How to install and use git-secret
Learn how to improve the security of your git repository with the git-secret tool.
If you use Git for many of your development needs, you need to know that it hides a dirty secret. When you save things such as database passwords, OAuth secrets and application secret keys in a repository, that data is stored in plain text, which is clearly a security risk. To get around that, you can use git-secret.
With git-secret you can encrypt files that are stored in a git repository. It is a tool that every git power user should consider using.
You can install git-secret on macOS, Red Hat derivatives and most Debian derivatives (such as Ubuntu). I will guide you through the process of installing and using git-secret on Ubuntu Server 18.04.
What you need
The only things you need to make this work are:
How to install git-secret
The first thing to do is install git-secret. You will not find this tool in the standard repositories, so you must first add an external repo with the command:
echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
Once that has been arranged, download the GPG key for the repository with the command:
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
Update apt and install git-secret with the command:
sudo apt-get update && sudo apt-get install git-secret
How to make the GPG key
To use git-secret, you must first have a GPG keypair. If you don't have one on the server or desktop you are working on, create it with the command:
gpg --full-generate-key
Answer the questions about the key type, size and expiry, then enter your name and email address when prompted. Once your GPG key has been created, you are ready to use git-secret.
How to use git-secret
The first thing to do is initialize git-secret inside your repository with the command:
git secret init
If you have not initialized a git repository yet, you will be warned to do this with the command:
git init
After you initialize Git, run the git secret init command again.
Then add the email address associated with your new GPG keypair with the command:
git-secret tell EMAIL
Where EMAIL is the e-mail address associated with your GPG key.
Now you can add files to the secret repository with the command:
git-secret add FILES
Where FILES is the name of the file, or the names of the files, that you want to add. If you add more than one file, separate the names with a space.
After you have added all the necessary files, encrypt (hide) them with the command:
git secret hide
At this point it is safe to commit your changes. It is recommended that you add the git secret hide command to your pre-commit hook, otherwise you may forget to re-encrypt files that have changed.
To decrypt the files again, use the command:
git secret reveal
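The article recommends running git secret hide from a pre-commit hook. Below is an added example of such a hook (not code from the article or the git-secret project): it refuses the commit if any plaintext file registered with git secret add is itself staged, then re-encrypts and stages the .secret files. It assumes the hook is installed as .git/hooks/pre-commit and that .gitsecret/paths/mapping.cfg lists one registered file per line, written either as "path" or as "path:checksum".

```shell
#!/bin/sh
# Added example, not from the article or the git-secret project.
# Assumption: .gitsecret/paths/mapping.cfg lists one registered file per
# line, either as "path" or as "path:checksum".

# Print the plaintext paths registered with `git secret add`, one per line.
secret_paths() {
  mapping="${1:-.gitsecret/paths/mapping.cfg}"
  [ -f "$mapping" ] || return 0
  sed -e 's/:.*$//' -e '/^[[:space:]]*$/d' "$mapping"
}

# $1: registered paths (newline-separated), $2: staged paths (whitespace-
# separated). Prints every staged path that is a registered plaintext secret;
# returns 1 if at least one was found, 0 if the staging area is clean.
staged_plaintext() {
  registered="$1"
  staged="$2"
  found=0
  for f in $staged; do
    if printf '%s\n' "$registered" | grep -Fxq -- "$f"; then
      printf '%s\n' "$f"
      found=1
    fi
  done
  return $found
}

# Hook body: block plaintext secrets, then re-encrypt and stage the .secret files.
hook_main() {
  staged=$(git diff --cached --name-only --diff-filter=ACM)
  if ! offenders=$(staged_plaintext "$(secret_paths)" "$staged"); then
    echo "pre-commit: refusing to commit unencrypted secrets:" >&2
    printf '  %s\n' $offenders >&2
    exit 1
  fi
  git secret hide || exit 1
  secret_paths | while IFS= read -r p; do
    git add -- "$p.secret" || exit 1
  done || exit 1
}

# Only run the hook when installed as .git/hooks/pre-commit, so the
# functions above can be sourced or tested without a repository.
case "$0" in
  */pre-commit) hook_main ;;
esac
```

Copy the script to .git/hooks/pre-commit and make it executable; the plaintext files themselves should additionally be listed in .gitignore so they are never staged in the first place.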
How to add other users
If you need to add other users so that they can decrypt and work with the files in your repository, you must first import their public GPG key with the command:
gpg --import KEY.txt
Where KEY.txt is the file containing the user's exported public key.
After the key is imported, you can add it to the secret repo with the command:
git-secret tell EMAIL
Where EMAIL is the email address associated with the newly imported GPG key. Once that is done, the users you have added can decrypt and work with the files in the repository using their own GPG key and passphrase.
And that is the core of installing and using git-secret. You are now one step closer to enjoying a safer git experience.