All about Git-Secret from scratch

Easily use, share and access your environment variables with security

Gaurav Gupta
6 min read · Jun 6, 2022

What is Git-Secret?

git-secret is a tool for managing API keys, secret keys, URLs and other private data that an application cannot afford to have exposed. It is not limited to configuration: it can encrypt any file before it is committed to source control and decrypt it again after checkout.

In other words, git-secret is a bash tool that stores your private data in a git repository in encrypted form. Wondering how it keeps that data safe? Keep reading and you will see what git-secret can do.

Why do we actually need such a tool?

No matter how big or small a project is, and whether the team is large or a single developer, we usually need some URLs, secrets, passwords or API keys that are the private part of the app and must never reach someone we don't know.

To solve this, we usually store such data in a .env or similar environment file. Then we either push it to the git repo so that whoever works on the project can pull and use it, or we share the values manually with team members. Correct?

Storing secrets unencrypted in the git repo means every clone carries them in plaintext, and anyone with read access to the repository, now or in the future, can copy them. Sharing them manually by mail or chat is no better: the values are not version controlled, filenames, locations and passwords change from time to time, some values appear while others are removed, and nobody can tell which version is current. It is neither easy to track the latest data nor secure for the application. That is where git-secret comes into play.

How does git-secret solve this problem?

  • git-secret encrypts the variables file and stores the encrypted copy inside the git repository, so every change to it is recorded in the commit history.
  • No extra deployment step is needed: anyone whose gpg public key has been registered only needs their own private key, and a single command decrypts all the secret files.

Getting started with Git-Secret:

Now it's time to go through the basic steps to set up git-secret for an existing or a new project and start encrypting and decrypting secrets.

  1. The most important step before starting with git-secret is to generate a gpg RSA key pair, one public key and one private key, linked to the email address we give when creating it. The gpg configuration and the keys are stored in our home directory. Don't know what gpg is or how to generate the pair? Don't worry, we cover it next.

What is gpg and how to generate gpg RSA key pair?

GnuPG, also known as gpg, is a tool for managing public and private keys and for encrypting, decrypting, signing and verifying data.

Install GPG

Windows:

For windows, the Gpg4win application is recommended. The installer can be found on the Windows GnuPG installer (Gpg4win) download page. We just need to run the installer for the gpg to be available in our command prompt.

Mac:

The recommended way to install gpg on a Mac is Homebrew. Install brew first if you don't already have it, then run:

brew install gnupg

After setting up gnupg on the system, we can now proceed with the setup of git-secret on our systems. Follow along for the same-

2. Installing Git-Secret

The first step here is to make sure git is installed; most developers already have it. To verify, run git --version. If git is missing, follow the instructions at https://git-scm.com/book/en/v2/Getting-Started-Installing-Git.

Finally, install git-secret. On a Mac with Homebrew:

brew install git-secret

On Debian or Ubuntu:

sudo apt-get update && sudo apt-get install git-secret

3. Add GPG key

Once gnupg and git-secret are installed, generate the gpg key pair that will identify you to git-secret:

gpg --full-generate-key

When we run this command, gpg asks for the key type and size (RSA is fine), an expiry, our name, the email address the key will be tied to, and a passphrase. The passphrase protects the private key on disk, so choose a strong one: anyone who obtains the private key and knows the passphrase can decrypt every file hidden for us. gpg then stores the key pair, one public and one private, in our home directory (~/.gnupg by default). Now we can move on to the next step.

4. Now, it’s time to set up git secret, in an existing or a new repository

First, initialize git-secret in the repository where you want to use it:

git-secret init

If the directory is not a git repository yet, git-secret will tell you so; create one first with:

git init

Once this is done, try again to run the git-secret init command to proceed further.

Now, one of the most important steps: register the email address associated with the gpg key pair we created earlier. Run:

git-secret tell xxx@anyemail.com

Note that this email must be the same one used when creating the gpg key pair: git-secret looks the key up in your gpg keyring by that address and copies the public key into the repository. Running git-secret tell -m takes the email from your git config instead.

5. Start adding files to the new secret repo

Now it's time to add the secrets file, the environment variables file, or whatever file holds the values we want to sync through the repository where git-secret has been set up. Before adding a file, list the plaintext file in .gitignore so that it can never be pushed to source control by accident. Depending on the git-secret version, git-secret add either refuses a file that is not ignored or adds the .gitignore entry for you; check .gitignore either way. Then run:

git-secret add filename.ext

We can also add several files at once by separating the names with spaces:

git-secret add file1.ext file2.ext file3.ext file4.ext

Once the files are added, encrypt them with:

git-secret hide

This writes an encrypted copy next to each file with .secret appended (filename.ext.secret). The encrypted copies are what gets committed; the plaintext stays on disk and stays ignored.

6. Commit changes

Once the files are encrypted, commit the changes (if you are unsure how to commit and push, see the git documentation at https://git-scm.com/docs). Commit the .secret files and the whole .gitsecret directory, which holds the list of hidden paths and the public keys of everyone allowed to decrypt, but never the plaintext files themselves. After pushing, team members can pull the encrypted files.

7. Decrypt the file

So far we have covered how to encrypt the secret files. To decrypt them on a fresh checkout, or after someone pushed a new version, run:

git-secret reveal

This decrypts every hidden file with your gpg private key, prompting for its passphrase, and writes the plaintext back next to the .secret file. If a plaintext copy already exists, git-secret asks before overwriting it (git-secret reveal -f overwrites without asking).

8. Adding users

Usually several developers work on a project, and all of them need to decrypt the secret file pushed with git-secret to stay current with the latest environment values. Users are added in two steps.

First, import the new user's public gpg key (they export the public key with gpg and send you the file; the private key never leaves their machine):

gpg --import key.txt

Once the key is imported, register the user in the secrets repository:

git-secret tell abc@useremail.com

This links the user's email to the public key just imported and copies that key into the repository's own keyring under .gitsecret. Repeat both commands for every authorized developer.

One step that is easy to miss: files already hidden were encrypted only for the users known at that time. After telling git-secret about a new user, run git-secret hide again and commit the re-encrypted .secret files; until then the new user cannot decrypt anything. git-secret whoknows lists the emails that can currently decrypt.

Now every added team member can access the encrypted data with the git-secret reveal command we saw before. On running it, they enter the passphrase of their own gpg private key and the files are decrypted.
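The whole procedure above, from generating keys to granting a teammate access, as an added example that is not code from this article or from the git-secret project. It runs in a throwaway directory with isolated gpg keyrings, so it never touches your real ~/.gnupg or any real repository, and it assumes git, gpg 2.1 or newer and git-secret are on PATH (git secret and git-secret are the same command). The names Alice and Bob, the emails, the paths and the DB_PASSWORD value are made up for the demo, and the empty key passphrase is for the demo only. The script also exercises the gotcha from the previous section: a newly told user cannot decrypt until git-secret hide has been run again.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or the git-secret project.
# Assumes git, gpg (2.1+) and git-secret are on PATH; all names, emails,
# paths and secret values are made up for the demo.

# Generate an RSA key pair non-interactively into an isolated keyring so
# the demo never touches ~/.gnupg. The empty passphrase is for the demo
# only; a real key must be protected by a strong one.
make_key() {
  local home="$1" name="$2" email="$3"
  mkdir -p "$home" && chmod 700 "$home"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$name <$email>" rsa3072 default 0
}

# Runs the full walkthrough in a subshell. Exit status: 0 on success,
# 2 when a required tool is missing, anything else on failure.
demo() (
  set -eu
  for tool in git gpg git-secret; do
    command -v "$tool" >/dev/null 2>&1 || { echo "skipped: $tool not installed"; exit 2; }
  done
  work=$(mktemp -d)
  alice="$work/alice-gnupg"; bob="$work/bob-gnupg"
  trap 'for h in "$alice" "$bob"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true; done; rm -rf "$work"' EXIT

  make_key "$alice" Alice alice@example.com   # Alice sets up the vault
  make_key "$bob"   Bob   bob@example.com     # Bob is the teammate added later

  repo="$work/repo"
  git init -q "$repo" && cd "$repo"
  git config user.email alice@example.com && git config user.name Alice
  export GNUPGHOME="$alice"                   # git-secret reads Alice's keyring

  # init creates .gitsecret/; tell registers Alice's public key by email
  git secret init >/dev/null
  git secret tell alice@example.com

  # ignore the plaintext first, then add and hide (encrypt) it
  printf 'DB_PASSWORD=constructed-demo-value\n' > .env
  printf '.env\n' >> .gitignore
  git secret add .env
  git secret hide                             # writes .env.secret
  [ -f .env.secret ]
  git check-ignore -q .env                    # plaintext can never be committed

  # commit: only the ciphertext and the .gitsecret metadata reach history
  git add -A && git commit -qm 'Add encrypted .env'
  if git ls-files --error-unmatch .env >/dev/null 2>&1; then
    echo "unexpected: plaintext .env is tracked"; exit 1
  fi

  # reveal restores the plaintext from .env.secret with Alice's private key
  rm .env && git secret reveal -f >/dev/null
  grep -q 'DB_PASSWORD=constructed-demo-value' .env

  # adding a user: Bob shares only his PUBLIC key; Alice imports it and tells git-secret
  GNUPGHOME="$bob" gpg --armor --export bob@example.com > "$work/bob.pub.asc"
  gpg --quiet --import "$work/bob.pub.asc"
  git secret tell bob@example.com
  # gotcha: the existing .env.secret is still encrypted to Alice alone
  if GNUPGHOME="$bob" gpg --batch --quiet --decrypt .env.secret >/dev/null 2>&1; then
    echo "unexpected: Bob could decrypt before re-hide"; exit 1
  fi
  git secret hide                             # re-encrypt for every known user
  git add -A && git commit -qm 'Grant bob@example.com access'
  git secret whoknows | grep -q bob@example.com

  # Bob clones the repository and decrypts with his own private key
  git clone -q "$repo" "$work/bob-clone" && cd "$work/bob-clone"
  GNUPGHOME="$bob" git secret reveal -f >/dev/null
  grep -q 'DB_PASSWORD=constructed-demo-value' .env
  echo "ok: vault works for alice and bob"
)

demo || echo "demo exited with status $?"
```

Save it as demo.sh and run bash demo.sh: it prints "ok: vault works for alice and bob" when every step succeeds, "skipped: ... not installed" when a tool is missing, and stops at the first failing check otherwise. The two decrypt checks around the second git-secret hide are the part worth copying into your own onboarding notes.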

So that’s it.

You have now set up everything required to use git-secret. From now on, instead of sharing app secrets manually or pushing them to the repo in plaintext, use a tool like git-secret and keep your app's secrets out of the clear.

Thank you for reading! See ya ✌️
