Last Updated: April 20, 2021
· sobolevn

Store your private data inside a git repository

There’s a known problem in server configuration and deploying, when you have to store your private data such as: database passwords, application secret-keys, OAuth secret keys and so on, outside of the git repository. Even if this repository is private, it is a security risk to just publish them into the world wide web. What are the drawbacks of storing them separately?

These files are not version controlled. Filenames change, locations change, passwords change from time to time, some new information appears, other is removed. And you can not tell for sure which version of the configuration file was used with each commit.
When building the automated deployment system there will be one extra step: download and place these secret-configuration files where they need to be. So you have to maintain an extra secure server, where everything is stored.

How does git-secret solve these problems?

git-secret encrypts files and stores them inside the git repository, so you will have all the changes for every commit.
git-secret doesn’t require any other deploy operations rather than git secret reveal, so it will automatically decrypt all the required files.

What is git-secret?

git-secret is a bash tool to store your private data inside a git repo. How’s that? Basically, it just encrypts, using gpg, the tracked files with the public keys of all the users that you trust. So everyone of them can decrypt these files using only their personal secret key. Why deal with all this private-public keys stuff? Well, to make it easier for everyone to manage access rights. There are no passwords that change. When someone is out - just delete his public key, reencrypt the files, and he won’t be able to decrypt secrets anymore.


These steps cover the basic process of using git-secret:

  1. Before starting, make sure you have created gpg RSA key-pair: public and secret key identified by your email address.
  2. Initialize git-secret repository by running git secret init command. .gitsecret/ folder will be created.
  3. Add first user to the system by running git secret tell
  4. Now it's time to add files you wish to encrypt inside the git-secret repository. It can be done by running git secret add <filenames...> command. Make sure these files are ignored, otherwise git secret won't allow you to add them, as these files will be stored unencrypted.
  5. When done, run git secret hide all files, which you have added by git secret add command will be encrypted with added public-keys by the git secret tell command. Now it is safe to commit your changes. But. It's recommended to add git secret hide command to your pre-commit hook, so you won't miss any changes.
  6. Now decrypt files with git secret reveal command. It will ask you for your password. And you're done!

Check out docs for more information.