Last Updated: February 25, 2016 · destructuring

Managing your secrets with git

Since my home directory is under git and managed by chef, I can't store passwords in that git repo. I have a separate repository called secrets which contains keys, passwords and license files. It's hard to archive because I don't like juggling gpg and shy away from copying the secrets to Dropbox or pushing them to a private GitHub repo.

A coworker showed me https://gist.github.com/873637/d098b2adccb221f8991e8b3044f1dc0a15903f57 which details how to apply an openssl encrypt step when files are added to the staging area and a decrypt step when they are checked out into the work area.

I got this to work with some tweaks.

The salts and passwords are stored on a FileVault-encrypted USB thumb drive. I put in the USB stick, type in the vault password, and they're available while I work with the encrypted repo. When I'm done, I unmount the USB stick.

I clone the encrypted repo to Dropbox as a mirror, so no plaintext work area lands there:

git clone --mirror . ~/Dropbox/secrets

I pay for a GitHub account so I can have a private repository. What gets pushed to GitHub is the encrypted content as well; there is no plaintext work area on the remote side.

The clean, smudge, and textconv commands are implemented as part of a custom git subcommand, "git filter". I also added install and clone commands to "git filter" so that encryption can easily be added to a repo.
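To make the clean/smudge/textconv mechanism from the gist and the "git filter" subcommand concrete, here is an added example that is not the author's script or the gist's code. It assumes the vault is mounted at a hypothetical VAULT_DIR holding two files, "password" and "salt" (16 hex characters), and an OpenSSL with -pbkdf2 support (1.1.1 or later). The fixed salt is what keeps the clean output deterministic, so unchanged files don't show up as modified on every "git status"; setting filter.secrets.required makes git refuse to stage anything if the vault is not mounted instead of silently committing plaintext.

```shell
#!/bin/sh
# Constructed example of the clean/smudge/textconv filters described in the post.
# Assumption: the encrypted USB is mounted at VAULT_DIR and contains
#   $VAULT_DIR/password  - the passphrase
#   $VAULT_DIR/salt      - 8 bytes of salt as 16 hex characters
VAULT_DIR="${VAULT_DIR:-/Volumes/vault}"   # hypothetical mount point

# Fail loudly if the vault is not mounted; with filter.secrets.required=true
# git then aborts the add/checkout rather than storing plaintext.
require_vault() {
  [ -r "$VAULT_DIR/password" ] && [ -r "$VAULT_DIR/salt" ] ||
    { echo "secrets vault not mounted at $VAULT_DIR" >&2; return 1; }
}

# clean: plaintext on stdin -> ciphertext on stdout (runs when a file is staged).
# A fixed salt makes the output deterministic, so re-adding an unchanged file
# produces byte-identical ciphertext and git sees no change.
filter_clean() {
  require_vault || return 1
  openssl enc -aes-256-cbc -pbkdf2 -base64 \
    -S "$(cat "$VAULT_DIR/salt")" -pass "file:$VAULT_DIR/password"
}

# smudge: ciphertext on stdin -> plaintext on stdout (runs on checkout).
filter_smudge() {
  require_vault || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -base64 -pass "file:$VAULT_DIR/password"
}

# textconv: git hands us a path to the stored (encrypted) blob; print plaintext
# so "git diff" and "git log -p" show readable changes.
filter_textconv() {
  filter_smudge < "$1"
}

# install: wire the filter into an existing repo.
#   $1 = path to the repo, $2 = absolute path to this script
filter_install() {
  repo="$1"; script="$2"
  git -C "$repo" config filter.secrets.clean    "$script clean"
  git -C "$repo" config filter.secrets.smudge   "$script smudge"
  git -C "$repo" config filter.secrets.required true
  git -C "$repo" config diff.secrets.textconv   "$script textconv"
  # Every file goes through the filter except .gitattributes itself.
  printf '* filter=secrets diff=secrets\n.gitattributes !filter !diff\n' \
    > "$repo/.gitattributes"
}

# Dispatch on the subcommand when run as "script clean|smudge|textconv|install".
case "${1:-}" in
  clean)    filter_clean ;;
  smudge)   filter_smudge ;;
  textconv) filter_textconv "$2" ;;
  install)  filter_install "$2" "$3" ;;
  "")       : ;;   # sourced or run without arguments: define functions only
  *)        echo "usage: $0 clean|smudge|textconv <file>|install <repo> <script>" >&2; exit 2 ;;
esac
```

After "filter_install ~/secrets /path/to/this/script", a "git add" of a file in that repo stores only the openssl output in the object database, a checkout restores the plaintext as long as the vault is mounted, and "git diff" goes through textconv so you review plaintext changes while the history on Dropbox or GitHub stays encrypted.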

A "git filter session" command would be worth adding: mount the USB drive, enter a subshell, and unmount it when the subshell exits. A "wipe" command to remove the plaintext work area would also be nice.

Of course, my OS X disks are all under whole-disk FileVault.

Written by Tom, Bom
