How to install and use git-secret

Learn how to gain more security in your git repository with the help of the git-secret tool.


If you use Git for much of your development work, you should know there's a dirty little secret to be found. When you store things like database passwords, OAuth secret keys, and application secret keys in a repository, that data is stored in plain text, which is clearly a security breach waiting to happen. To get around that, you could use git-secret.

The git-secret tool allows you to encrypt files stored within a git repository. This is something every git power user should consider employing.

You can install git-secret on macOS, Red Hat derivatives, and most of the Debian derivatives (such as Ubuntu). I'm going to walk you through the process of installing and using git-secret on Ubuntu Server 18.04.

What you'll need

The only things you'll need to make this work are:

  • A running instance of Ubuntu Server (or a Debian derivative)

  • Git installed

  • A user with sudo access


How to install git-secret

The first thing to be done is the installation of git-secret. You won't find this tool in the standard repository, so you first must add a third-party repo with the command:

echo "deb git-secret main" | sudo tee -a /etc/apt/sources.list

Once that is taken care of, download the GPG key for the repository with the command:

wget -qO - | sudo apt-key add -

With the key added, install git-secret with the command:

sudo apt-get update && sudo apt-get install git-secret

How to create the GPG key

In order to use git-secret, you must first have a GPG keypair. If you don't have one on the server or desktop you are working on, create it with the command:

gpg --full-generate-key

First answer the questions regarding the key creation and then, when prompted, enter your name and email address. Once your GPG key is created, you're ready to start using git-secret.

How to use git-secret

The first thing you must do is initialize the git-secret repository with the command:

git-secret init

If you've not already initialized a git repository, you'll be warned to do so with the command:

git init

Once you've initialized Git, rerun the git-secret init command.

Next add the email address associated with your new GPG keypair with the command:

git-secret tell EMAIL

Where EMAIL is the email address associated with your GPG key.

Now you can add files to the secret repository with the command:

git-secret add FILES

Where FILES is the name of the file or files you want to add. If adding more than one file, separate the names with a space.

Once you've added all the necessary files, hide them with the command:

git-secret hide

At this point it is safe to commit your changes. It is recommended that you add the git-secret hide command to your pre-commit hook; otherwise you might forget to re-encrypt changed files before committing.

To unhide those files, issue the command:

git-secret reveal

How to add other users

If you need to add other users so they can decrypt and work with the files in your repository, the first thing you must do is import their GPG public key with the command:

gpg --import KEY.txt

Where KEY.txt is the file containing the user's exported public key.

Once the key has been imported, you can add them to the secrets repo with the command:

git-secret tell EMAIL

Where EMAIL is the email address associated with the newly imported GPG key. With that done, the users you've added can work with the files in the repository using their own GPG key passphrase.
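The two places above where things tend to go wrong in practice are the pre-commit hook (forgetting to re-run git-secret hide after editing a secret) and onboarding a collaborator (git-secret tell only registers the new recipient; the files have to be hidden again before that person can decrypt them). The script below is an added example and is not part of the article or of the git-secret project. It assumes, based on how current git-secret releases lay out their metadata, that tracked paths are listed in .gitsecret/paths/mapping.cfg as either "path" or "path:hash" per line and that the encrypted copy sits next to the plaintext as "<path>.secret"; the function and subcommand names are my own.

```shell
#!/bin/sh
# Added example, not from the article or the git-secret project.
# Assumption: git-secret lists tracked files in .gitsecret/paths/mapping.cfg
# (one "path" or "path:hash" per line) and writes "<path>.secret" beside each.

# check_hidden REPO_DIR
# Pre-commit check: succeeds only when every tracked secret has an encrypted
# copy that is at least as new as its plaintext. Offenders go to stderr.
check_hidden() {
    repo="$1"
    mapping="$repo/.gitsecret/paths/mapping.cfg"
    if [ ! -f "$mapping" ]; then
        echo "no git-secret mapping found in $repo (run: git-secret init)" >&2
        return 1
    fi
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        path="${line%%:*}"            # drop the ":hash" suffix newer versions append
        plain="$repo/$path"
        enc="$plain.secret"
        if [ ! -f "$enc" ]; then
            echo "not hidden: $path (run: git-secret hide)" >&2
            status=1
        elif [ -f "$plain" ] && [ "$plain" -nt "$enc" ]; then
            echo "stale: $path changed after the last git-secret hide" >&2
            status=1
        fi
    done < "$mapping"
    return $status
}

# add_collaborator KEYFILE EMAIL
# Imports the collaborator's exported public key, registers the address with
# git-secret, then re-encrypts so existing secrets are readable by the new
# recipient. "git-secret tell" on its own does not re-encrypt anything.
add_collaborator() {
    gpg --import "$1" &&
    git-secret tell "$2" &&
    git-secret hide
}

# Dispatch. Install as .git/hooks/pre-commit with "hook" as the argument,
# or call "add-user KEY.txt EMAIL" when onboarding someone.
case "${1:-}" in
    hook)     check_hidden "${2:-.}" ;;
    add-user) add_collaborator "$2" "$3" ;;
    *)        echo "usage: $0 hook [REPO_DIR] | add-user KEYFILE EMAIL" >&2 ;;
esac
```

The hook compares modification times rather than content, which is deliberate: git-secret hide rewrites the .secret file every time it runs, so an encrypted copy older than its plaintext is the one reliable signal that a re-encryption was skipped.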

And that's the gist of installing and using git-secret. You're now one step closer to enjoying a more secure git experience.
