Learn how to gain more security in your git repository with the help of the git-secret tool.

If you use Git for much of your development needs, you should know there's a dirty little secret to be found. When you store things like database passwords, OAuth secret keys, and application secret keys in a repository, that data is kept in plain text, which is a security breach waiting to happen. To get around that you could use git-secret.
The git-secret tool allows you to encrypt files stored within a git repository. This is something every git power user should consider employing.
You can install git-secret on macOS, Red Hat derivatives, and most of the Debian derivatives (such as Ubuntu). I'm going to walk you through the process of installing and using git-secret on Ubuntu Server 18.04.
What you'll need
The only things you'll need to make this work are:
A running instance of Ubuntu Server (or a Debian derivative)
Git installed
A user with sudo access
How to install git-secret
The first thing to be done is the installation of git-secret. You won't find this tool in the standard repository, so you first must add a third-party repo with the command:
echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
Once that is taken care of, download the GPG key for the repository with the command:
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
With the key added, install git-secret with the command:
sudo apt-get update && sudo apt-get install git-secret
How to create the GPG key
In order to use git-secret, you must first have a GPG keypair. If you don't have one on the server or desktop you are working on, create it with the command:
gpg --full-generate-key
First answer the questions regarding the key creation and then, when prompted, enter your name and email address. Once your GPG key is created, you're ready to start using git-secret.
How to use git-secret
The first thing you must do is initialize the git-secret repository with the command:
git-secret init
If you've not already initialized a git repository, you'll be warned to do so with the command:
git init
Once you've initialized Git, rerun the git-secret init command.
Next add the email address associated with your new GPG keypair with the command:
git-secret tell EMAIL
Where EMAIL is the email address associated with your GPG key.
Now you can add files to the secret repository with the command:
git-secret add FILES
Where FILES is the name(s) of the file or files you want to add. If adding more than one file, separate them with a space.
Once you've added all the necessary files, hide them with the command:
git-secret hide
At this point it is safe to commit your changes. It is recommended that you add the git-secret hide command to your pre-commit hook; otherwise, if you edit a secret file and forget to re-run hide, the encrypted copy you commit will be stale.
To unhide those files, issue the command:
git-secret reveal
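A pre-commit hook is the natural place for the hide step recommended above, and it is also a good place to catch a plaintext secret that has been staged by mistake. The script below is an added example, not part of the original article or of the git-secret project. It assumes that git-secret records the paths of the files it tracks, one per line, in .gitsecret/paths/mapping.cfg (newer releases append ":<sha256>" to each line), and that the encrypted copies carry a ".secret" suffix. The check function takes plain files as input so it can be exercised outside a repository.

```shell
#!/bin/sh
# Pre-commit hook for a repository that uses git-secret (added example).
# Install as .git/hooks/pre-commit and make it executable.

# Print the plaintext paths listed in a mapping.cfg, one per line.
# Assumption: each line is "path" or "path:<64 hex sha256>".
secret_paths() {
    sed 's/:[0-9a-f]\{64\}$//' "$1"
}

# $1 = mapping.cfg, $2 = file holding the staged paths, one per line.
# Returns 1 (and lists the offenders on stderr) if any plaintext secret
# is staged; returns 0 when only non-secret or .secret files are staged.
check_no_plaintext_staged() {
    offenders=$(secret_paths "$1" | grep -Fx -f - "$2") || return 0
    printf 'pre-commit: plaintext secret staged:\n%s\n' "$offenders" >&2
    return 1
}

hook_main() {
    repo_root=$(git rev-parse --show-toplevel) || exit 1
    mapping="$repo_root/.gitsecret/paths/mapping.cfg"
    [ -f "$mapping" ] || exit 0            # repository does not use git-secret

    staged=$(mktemp)
    git diff --cached --name-only > "$staged"
    if ! check_no_plaintext_staged "$mapping" "$staged"; then
        rm -f "$staged"
        echo "pre-commit: unstage the file(s) above; only the .secret copies belong in history" >&2
        exit 1
    fi
    rm -f "$staged"

    # Re-encrypt so the committed .secret files match the edited plaintext,
    # then stage the refreshed ciphertext alongside the rest of the commit.
    git-secret hide >/dev/null || exit 1
    secret_paths "$mapping" | while IFS= read -r p; do
        git add -- "$p.secret"
    done
}

# Only run the hook body when git invokes this file as the pre-commit hook.
case "$(basename "$0")" in
    pre-commit) hook_main ;;
esac
```

The hook refuses the commit rather than silently fixing it when a plaintext path is staged, because git-secret add already places those paths in .gitignore and a staged copy means someone overrode that; re-running hide on every commit keeps the ciphertext current.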
How to add other users
If you need to add other users so they can decrypt and work with the files in your repository, the first thing you must do is import their GPG public key with the command:
gpg --import KEY.txt
Where KEY.txt is the file containing the user's exported public key.
Once the key has been imported, you can add them to the secrets repo with the command:
git-secret tell EMAIL
Where EMAIL is the email address associated with the newly imported GPG key. Because the existing encrypted files were produced for the earlier keys only, run git-secret hide again so they are re-encrypted for the new recipient too. With that done, those users you've added can work with the files in the repository, using their GPG key passphrase.
And that's the gist of installing and using git-secret. You're now one step closer to enjoying a more secure git experience.