Using Git Secret (with examples)
1: Initializing git-secret in a local repository
git secret init
Motivation:
The git secret init command initializes git-secret in a local repository. This is the first step in using git-secret to store private data securely in a Git repository.
Explanation:
The git secret init command sets up git-secret in the current local repository, which must already be a Git repository. It creates a .gitsecret directory in the root of the repository; this directory holds git-secret's own state (the public keys of authorized users and the list of registered secret paths) and is meant to be committed. The plaintext secret files themselves are never committed; only their encrypted copies are.
Example output:
Initialized empty Git repository in /path/to/repo/.git/
git-secret initialized.
2: Granting access to the current Git user’s email
git secret tell -m
Motivation: Granting access to the current Git user’s email (the value of user.email in the Git configuration) allows that user to encrypt and decrypt secret files using git-secret.
Explanation:
The git secret tell -m command grants access to the current Git user’s email for git-secret operations, reading the address from user.email in the Git configuration. A GnuPG public key for that email must already exist in the local GnuPG keyring; git-secret copies it into the .gitsecret directory. From then on, the user with that email can encrypt and decrypt secret files in the repository.
Example output:
[user@example.com] <user@example.com>
3: Granting access by email
git secret tell email
Motivation: Granting access by email allows other Git users to encrypt and decrypt secret files using git-secret.
Explanation:
The git secret tell email command grants access to a specific email for git-secret operations. The recipient’s GnuPG public key must first be imported into your own GnuPG keyring, since git-secret copies it from there into the repository. Once added, the user with the specified email can encrypt and decrypt secret files in the repository, provided they hold the matching private key.
Example output:
[email@example.com] <email@example.com>
4: Revoking access by email
git secret killperson email
Motivation: Revoking access by email ensures that specific users can no longer encrypt or decrypt secret files using git-secret.
Explanation:
The git secret killperson email command revokes access for a specific email by removing that user’s public key from the repository’s keyring. Revocation only affects future encryption: files encrypted before the revocation remain decryptable with the removed key until you run git secret hide again to re-encrypt them for the remaining users. Because the revoked user already had access to the plaintext, the secrets themselves should also be rotated.
Example output:
Revoked access for:
[email@example.com]
5: Listing emails with access to secrets
git secret whoknows
Motivation: Listing emails with access to secrets allows you to see which users can encrypt and decrypt secret files using git-secret.
Explanation:
The git secret whoknows command lists all the emails that have access to secrets in the repository. It shows which users can encrypt and decrypt secret files.
Example output:
[email@example.com]
[user@example.com]
6: Registering a secret file
git secret add path/to/file
Motivation: Registering a secret file allows git-secret to track and encrypt it in the repository.
Explanation:
The git secret add path/to/file command registers a secret file with git-secret. It adds the specified path to the list of files that git-secret will encrypt and manage. The plaintext file must be ignored by Git (listed in .gitignore) so that only its encrypted copy is ever committed; registering a file does not encrypt it, that happens on git secret hide.
Example output:
[path/to/file] : 1 new secret file(s) added.
7: Encrypting secrets
git secret hide
Motivation: Encrypting secrets ensures that they are securely stored in the Git repository and can only be decrypted by authorized users.
Explanation:
The git secret hide command encrypts all the registered secret files in the repository. It uses the authorized users’ public keys to encrypt the files, making them unreadable without one of the corresponding private keys. Run it again whenever a registered file changes or the set of authorized users changes, otherwise the committed ciphertext stays stale.
Example output:
created: [path/to/file] (path/to/file.pub)
8: Decrypting secret files
git secret reveal
Motivation: Decrypting secret files allows authorized users to access the plaintext versions of the encrypted files.
Explanation:
The git secret reveal command decrypts all the encrypted secret files in the repository into their plaintext paths. Only authorized users with a corresponding private key can successfully decrypt the files; GnuPG will prompt for the key’s passphrase if one is set.
Example output:
revealed: [path/to/file]
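The steps above only work as intended if the plaintext files registered with git secret add never reach the repository. The following script is an added example, not part of the original article or of the git-secret project: it reads the registered plaintext paths from git-secret’s mapping file and reports any of them that Git is tracking, so it can be used as a pre-commit check. It assumes the mapping file lives at .gitsecret/paths/mapping.cfg and that each line has the form path:checksum (only the part before the first colon is used); the sample mapping and tracked-file list in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not git-secret's own tooling): detect plaintext secrets that
# are tracked by Git despite being registered with git-secret.
#
# Assumption: .gitsecret/paths/mapping.cfg holds one registered file per line,
# formatted as "path:checksum". Paths are relative to the repository root.

# secret_paths MAPPING: print the registered plaintext paths, one per line.
secret_paths() {
  cut -d: -f1 "$1"
}

# leaked_secrets MAPPING TRACKED: TRACKED is a file listing Git-tracked paths,
# one per line (e.g. the output of `git ls-files`). Prints every registered
# plaintext path that appears in TRACKED and returns 1 if any were found,
# 0 otherwise, so the function can serve as a hook's exit status.
leaked_secrets() {
  mapping=$1
  tracked=$2
  found=$(secret_paths "$mapping" | while IFS= read -r p; do
    [ -n "$p" ] || continue
    if grep -Fxq -- "$p" "$tracked"; then
      printf '%s\n' "$p"
    fi
  done)
  if [ -n "$found" ]; then
    printf 'plaintext secret tracked by git: %s\n' $found
  fi
  [ -z "$found" ]
}

# check_repo: run the check against the current repository (must be run from
# the repository root). Silently does nothing if git-secret is not initialised.
check_repo() {
  [ -f .gitsecret/paths/mapping.cfg ] || return 0
  tmp=$(mktemp)
  git ls-files > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 0; }
  leaked_secrets .gitsecret/paths/mapping.cfg "$tmp"
  status=$?
  rm -f "$tmp"
  return $status
}

# Only run the live check when executed directly, not when sourced by a test.
if [ "${0##*/}" = "git-secret-check.sh" ]; then
  check_repo || exit 1
fi
```

To use it as a hook, save the script as .git/hooks/pre-commit (or call it from there) and make it executable; a non-zero exit aborts the commit. The check deliberately compares against git ls-files rather than .gitignore, because a file that was added before the ignore rule existed stays tracked no matter what .gitignore says.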
Conclusion
In this article, we explored the different use cases of the git secret command. We covered initializing git-secret, granting and revoking access, listing emails with access, registering secret files, and encrypting and decrypting secrets. These examples demonstrate how git-secret can be used to securely store and manage private data in a Git repository.