
Git-Crypt

We use git-crypt to ensure that application secrets are encrypted at rest in git.

Prerequisites

  1. Install GPG
  2. Install git-crypt
  3. Generate a key pair, if you don’t have one already. The GitHub documentation is a good reference.
  4. Push your public key to a key server: gpg --send-keys PUBKEYID
  5. Add the pubkey to your GitHub account, again, following the documentation

Setup

otherwise,

  • Share your PUBKEYID with an existing member of your team. They will need to verify your key, trust it in their GPG keyring and add you to the repository (see the section below, or the git-crypt documentation linked above).

Adding a GPG key to the repo

The user who generated the GPG key will need to do the following:

  1. Run the following command and find the Key ID of the key you’ve just generated: gpg --list-secret-keys --keyid-format=long
  2. Export the gpg key: gpg --armor --export --output ./<key id>.gpg <key id>
  3. Send the exported .gpg file to the existing member of the team, and give them the key's fingerprint through a separate channel (for example in person or on a call) so they can check that the file they received is really your key.

The existing member of your team will need to do the following steps:

  1. Branch the repo that you want to add the user to.
  2. Download the exported gpg key from the user.
  3. Import the key: gpg --import <key id>.gpg. Compare the imported key's fingerprint (gpg --fingerprint <key id>) with the one the user gave you out of band before trusting it; an attacker who can swap the key file can otherwise be added to the repository instead of your colleague.
  4. Add the user: git-crypt add-gpg-user <user email address>. This creates a commit on the current branch containing the repository key encrypted to the new user's public key.
  5. Push the changes and open a PR to merge the branch.
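The "existing team member" steps above as one script, added here as an example (it is not the Cloud Platform team's own tooling). The security-relevant addition is the fingerprint check: the key file is parsed before it is imported and compared with the fingerprint the user supplied through a separate channel, and nothing is trusted or added unless they match. It assumes gpg and git-crypt are on PATH, that it runs inside a clone of the repository on a fresh branch, and that the second argument is the 40-hex-digit fingerprint the user gave you; the function names are the example's own.

```shell
#!/bin/sh
# Added example: onboard a new git-crypt user after verifying their key's
# fingerprint out of band. Assumes gpg and git-crypt are installed and that
# the current directory is a clone of the repository on a new branch.

# Normalise a fingerprint as gpg prints it ("3AA5 C34B ..." or prefixed with
# "Key fingerprint =") to 40 upper-case hex digits. Prints nothing and
# returns 1 if the input is not a valid 40-digit (v4) fingerprint.
normalize_fp() {
    fp=$(printf '%s' "$1" | sed 's/.*=//' | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$fp" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# Exit 0 only if both fingerprints are valid and identical after normalisation.
fp_matches() {
    a=$(normalize_fp "$1") || return 1
    b=$(normalize_fp "$2") || return 1
    [ "$a" = "$b" ]
}

# Read the primary-key fingerprint from an exported key file without
# importing it: --import-options show-only lists the key instead of storing
# it, and --with-colons emits "fpr" records with the fingerprint in field 10.
key_file_fingerprint() {
    gpg --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# onboard <exported key file> <fingerprint the user gave you out of band>
onboard() {
    keyfile=$1
    expected=$2
    actual=$(key_file_fingerprint "$keyfile")
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch: file has '${actual:-none}', expected '$expected'" >&2
        return 1
    fi
    gpg --import "$keyfile"
    # A local signature marks the key as trusted on this machine only, which is
    # what git-crypt needs to encrypt to it (the alternative is
    # git-crypt add-gpg-user --trusted, which skips GPG's trust check entirely).
    gpg --batch --yes --quick-lsign-key "$actual"
    # add-gpg-user commits .git-crypt/keys/default/0/<fingerprint>.gpg itself.
    git-crypt add-gpg-user "$actual"
    git push -u origin HEAD
}

# Usage: sh onboard.sh onboard ./<key id>.gpg '<fingerprint from the user>'
if [ "${1:-}" = "onboard" ]; then
    onboard "$2" "$3"
fi
```

The script refuses to proceed on any mismatch, including a fingerprint of the wrong length, so a typo in the value the user sent fails closed rather than silently adding whichever key happened to be in the file.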

Usage

Once the PR adding your key has been merged, update your local repository clone and unlock the secrets:

$ git pull
$ git-crypt unlock

From this point on, git-crypt operates transparently: files matched by a git-crypt rule in the repository's .gitattributes are encrypted when committed and decrypted in your working copy.

You can verify the status of files with git-crypt status. Files it reports as "not encrypted" are stored in plaintext in git, so check that any new secrets file is covered by a .gitattributes rule before you commit it.
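A pre-push check built on the output of git-crypt status, added here as an example rather than taken from the page or from git-crypt itself. It fails if git-crypt warns that a file marked for encryption was committed in plaintext, or if a file under a path you expect to hold secrets is reported as "not encrypted" (meaning no .gitattributes rule matches it). The SECRET_PATHS list and the sample status lines are constructed for the example; the sample follows the line format git-crypt status prints, and in real use you would run git-crypt status | check_status.

```shell
#!/bin/sh
# Added example: fail if `git-crypt status` shows a secrets file that is not
# actually protected. Constructed for illustration; not part of git-crypt.

# Path prefixes under which every file is expected to be encrypted (assumed
# layout, adjust to the repository).
SECRET_PATHS='secrets/ kubernetes/secrets/'

# Read `git-crypt status` lines on stdin, print one problem per line and
# exit 1 if any problem was found.
check_status() {
    problems=0
    while IFS= read -r line; do
        case "$line" in
            *'NOT ENCRYPTED'*)
                # git-crypt's own warning: the file is marked for encryption
                # but the staged/committed blob is plaintext.
                echo "PLAINTEXT IN HISTORY: $line"
                problems=$((problems + 1)) ;;
            'not encrypted: '*)
                path=${line#"not encrypted: "}
                for prefix in $SECRET_PATHS; do
                    case "$path" in
                        "$prefix"*)
                            echo "UNPROTECTED SECRET: $path (no git-crypt rule in .gitattributes)"
                            problems=$((problems + 1)) ;;
                    esac
                done ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample in the format git-crypt status uses: encrypted files are
# indented to align with the "not encrypted:" prefix, and a file committed in
# plaintext despite its rule carries the trailing WARNING.
sample_status() {
    cat <<'EOF'
    encrypted: secrets/app.env
    encrypted: secrets/db.env *** WARNING: staged/committed version is NOT ENCRYPTED! ***
not encrypted: README.md
not encrypted: secrets/new-service.env
EOF
}

# Usage: sample_status | check_status    (real use: git-crypt status | check_status)
```

Wire it into a pre-push hook or CI step so the exit status blocks the push; the README line shows that ordinary files reported as "not encrypted" are not flagged, only those under the secret paths.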

This page was last reviewed on 2 September 2024. It needs to be reviewed again on 2 March 2025 by the page owner #cloud-platform .