git-crypt to ensure that application secrets are encrypted at rest in git.
- Install GPG
- Install git-crypt
- Generate a key pair, if you don’t have one already. The GitHub documentation is a good reference.
- Push your public key to a key server:

```
gpg --send-keys PUBKEYID
```
- Add the pubkey to your GitHub account, again, following the documentation
- If the repository has not been setup before, please follow the git-crypt documentation to do so.
- Share your `PUBKEYID` with an existing member of your team. They will need to trust your key and add you to the repository (see the section below or the git-crypt documentation above).
Adding a GPG key to the repo
The user who generated the GPG key will need to do the following:
- Run the following command and find the Key ID of the key you’ve just generated:

```
gpg --list-secret-keys --keyid-format=long
```

- Export the public key (never the secret key) to an ASCII-armored file:

```
gpg --armor --export --output ./<key id>.gpg <key id>
```

- Send the exported `.gpg` file to an existing member of the team.
The existing member of your team will need to do the following steps:
- Create a branch in the repo you want to add the user to.
- Download the exported GPG key from the user.
- Import the key:

```
gpg --import <key id>.gpg
```

- Add the user (git-crypt accepts the key ID or the e-mail address on the key; the key must already be trusted in your GPG keyring):

```
git-crypt add-gpg-user <user email address>
```

- Push the changes and create a PR to merge the branch.
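Before trusting an imported key and running `git-crypt add-gpg-user`, the existing team member should confirm that the key's fingerprint matches the one the new user read out over a separate channel. The following is an added example, not part of the original page or of git-crypt itself; it parses `gpg --with-colons` output and compares the fingerprint against the out-of-band value. The sample output embedded below is constructed and does not describe a real key.

```shell
#!/bin/sh
# Added example (not from the page): check an imported key's fingerprint
# against the value the new team member shared out of band, before the key
# is trusted and passed to `git-crypt add-gpg-user`.

# Print the primary-key fingerprint for a key ID, reading
# `gpg --list-keys --with-colons` output from stdin. The "fpr" record that
# follows a "pub" record carries the 40-hex-digit fingerprint in field 10.
# A short (8-char) or long (16-char) key ID is matched against the end of
# the "pub" record's key ID in field 5.
fingerprint_for_key() {
    awk -F: -v id="$1" '
        $1 == "pub" { want = (substr($5, length($5) - length(id) + 1) == id) }
        $1 == "fpr" && want { print $10; exit }
    '
}

# Compare two fingerprints ignoring spaces and case, which is how people
# usually read them out. Fails on an empty keyring result.
fingerprint_matches() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    expected=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# usage: check_key KEYID EXPECTED_FINGERPRINT < gpg-colons-output
check_key() {
    fp=$(fingerprint_for_key "$1")
    if fingerprint_matches "$fp" "$2"; then
        echo "fingerprint verified for $1: ok to trust and add with git-crypt add-gpg-user"
        return 0
    fi
    echo "fingerprint MISMATCH for $1: got '$fp', expected '$2'" >&2
    return 1
}

# Constructed sample of `gpg --list-keys --with-colons` output (not a real key).
SAMPLE_GPG_OUTPUT='tru::1:1700000000:0:3:1:5
pub:-:4096:1:ABCDEF0123456789:1700000000::-:::scESC::::::23::0:
fpr:::::::::000011112222333344445555ABCDEF0123456789:
uid:-::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:'

# Example run on the constructed sample; for a real key replace the printf with
#   gpg --list-keys --with-colons <key id> | check_key <key id> "<fingerprint read out by the user>"
printf '%s\n' "$SAMPLE_GPG_OUTPUT" | check_key ABCDEF0123456789 "0000 1111 2222 3333 4444  5555 ABCD EF01 2345 6789"
```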
Once the above has been set up, update your local repository clone and unlock the secrets:

```
$ git pull
$ git-crypt unlock
```

From this point on, git-crypt operates transparently.
You can verify the status of files by using