Git-Crypt
We use git-crypt to ensure that application secrets are encrypted at rest in git. Only files matched by a `filter=git-crypt` rule in the repository's .gitattributes are encrypted; everything else is committed in the clear as usual.
Prerequisites
- Install GPG
- Install git-crypt
- Generate a key pair, if you don’t have one already. The GitHub documentation is a good reference.
- Push your public key to a key server:
gpg --send-keys PUBKEYID
- Add the public key to your GitHub account, again following the GitHub documentation.
Setup
- If the repository has not been set up before, follow the git-crypt documentation to do so.
- Otherwise, share your PUBKEYID with an existing member of your team. They will need to trust your key and add you to the repository (see the section below or the git-crypt documentation above).
Adding gpg key to repo
The user who generated the GPG key will need to do the following:
- Run the following command and find the Key ID of the key you’ve just generated:
gpg --list-secret-keys --keyid-format=long
- Export the gpg key:
gpg --armor --export --output ./<key id>.gpg <key id>
- Send the exported .gpg to the existing member of the team.
The existing member of your team will need to do the following steps:
- Branch the repo that you want to add the user to.
- Download the exported gpg key from the user.
- Import the key:
gpg --import <key id>.gpg
- Add the user:
git-crypt add-gpg-user <user email address>
This creates a commit that adds a copy of the repository key, encrypted to the new user's public key, under .git-crypt/keys/. git-crypt refuses a key that is not marked as trusted in your GPG keyring, so sign or trust it first (for example with gpg --edit-key), or pass --trusted if you have verified the fingerprint with the user out of band.
- Push the changes and create a PR to merge the branch.
Usage
Once the above has been setup, update your local repository clone and unlock the secrets:
$ git pull
$ git-crypt unlock
From this point on, git-crypt operates transparently: the files covered by .gitattributes are decrypted in your working tree and encrypted again when committed. You can verify the status of files by using git-crypt status.
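A check a practitioner would want alongside git-crypt status is an independent confirmation that the secrets actually committed to the repository are ciphertext, for example in a pre-push hook or CI job where git-crypt and the unlock key are not present. The script below is an added example for this guide; it is not code from the Cloud Platform team or from git-crypt. It relies on the fact that git-crypt ciphertext begins with the 10-byte magic "\0GITCRYPT\0" (the same marker git-crypt status looks for) and inspects the stored blobs with plain git. The repository it builds, the `secrets/*` attribute rule and the file names are constructed for the demonstration and are not real secrets or real git-crypt output.

```shell
#!/usr/bin/env sh
# Added example for this guide; it is not code from the Cloud Platform team or
# from git-crypt. It verifies that every file routed through the git-crypt
# filter in a given commit is stored as ciphertext. git-crypt ciphertext begins
# with the 10-byte magic "\0GITCRYPT\0" (the marker git-crypt status looks
# for); a file committed from a clone where the filter was never configured, or
# added before its .gitattributes rule existed, is stored in the clear and has
# no such header. Only git is required; git-crypt need not be installed.

GITCRYPT_MAGIC_HEX="$(printf '\000GITCRYPT\000' | od -A n -t x1 | tr -d ' \n')"

# check_gitcrypt_commit REPO REV
# Prints "encrypted PATH" or "PLAINTEXT PATH" for each git-crypt-managed file
# in REV (default HEAD). Returns 1 if any managed file is plaintext, else 0.
check_gitcrypt_commit() {
  repo="$1"
  rev="${2:-HEAD}"
  list="$(mktemp)"
  rc=0
  git -C "$repo" ls-tree -r --name-only "$rev" > "$list"
  while IFS= read -r path; do
    # Attribute lookup uses the .gitattributes in the working tree, as git itself does.
    attr="$(git -C "$repo" check-attr filter -- "$path" | sed 's/^.*: filter: //')"
    [ "$attr" = "git-crypt" ] || continue
    # cat-file returns the stored blob bytes; no smudge or textconv filter is applied.
    head_hex="$(git -C "$repo" cat-file blob "$rev:$path" | head -c 10 | od -A n -t x1 | tr -d ' \n')"
    if [ "$head_hex" = "$GITCRYPT_MAGIC_HEX" ]; then
      echo "encrypted $path"
    else
      echo "PLAINTEXT $path"
      rc=1
    fi
  done < "$list"
  rm -f "$list"
  return "$rc"
}

# make_demo_repo DIR
# Builds a constructed repository (no real secrets, no real git-crypt output):
# one file carrying the git-crypt header, one plaintext file under the same
# .gitattributes rule, and one unmanaged README.
make_demo_repo() {
  dir="$1"
  git init -q "$dir"
  printf 'secrets/* filter=git-crypt diff=git-crypt\n' > "$dir/.gitattributes"
  mkdir -p "$dir/secrets"
  # Fake ciphertext: magic header, a 12-byte stand-in for the nonce, then payload bytes.
  { printf '\000GITCRYPT\000'; printf '%s%s' '0123456789ab' 'opaque-bytes'; } > "$dir/secrets/db.env"
  printf 'DB_PASSWORD=hunter2\n' > "$dir/secrets/plaintext.env"   # the leak: no filter ran
  printf '# demo repo\n' > "$dir/README.md"
  git -C "$dir" add -A
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com commit -q -m 'demo commit'
}

# demo_check_status: runs the check against the constructed repo and prints its
# exit status (1, because secrets/plaintext.env is stored unencrypted).
demo_check_status() {
  dir="$(mktemp -d)"
  make_demo_repo "$dir" >/dev/null 2>&1
  if check_gitcrypt_commit "$dir" HEAD >/dev/null; then result=0; else result=1; fi
  rm -rf "$dir"
  echo "$result"
}
```

Run `check_gitcrypt_commit . HEAD` from a clone (or loop it over the commits a push would publish) and fail the push or pipeline on a non-zero exit. Because it reads the stored blobs with `git cat-file`, the result is the same whether or not the clone is unlocked; it only needs the .gitattributes rules to be present in the working tree.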
This page was last reviewed on 2 September 2024. It needs to be reviewed again on 2 March 2025 by the page owner #cloud-platform.