git-secret
:busts_in_silhouette: A bash-tool to store your private data inside a git repository.
Quick Overview
Git Secret is a command-line tool that allows you to encrypt and decrypt files in a Git repository. It provides a secure way to store sensitive information, such as passwords, API keys, or other confidential data, within your Git repository.
Pros
- Encryption: Git Secret uses strong encryption algorithms (GPG) to protect your sensitive data.
- Decentralized: The encrypted files are stored directly in your Git repository, making it easy to share and collaborate on the project.
- Flexible: Git Secret supports various file types and can be integrated into your existing Git workflow.
- Open-source: The project is open-source, allowing for community contributions and transparency.
Cons
- Complexity: Setting up and managing Git Secret may have a steeper learning curve for some users.
- Dependency on GPG: Git Secret relies on the GPG (GNU Privacy Guard) tool, which needs to be installed and configured separately.
- Limited file size: There may be limitations on the size of files that can be encrypted using Git Secret.
- Potential for human error: Improper usage or configuration of Git Secret could lead to data loss or security breaches.
Code Examples
N/A (This is not a code library)
Getting Started
To get started with Git Secret, follow these steps:
- Install the required dependencies:
  - Git
  - GPG (GNU Privacy Guard)
- Install Git Secret:
  - On macOS, you can use Homebrew: brew install git-secret
  - On Linux, you can use your package manager (e.g., apt-get install git-secret)
  - On Windows, you can use Chocolatey: choco install git-secret
- Initialize Git Secret in your repository:
  git secret init
- Add files to be encrypted:
  git secret add <file1> <file2> ...
- Encrypt the files:
  git secret hide
- Commit the encrypted files to your Git repository:
  git add .
  git commit -m "Add encrypted files"
  git push
- To decrypt the files, use the following command:
  git secret reveal
- Optionally, you can add or remove users who have access to the encrypted files:
  git secret tell <user_email>
  git secret killperson <user_email>
For more detailed information and advanced usage, please refer to the Git Secret documentation.
Competitor Comparisons
Transparent file encryption in git
Pros of AGWA/git-crypt
- Transparent Encryption: AGWA/git-crypt automatically encrypts and decrypts files based on the Git repository's configuration, making it transparent to the user.
- Flexible Configuration: AGWA/git-crypt allows for fine-grained control over which files are encrypted, using patterns and regular expressions.
- Compatibility: AGWA/git-crypt is compatible with various Git hosting services, including GitHub, GitLab, and Bitbucket.
Cons of AGWA/git-crypt
- Complexity: AGWA/git-crypt may have a steeper learning curve compared to sobolevn/git-secret, as it offers more advanced configuration options.
- Dependency on GPG: AGWA/git-crypt relies on the GPG (GNU Privacy Guard) tool for key management, which may not be suitable for all users.
- Lack of Automated Key Rotation: AGWA/git-crypt does not provide built-in support for automated key rotation, which can be important for security.
Code Comparison
Here's a brief code comparison between the two projects:
AGWA/git-crypt (Initialization):
git-crypt init
sobolevn/git-secret (Initialization):
git secret init
The main difference is that AGWA/git-crypt uses the git-crypt init command to initialize the repository for encryption, while sobolevn/git-secret uses the git secret init command.
Safely store secrets in Git/Mercurial/Subversion
Pros of Blackbox
- Blackbox supports multiple encryption tools, including GPG and Keybase, allowing for more flexibility in encryption methods.
- Blackbox has a larger community and more contributors compared to Git Secret, potentially leading to more active development and support.
- Blackbox provides a more comprehensive set of features, including support for secrets rotation and key revocation.
Cons of Blackbox
- Blackbox has a steeper learning curve compared to Git Secret, as it requires more configuration and setup.
- Blackbox may be less lightweight and more complex than Git Secret, which could be a drawback for simpler use cases.
- Blackbox's reliance on external encryption tools, such as GPG, may be a disadvantage for users who prefer a more integrated solution.
Code Comparison
Git Secret:
def tell(filenames, passphrase):
    """Encrypts the given files using the provided passphrase."""
    # encrypt_file(filename, passphrase) is assumed to be defined elsewhere in this snippet
    for filename in filenames:
        encrypt_file(filename, passphrase)
        print(f'File {filename} has been encrypted.')
Blackbox:
import os
import gnupg  # python-gnupg

gpg = gnupg.GPG()  # assumed to be configured for the keyring holding the recipients' keys

def encrypt_file(filename, recipients):
    """Encrypts the given file for the specified recipients."""
    with open(filename, 'rb') as f:
        plaintext = f.read()
    # always_trust=True skips GnuPG's key-validity check, so the recipients' keys
    # must have been verified by other means before they are used here
    ciphertext = gpg.encrypt(plaintext, recipients, always_trust=True, output=filename + '.gpg')
    if ciphertext.ok:
        os.remove(filename)  # the plaintext is removed only after encryption succeeded
Simple and flexible tool for managing secrets
Pros of SOPS
- SOPS supports a wide range of encryption backends, including AWS KMS, GCP KMS, Azure Key Vault, and more, allowing for greater flexibility in key management.
- SOPS provides a command-line interface (CLI) for easy integration into build and deployment workflows.
- SOPS supports multiple file formats, including YAML, JSON, and binary formats, making it versatile for different project requirements.
Cons of SOPS
- SOPS may have a steeper learning curve compared to Git Secret, as it requires understanding the various encryption backends and configuration options.
- SOPS may have a larger dependency footprint, as it relies on external libraries and tools for its functionality.
- SOPS may not be as tightly integrated with Git as Git Secret, which is designed specifically for use with Git repositories.
Code Comparison
Git Secret:
def tell(paths, passphrase):
    """Encrypts the given files using the provided passphrase."""
    # encrypt(data, passphrase) is assumed to be defined elsewhere in this snippet
    for path in paths:
        with open(path, 'rb') as f:
            data = f.read()
        encrypted = encrypt(data, passphrase)
        with open(path + '.secret', 'wb') as f:
            f.write(encrypted)
SOPS:
func Encrypt(data []byte, keygroups []sops.KeyGroup) ([]byte, error) {
    tree, err := sops.LoadEncryptedFile(data)
    if err != nil {
        return nil, err
    }
    tree, err = tree.Encrypt(keygroups)
    if err != nil {
        return nil, err
    }
    return tree.Bytes()
}
README
git-secret
What is git-secret?
git-secret is a bash tool which stores private data inside a git repo. git-secret encrypts files with permitted users' public keys, allowing users you trust to access encrypted data using pgp and their secret keys.
With git-secret, changes to access rights are simplified, and private-public key issues are handled for you. When someone's permission is revoked, secrets do not need to be changed with git-secret - just remove their key from the repo's keyring using git secret removeperson their@email.com, re-encrypt the files, and they won't be able to decrypt secrets anymore. If you think the user might have copied the secrets or keys when they had access, then you should also change the secrets.
Preview
Installation
git-secret supports brew, just type: brew install git-secret
It also supports apt and yum. You can also use make if you want to.
See the installation section for the details.
Requirements
git-secret relies on several external packages:
- bash since 3.2.57 (it is hard to tell the correct patch release)
- gawk since 4.0.2
- git since 1.8.3.1
- gpg since gnupg 1.4 to gnupg 2.X
- sha256sum since 8.21 (on freebsd and MacOS shasum is used instead)
Contributing
Do you want to help the project? Find an issue and send a PR. It is more than welcomed! See CONTRIBUTING.md on how to do that.
Security
In order to encrypt (git-secret hide -m) files only when modified, the path mappings file tracks sha256sum checksums of the files added (git-secret add) to git-secret's path mappings filesystem database. Although the chances of encountering a sha collision are low, it is recommended that you pad files with random data for greater security, or avoid using the -m option altogether.
If your secret file holds more data than just a single password, these precautions should not be necessary, but could be followed for greater security.
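The checksum-tracking step described above, as an added example that is not git-secret's own code: a mapping file records one sha256 checksum per secret file, a file is re-encrypted only when its current checksum differs from the recorded one, and appending random padding changes the checksum that ends up committed. The function names, the "path:sha256hex" line format of the mapping file and the padding format are assumptions made for this example; git-secret's real mapping.cfg may differ.

```shell
#!/usr/bin/env bash
# Added example, not git-secret's own code. Models the "hide only if modified"
# check from the Security section. Assumption: the mapping file holds one
# "path:sha256hex" line per secret file (a format constructed for this example).
set -e

# Checksum a file as the README describes: sha256sum where available,
# shasum -a 256 otherwise (FreeBSD, macOS).
file_checksum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Print the checksum recorded for a path in the mapping file (nothing if absent).
recorded_checksum() {
  mapping=$1; path=$2
  [ -f "$mapping" ] || return 0
  awk -F: -v p="$path" '$1 == p { print $2; exit }' "$mapping"
}

# Succeed (exit 0) when the file should be re-encrypted: there is no record yet,
# or the current checksum differs from the recorded one.
needs_reencrypt() {
  mapping=$1; path=$2
  current=$(file_checksum "$path")
  recorded=$(recorded_checksum "$mapping" "$path")
  [ "$current" != "$recorded" ]
}

# Store the file's current checksum in the mapping file, replacing any old line.
record_checksum() {
  mapping=$1; path=$2
  sum=$(file_checksum "$path")
  tmp=$(mktemp)
  touch "$mapping"
  awk -F: -v p="$path" '$1 != p' "$mapping" > "$tmp"
  printf '%s:%s\n' "$path" "$sum" >> "$tmp"
  mv "$tmp" "$mapping"
}

# Append a line of hex-encoded random bytes to a secret file. This is the padding
# the README recommends: the committed checksum then depends on random data and
# not only on the secret's content.
pad_with_random() {
  printf '\n# pad: %s\n' "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')" >> "$1"
}

# Walk through one cycle on a constructed secret file in a temporary directory.
demo() {
  dir=$(mktemp -d)
  printf 'constructed sample secret\n' > "$dir/secret.txt"
  record_checksum "$dir/mapping.cfg" "$dir/secret.txt"
  if needs_reencrypt "$dir/mapping.cfg" "$dir/secret.txt"; then
    echo "unchanged file reported as modified (unexpected)"
  else
    echo "secret.txt unchanged: hide -m would skip it"
  fi
  pad_with_random "$dir/secret.txt"
  if needs_reencrypt "$dir/mapping.cfg" "$dir/secret.txt"; then
    echo "secret.txt padded: checksum changed, hide -m would re-encrypt it"
  fi
  rm -rf "$dir"
}

demo
```

Each call to pad_with_random produces a different checksum, which is why a recorded checksum of a padded file no longer reveals anything about the secret on its own; the original, unpadded content of a very short file would hash to the same value every time.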
If you found any security related issues, please do not disclose it in public. Send an email to mail@sobolevn.me
Changelog
git-secret
uses semver. See CHANGELOG.md.
Packagers
Thanks to all the people and groups who package git-secret
for easier install on particular OSes and distributions!
Here are some packagings of git-secret
that we're aware of:
- https://formulae.brew.sh/formula/git-secret
- https://packages.ubuntu.com/bionic/git-secret
- https://src.fedoraproject.org/rpms/git-secret
- https://aur.archlinux.org/packages/git-secret/
- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret
- https://packages.debian.org/sid/git-secret
- https://github.com/void-linux/void-packages/blob/master/srcpkgs/git-secret/template
Such packages are considered 'downstream' because the git-secret code 'flows' from the git-secret repository to the various rpm/deb/dpkg/etc packages that are created for specific OSes and distributions.
We have also added notes specifically for packagers in CONTRIBUTING.md.
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
Backers
Thanks to all our backers!
Contributors
This project exists thanks to all the people who contribute. [Contribute].
License
MIT. See LICENSE.md for details.
Thanks
Special thanks to Elio Qoshi from ura for the awesome logo.