Sometime you may want to store secrets in git repository and keep track of changes history. For example you may want to store a production configuration or any other sensitive information.
You may already know that git-crypt may be your friend in this case. But what you can do in case if you developing software using Windows platform like I'm doing this? That's may be a problem to use this nice tool on Windows OS.
You may find binaries for git-crypt somewhere on the internet, but would you trust to such binaries? I believe not.
What can we do in this case? We can build our own binary and test it on our repository.
In this article we will build such binary and will do few experiments to check that it will work for us.
Building
To build the git-crypt we will need to perform:
- Install msys2 following steps from http://www.msys2.org/
- Update packages (this information also can be found following the link above) using:
pacman -Syu - Update core packages using
pacman -Su - Re-open your msys2 shell and repeatedly run command below until you will have message that you have no more updates:
pacman -Syuu - Install gcc and common build tools using:
pacman -S --needed base-devel mingw-w64-i686-toolchain mingw-w64-x86_64-toolchain \
git subversion mercurial \
mingw-w64-i686-cmake mingw-w64-x86_64-cmake
- Add /mingw64/bin and /mingw32/bin (in this order) to your PATH using:
export PATH=$PATH:/mingw64/bin:/mingw32/bin - Check that g++ is available and accessible using:
g++ --version - Clone git-crypt repository using command
git clone https://github.com/AGWA/git-crypt.git - Go to folder with source of git-crypt using:
cd git-crypt - For static build with all dependencies linked to git-crypt.exe please run command below. This will create pretty big file (in my case it has size of 12.4 Mb) but it's more convenient from my point of view to have standalone file that just works. Command to build:
make LDFLAGS="-static-libstdc++ -static -lcrypto.dll" - After build will be finished you may find git-crypt.exe in current folder.
Configuration
You may want to put git-crypt.exe in some folder and then configure it to be discoverable from PATH environment variable for your Windows user or for all users in system.
Then you may check in command line that this great tool is accessible by executing:
git-crypt --help
Usage
Please go to your git folder and issue:
git-crypt init
After this you may want to configure which files will be encrypted before pushing your code by editing .gitattributes file:
For example to recursively encrypt all files in folder sensitive which is located in your root folder you will need to add line:
sensitive/** filter=git-crypt diff=git-crypt
To check that your files will be encrypted you can use:
git-crypt status
Then you can perform commit, push your code and double check that your files will be encrypted. By validating what is visible in your GitHub / GitLab.
In my case I exported encryption key using command:
git-crypt export-key e:\mydocs\git-crypt\some.secret
Then you may want to check that after checkout you will be able to decrypt sensitive files. To do this you may checkout your code in separate folder and after doing this you will find your secret files encrypted. To decrypt them using configuration that I'm following you will need to execute:
git-crypt unlock e:\mydocs\git-crypt\some.secret
Conclusion
- git-crypt is a great tool to store secrets and sensitive information in a git repository
- It's absolutely transparent in use and you always will be able to edit your files with sensitive information
- After you will push your code you will see in your GitHub / GitLab that your information is encrypted
- We have a way to build git-crypt from source files avoiding download of suspicious files created by some unknown person in internet. Which is especially important when we dealing with secrets.
Enjoy.
No comments:
Post a Comment