{"id":13826833,"url":"https://github.com/jswidler/lockgit","last_synced_at":"2025-07-09T01:31:38.936Z","repository":{"id":53849316,"uuid":"154162780","full_name":"jswidler/lockgit","owner":"jswidler","description":"A CLI tool for storing encrypted data in a git repo","archived":false,"fork":false,"pushed_at":"2023-02-25T09:09:32.000Z","size":268,"stargazers_count":128,"open_issues_count":3,"forks_count":1,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-08-05T09:15:42.224Z","etag":null,"topics":["encrypt-secrets","git","lockgit","secret","secret-management","store-secrets","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jswidler.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-10-22T14:55:48.000Z","updated_at":"2024-04-09T06:08:38.000Z","dependencies_parsed_at":"2024-01-15T15:48:14.523Z","dependency_job_id":"e3071c87-f973-42fc-95f5-7a2cd76a6e9f","html_url":"https://github.com/jswidler/lockgit","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jswidler%2Flockgit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jswidler%2Flockgit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jswidler%2Flockgit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jswidler%2Flockgit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jswidler","download_url":"https://code
load.github.com/jswidler/lockgit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225476383,"owners_count":17480215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encrypt-secrets","git","lockgit","secret","secret-management","store-secrets","vault"],"created_at":"2024-08-04T09:01:45.080Z","updated_at":"2024-11-20T05:31:11.901Z","avatar_url":"https://github.com/jswidler.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"\u003cimg src=\"./images/lockgit.png\" alt=\"LockGit\" width=\"400px\"\u003e\n\n[![License](https://img.shields.io/github/license/jswidler/lockgit)](https://github.com/jswidler/lockgit/blob/master/LICENSE)\n[![Release](https://img.shields.io/github/v/release/jswidler/lockgit)](https://github.com/jswidler/lockgit/releases)\n[![CircleCI](https://img.shields.io/circleci/build/github/jswidler/lockgit/master)](https://circleci.com/gh/jswidler/lockgit/tree/master)\n[![Go Report](https://goreportcard.com/badge/github.com/jswidler/lockgit)](https://goreportcard.com/report/github.com/jswidler/lockgit)\n[![Go Lang](https://img.shields.io/github/go-mod/go-version/jswidler/lockgit)](https://golang.org)\n\nLockGit is intended to be used with source control to safely store secrets using encryption,\nso the secrets are unreadable to anyone who has access to the repository but does not have the key.\n\n#\n\n## Table of Contents\n\n* [Getting Started](#getting-started)\n  * [Installation](#installation)\n  * [List of commands](#list-of-commands)\n* [Using 
LockGit](#using-lockgit)\n  * [Initialize a vault](#initialize-a-vault)\n  * [Add secrets](#add-secrets)\n  * [Use source control](#use-source-control)\n  * [Delete and Restore plaintext secrets](#delete-and-restore-plaintext-secrets)\n  * [Share the key with someone else](#share-the-key-with-someone-else)\n  * [Make changes to your secrets](#make-changes-to-your-secrets)\n* [Security](#security)\n  * [Encryption](#encryption)\n  * [Files](#files)\n  * [Other safety](#other-safety)\n\n## Getting Started\nStoring secrets in Git is dangerous and sometimes even considered a bad practice.\nYet, many people require a place to store secrets and git is a useful tool that we\nare used to using. So - enter __LockGit__, a tool to make it easy to use encryption\nto safely store secrets in a Git repository.\n\n### Installation\n\nLockGit can be installed as a binary with either Homebrew on OSX or Linuxbrew on Linux.\n\n```\nbrew install jswidler/tap/lockgit\n```\n\nYou can also build from source with `go get github.com/jswidler/lockgit`.  
Bash and zsh completion are installed for you if you use brew, so that is the preferred method.\n\n### List of commands\n\n```\nUsage:\n  lockgit [command]\n\nAvailable Commands:\n  init        Initialize a lockgit vault\n  set-key     Set the key for the current vault\n  reveal-key  Reveal the lockgit key for the current repo\n  delete-key  Delete the key for the current vault\n  add         Add files and glob patterns to the vault\n  rm          Remove files and globs patterns from the vault\n  status      Check if tracked files match the ones in the vault\n  commit      Commit changes of tracked files to the vault\n  open        Decrypt and restore secrets in the vault\n  close       Delete plaintext secrets\n  ls          List the files in the lockgit vault\n  globs       List the saved glob patterns in the vault\n  help        Help about any command\n```\n\n\n## Using LockGit\n\nSuppose there is a small project with the following files in it.  \n\n```\nmyserverconfig\n├── config\n│   ├── config.yml\n│   ├── creds.json\n│   └── tls\n│       ├── cert.pem\n│       ├── chain.pem\n│       ├── fullchain.pem\n│       └── privkey.pem\n└── nginx.conf\n```\n \nSome of the files are too sensitive to check into Git without encryption. 
Let's encrypt them with LockGit.\n \n\n##### Initialize a vault\nFirst, initialize a new vault in the `myserverconfig` directory:\n \n```\n$ lockgit init\nInitialized empty lockgit vault in /home/myserverconfig/.lockgit\nKey added to /Users/jesse/.lockgit.yml\n```\n\n##### Add secrets\nNext, add the secrets to it\n\n```\n$ lockgit add '**/creds.json' '**/*.pem'\nadded file 'config/creds.json' to vault\nadded file 'config/tls/chain.pem' to vault\nadded file 'config/tls/cert.pem' to vault\nadded file 'config/tls/privkey.pem' to vault\nadded file 'config/tls/fullchain.pem' to vault\nadded glob pattern '**/*.pem' to vault\nadded glob pattern '**/creds.json' to vault\n```\nWe can see what secrets are in the vault with either `lockgit ls` or `lockgit status` .\n\n```\n$ lockgit status\n            FILE           | UPDATED |    PATTERN    |                ID\n+--------------------------+---------+---------------+----------------------------------+\n  config/creds.json        | false   | **/creds.json | Oov8Rpf2YOU0mEQhGlHeDCzFHXRtkFnu\n  config/tls/cert.pem      | false   | **/*.pem      | miehMYgqYtIVGMpVnss4ZZzlAQRpZAVd\n  config/tls/chain.pem     | false   | **/*.pem      | m4_U5mtAOlEuXL5raxvWHRxBq2vq24Q3\n  config/tls/fullchain.pem | false   | **/*.pem      | a1r4uoyv0XQpeltE7NjWD_93ufb27gzK\n  config/tls/privkey.pem   | false   | **/*.pem      | BT19Sb8kQxx5Ztp20cX4IJQEAJE5vAkp\n```\n\n\nThe files have been encrypted and stored in the `.lockgit` directory.  It currently looks\nsomething like this:\n\n```\n.lockgit/\n├── data\n│   ├── BT19Sb8kQxx5Ztp20cX4IJQEAJE5vAkp\n│   ├── Oov8Rpf2YOU0mEQhGlHeDCzFHXRtkFnu\n│   ├── a1r4uoyv0XQpeltE7NjWD_93ufb27gzK\n│   ├── m4_U5mtAOlEuXL5raxvWHRxBq2vq24Q3\n│   └── miehMYgqYtIVGMpVnss4ZZzlAQRpZAVd\n├── lgconfig\n└── manifest\n``` \n\n##### Use source control\nYou should check the entire `.lockgit` folder into source control.  
\n\nLockGit can also update `.gitignore` as you use it, which helps prevent accidentally checking in your secrets.  In our example, `**/creds.json` and `**/*.pem` have both been added to it.\n\n##### Delete and Restore plaintext secrets\nDelete and restore your secrets with `lockgit close` and `lockgit open`.\n\n##### Share the key with someone else\nTo see the key, use \n```\n$ lockgit reveal-key\nFA633KF422AXETBBMXUZYNXZDXN4VRKSE4TI4N2KTXYHV6MUAHQA\n```  \n\nTo use this key to unlock the vault, use `set-key`:\n\n```\n$ lockgit set-key FA633KF422AXETBBMXUZYNXZDXN4VRKSE4TI4N2KTXYHV6MUAHQA\n```\n\nThe key is saved to your home directory in the config file `~/.lockgit.yml` (unless you\noverride this location from the command line).  You can remove the key from the config\nfile by using `delete-key`.  Be wary that this will delete your key, so if it isn't written\ndown somewhere, you will lose the contents of the vault.\n\n\n##### Make changes to your secrets\nAfter you update a secret, lockgit can detect the change.\n\n```\n$ lockgit status\n            FILE           | UPDATED |    PATTERN    |                ID\n+--------------------------+---------+---------------+----------------------------------+\n  config/creds.json        | true    | **/creds.json | 2HDEn74HAAws-D1Y2HS1ak7e0xGSo7kN\n  config/tls/cert.pem      | false   | **/*.pem      | miehMYgqYtIVGMpVnss4ZZzlAQRpZAVd\n  config/tls/chain.pem     | false   | **/*.pem      | m4_U5mtAOlEuXL5raxvWHRxBq2vq24Q3\n  config/tls/fullchain.pem | false   | **/*.pem      | a1r4uoyv0XQpeltE7NjWD_93ufb27gzK\n  config/tls/privkey.pem   | false   | **/*.pem      | BT19Sb8kQxx5Ztp20cX4IJQEAJE5vAkp\n```\n\nTo update the encrypted secret, first use `lockgit commit`:\n\n```\n$ lockgit commit\nconfig/creds.json updated\n```\n\nThen commit the changes to source control.  
In this case there will be three changes:\n\n```\ndeleted:    .lockgit/data/2HDEn74HAAws-D1Y2HS1ak7e0xGSo7kN\nnew file:   .lockgit/data/Ik0gMeLDyIsIZNmNIEoeLzuH22kG2Cdp\nmodified:   .lockgit/manifest\n```\n\nThe two files in `.lockgit/data` are the encrypted secrets.\n\nThe manifest is a text file that can be easily examined.  This makes it possible to\nsee what secrets people are changing when reviewing commits.\n\n```\n$ cat .lockgit/manifest\nIk0gMeLDyIsIZNmNIEoeLzuH22kG2Cdp\tconfig/creds.json\nmiehMYgqYtIVGMpVnss4ZZzlAQRpZAVd\tconfig/tls/cert.pem\nm4_U5mtAOlEuXL5raxvWHRxBq2vq24Q3\tconfig/tls/chain.pem\na1r4uoyv0XQpeltE7NjWD_93ufb27gzK\tconfig/tls/fullchain.pem\nBT19Sb8kQxx5Ztp20cX4IJQEAJE5vAkp\tconfig/tls/privkey.pem\n```\n\n## Security\n\n### Encryption\n\nLockGit works by saving data files in the `.lockgit/data` directory with 256 bit AES encryption in CFB mode. Each\nencrypted file contains the contents of one file in the vault. The encrypted file also contains metadata with the\nrelative path and permissions of the file, which are used when recreating the file. The contents of the data files are\ncompressed with zlib before being encrypted.\n\nThe AES initialization vector is randomized each time a file is encrypted; therefore a different data file is produced each\ntime a file is encrypted, even if the contents are the same. Because the relative path is also stored in the encrypted\nfile, these files cannot be reused if a file moves but its contents are unchanged. This is by design, so that edits to the\nmanifest cannot cause the secrets to end up in unexpected places.\n\nA key to a LockGit vault is a 256 bit AES key. In text form, it is a 52 character base32 encoded string.\n\n2\u003csup\u003e256\u003c/sup\u003e (about 10\u003csup\u003e77\u003c/sup\u003e) key possibilities is a lot. There are about 2\u003csup\u003e80\u003c/sup\u003e (10\u003csup\u003e21\u003c/sup\u003e)\nstars in the observable universe - so 2^256 is, like, a really big number. 
AES is considered secure and uncrackable.  No\none will be able to decrypt the files without the key.\n\n### Files\n\nMost of the data LockGit will access on your filesystem will be inside of the project root, which is the location\nwhere you initialize a LockGit vault. Generally this would also be the same root directory as the Git repository.\nInside the project root folder, LockGit will create a folder called `.lockgit`, which is intended to be checked into\nsource control. All the data in this folder is either not sensitive or encrypted.\n\nThe one file outside the project root that LockGit uses is `.lockgit.yml`, which is placed in your home directory (`~`).\nThe keys to each vault are stored in this file.  If you read the YAML file, you will see a key and a path for each\nvault.  The path is not important - it is only there to make it easier for a human to identify the vault.  The vault is actually identified by its UUID, and the path in `.lockgit.yml` is updated to the last known location of the vault.\n\n### Other safety\n\nThe following points are provided to give assurance that LockGit will never send data and that future updates will be\nbackwards compatible.\n\n- All official public releases will always be able to read secrets saved by older versions, so there is never a danger\nyou will lose access to your secrets by updating.\n- LockGit has no network functionality.  It does not collect usage statistics, crash reports, your browser history, or\nanything else, so it cannot leak your key and respects your privacy.\n- LockGit will always be free and the source code is available under the MIT license.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjswidler%2Flockgit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjswidler%2Flockgit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjswidler%2Flockgit/lists"}