Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/erkkah/git-private

Store private data inside a git repository.
https://github.com/erkkah/git-private

age-encryption encryption git git-addons golang secrets-management

Last synced: 22 days ago
JSON representation

Store private data inside a git repository.

Host: GitHub
URL: https://github.com/erkkah/git-private
Owner: erkkah
License: isc
Created: 2021-08-09T11:46:52.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2023-05-18T16:59:19.000Z (over 1 year ago)
Last Synced: 2024-10-05T02:35:26.854Z (about 1 month ago)
Topics: age-encryption, encryption, git, git-addons, golang, secrets-management
Language: Go
Homepage:
Size: 93.8 KB
Stars: 22
Watchers: 3
Forks: 2
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # git-private

`git-private` lets you store private data inside a `git` repo.

A common use case is protecting files containing API keys et.c.

`git-private` encrypts your private files and keeps track of a list of public keys for users that should have access to these files. The complete state (encrypted files and public keys) is kept directly in the `git` repo, there are no external dependencies.

Encryption is provided by [age](https://github.com/FiloSottile/age), using either `age` or `ssh` key pairs.

`git-private` is a single binary tool, for easy installation and dependency tracking.

## Getting started

* [Install](#Installation) `git-private`

* In your repo, run `git private init`

* Add the key of the first user (most likely you): `git private keys add -keyfile ~/.ssh/id_rsa -pubfile ~/.ssh/id_rsa.pub`

* Add your private file: `git private add apikeys.json`

* Hide (encrypt) the added file: `git private hide -keyfile ~/.ssh/id_rsa`

Now, commit your changes. In this example, the changed files are:

* `.gitprivate/*`

* `.gitignore`

* `apikeys.json.private`

Note that:

* the `keyfile` is used to identify **you** while the `pubfile` is the public key being added

  * when the first key is added, the keyfile and pubfile belong to the same pair

* the original file, `apikeys.json` is added to `.gitignore` automatically and is not commited

* the `git-private` state lives in `.gitprivate/`

* the `hide` command encrypts all files tracked by `git-private`

* a user's private key should ***never*** be added to the git repo!

## Private key configuration

To avoid having to specify the private key file on the command line, use one of these environment variables instead:

* `GIT_PRIVATE_KEY`="private key data"

* `GIT_PRIVATE_KEYFILE`="path to private key file"

## Hiding files

Use the `add` and `remove` commands to update the list of files that should be tracked by `git-private`.

Then use the `hide` command to encrypt these files.

Hiding encrypts tracked files using the current public key list.

Be default, the original files are kept in place.

Use the `-clean` flag to remove them after encryption.

Example:

```shell

$ git private hide -keyfile ~/secret.age -clean

```

## Revealing hidden files

Use the `reveal` command to decrypt files.

This is needed after cloning a repo or when pulling changes to private files or keys.

If you don't want to reveal all files, you can specify a list of files to reveal.

## Managing keys

The `keys` command is used to list, add, remove or generate keys.

Note that except for the first key added, you need to be in the `git-private` key list to be able to access the key list.

Keys that are added as *read-only* can only be used to reveal files, which does not require access to the key list.

### `age` keys

`git-private` supports `age` keys as produced by the `age-keygen` tool.

Since `age` keys do not contain IDs, which is used to reference keys in `git-private`, the ID has to be provided using the `-id` flag when adding the key.

`age` keys can also be generated by the `keys generate` command. The tool will prompt for a passphrase, which will be used to protect the generated private key. If no passphrase is entered, the private key will be stored in clear text, just like the `age-keygen` tool does.

**Do not keep keys in the repo!**

### `ssh` keys

To simplify adoption of the tool, you can use existing `ssh` keys with `git-private`.

*Note that `ssh-agent` is not supported. Passphrases need to be entered on each encryption operation.*

## Checking status

In general, the tool refuses to overwrite existing files without specifying the `force` flag.

The tool keeps a hash of the last hidden version of a file, and uses that hash to check if currently revealed files are different.

Use the `status` command to check the status of files tracked by `git-private`.

The `status` command exits with code 0 (success) if all tracked files are in sync.

## Installation

Get pre-built binaries from [github](https://github.com/erkkah/git-private), or install using your local go toolchain:

```shell

$ go get github.com/erkkah/git-private

```

## CI/CD integration

To use `git-private` in automated build flows, create a keypair without passphrase using `git private keys generate`.

Then add the public key to the key list with read-only access (`git private keys add -readonly`...).

Use the secure variables storage feature of your CI/CD system to store the private key, and make sure `git-private` can read the key from the `GIT_PRIVATE_KEY` environment variable.

Now use the `reveal -clean` command to reveal all files needed for the build and remove the `.private` files to avoid distributing them with the build.

## Inspiration

This project is highly inspired by [git-secret](https://git-secret.io/), and attempts to provide the same functionality without dependencies to PGP and lots of shell stuff.

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

## Storage structure

All metadata lives in `.gitprivate`, file info in `files.json` and key info in `keys.dat`.

Encrypted files are stored next to the original files as `original.private`.