Installation and use of git-secret components (a mastery)

Contents

1. What is git-secret

2. What is gpg

3. Install git-secret

4. Use gpg to create a key pair

5. Use git-secret to encrypt git projects

6. View the project on gitlab

7. Download the project from gitlab and decrypt

8. Decrypt on macOS

Install gpg

Install git-secret

Export the private key

Export the public key

Copy the exported private key to the macOS machine

Import the downloaded private key into the local keyring

Decrypt on the macOS side


1. What is git-secret

git-secret encrypts selected files inside a git repository so that secrets (configuration files holding passwords, API tokens, private keys) can be committed and pushed without exposing their contents to everyone who can read the repository. Only people whose gpg public keys have been registered in the repository can decrypt them.

git-secret implements no cryptography of its own: it drives gpg (GnuPG) for key management and encryption, so gpg must be installed alongside it. This article introduces and installs both in detail.

2. What is gpg

In 1991 the programmer Phil Zimmermann wrote the encryption software PGP so that people could communicate without being monitored. It was easy to use, spread quickly and became a must-have tool for many programmers. PGP was later commercialised, however, and could no longer be used freely, so the GNU project produced a free implementation of the same OpenPGP standard, named GnuPG. That is where GPG comes from.

GPG has many uses; this article focuses on file encryption. Email encryption is configured differently in each mail client, so refer to the introduction on the Ubuntu website for that. The environment used in this article is the Linux command line. If you master the command line, Windows or Mac

3. Install git-secret

  1. wget https://bintray.com/sobolevn/rpm/rpm -O bintray-sobolevn-rpm.repo
  2. sudo mv bintray-sobolevn-rpm.repo /etc/yum.repos.d/
  3. sudo yum install git-secret

Run the three commands above in order: the first downloads the package author's (sobolevn) repository definition, the second installs it for yum, and the third installs git-secret from that repository. Note that Bintray, the service hosting this repository, was shut down in 2021, so the URL no longer resolves; on a current system follow the git-secret project's installation instructions for your distribution instead.

4. Use gpg to create a key pair

List public keys: gpg --list-keys

List private keys: gpg --list-secret-keys

Run these two commands first to see which public and private keys already exist.

Generate a key pair: gpg --gen-key

Note: in the interactive prompts the default "RSA and RSA" key type is selected, then the default RSA key length of 2048 bits; enter 0 to choose a key that never expires and y to confirm. (On GnuPG 2.2 and later, gpg --gen-key asks only for a name and e-mail address and applies defaults for everything else; use gpg --full-generate-key to get the prompts described here.)

Then enter your name and e-mail address (the address matters: it is the identifier you will later pass to git-secret to select this key), optionally a comment, and the letter o to confirm. Finally enter a passphrase to protect the private key. This passphrase is what git-secret asks for when it runs the decryption command; without the correct passphrase the private key cannot be used and decryption fails.

After the key pair has been created, the two list commands above show it.

5. Use git-secret to encrypt git projects

A git project falls into one of two cases.

Either the git project is being created from scratch for the first time, or it already exists (for example because it was cloned).

The only difference between the two cases is whether you have to run git init first to initialise the repository.

For a cloned project git init is not needed: the .git directory already exists.


We show the first case here, that is, the project is created locally for the first time and finally pushed to gitlab.

Initialise the git repository: git init

Initialise git-secret in the repository: git secret init (this creates the .gitsecret/ directory, which holds the recipients' public keys and the list of protected files, and is committed along with the rest of the project)

Register the e-mail address of the gpg key pair created above: git secret tell <email>

where <email> is the address associated with your gpg key. git-secret copies the public half of that key into .gitsecret/keys; every address registered this way will be able to decrypt the files.

Add the files git-secret should encrypt: git secret add <files>

where <files> is one or more file names separated by spaces. Make sure these plaintext files are listed in .gitignore so git never tracks them; depending on the git-secret version, add either does this for you or refuses files that are not ignored.

At this point the files are only registered (listed in .gitsecret/paths/mapping.cfg); they are still plaintext on disk and nothing has been encrypted yet.

After adding all the required files, hide them with the following command, which encrypts each of them to the registered public keys and writes the ciphertext to a new file:

git secret hide

Now it is safe to commit. It is recommended to run git secret hide from a pre-commit hook, otherwise an edit to a plaintext file may never be re-encrypted, and the version pushed to the remote silently lags behind your changes.

"Hidden" means the plaintext stays on your machine (ignored by git) and is never uploaded to gitlab or github; only the encrypted copy is.

To decrypt the files again, issue the command (this is shown in the decryption walkthrough at the end and is not used here):

git secret reveal

After running hide, you will find a new file next to each added file with a .secret suffix; that is the encrypted file.

At this time, we need to add all the files to the local repository, and finally submit them to gitlab or github.

git add .

git commit -m '3.28'

git remote add origin <address on gitlab>

git push -u origin master

6. View the project on gitlab

On gitlab you can see that the plaintext file was not uploaded, while its encrypted .secret counterpart (together with the .gitsecret directory) was.

Test successful!

7. Download the project from gitlab and decrypt

First clone the project from gitlab:

git clone <project address on gitlab>

Decrypt the files: git secret reveal

Note: you must enter the passphrase of the private key before it can be used (the passphrase chosen when the key pair was created). The machine running reveal must hold a private key matching one of the public keys registered with git secret tell; the clone alone is not enough.

After the decryption command runs, a decrypted version of each encrypted file is generated, which is the original source file.

8. Decrypt on macOS

Note: since the macOS computer is only used to decrypt the project, this article does not generate a new key pair there and instead copies the existing private key over. Bear in mind that every copy of a private key widens its exposure. The way git-secret is meant to bring in a second machine or person is to generate a key pair there, export only its public key, register it with git secret tell and run git secret hide again, so that no private key ever leaves the machine it was created on.

Install gpg

brew install gpg

Check if the installation is successful: gpg --version

Install git-secret

brew install git-secret

Check if the installation was successful: git secret --version

Export the private key

Note: the private key exported here is the one whose public key was used to encrypt this project.

gpg --armor --output <output filename> --export-secret-keys <user id>

The user id can be the e-mail address.

The output filename is free-form, but should be meaningful; a .key or .asc suffix is conventional.

The private key file is written to the directory in which you run the command. Treat it like a password: restrict its permissions, and delete it once it has been imported on the other machine.

The --armor option writes ASCII-armored text instead of binary output, which is easier to transfer and inspect.

Export the public key

Note: exporting the public key is not actually needed here. git-secret stores the recipients' public keys inside the repository (.gitsecret/keys), and an exported secret key block already contains the public half, so importing the private key on the macOS machine brings the public key along. The private-key steps above are sufficient.

The keyring (.gnupg/pubring.gpg on GnuPG 2.0 and earlier, .gnupg/pubring.kbx on 2.1 and later) is stored in binary form; --armor converts the exported key to ASCII.

gpg --armor --output <output filename> --export <user id>

The user id can be the e-mail address.

After exporting, the file you specified is created in the current directory and holds the public key.

Copy the exported private key to the macOS machine

Copy the private key file to the macOS machine over an encrypted channel, for example:

with the lrzsz tool, using the sz command from within an SSH session,

or with scp:

scp <exported private key file> <user>@<macos host>:<destination directory>

Import the downloaded private key into the local keyring

Add the downloaded private key to the gpg keyring on the macOS computer:

gpg --import <downloaded private key file>

gpg asks for the key's passphrase while importing; only with the correct passphrase does the import succeed. Afterwards gpg --list-secret-keys should show the key.

Decrypt on the macOS side

git secret reveal

Note: if there are several private keys in the local keyring, gpg does not ask which one to use. It picks the key matching a recipient key ID stored in the encrypted file, so just enter the passphrase of the private key that corresponds to the public key this project was encrypted with.
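The whole procedure of sections 4, 5, 7 and 8 in one script, as an added example that is not part of the original article or of git-secret itself. Two throw-away GnuPG keyrings under a temporary directory stand in for the two machines (alice creates the project, bob only decrypts), so it never touches your real ~/.gnupg. For the second machine it takes the route described in the note at the top of section 8: bob's public key is exported and registered with git secret tell, and no private key is copied. It assumes git, git-secret and GnuPG 2.1 or later (for --quick-gen-key) on PATH; the names, addresses and file contents are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the page or from the git-secret project): the whole
# workflow of sections 4, 5, 7 and 8 in one script. Two throw-away GnuPG
# keyrings stand in for the two machines: alice is the Linux box that creates
# the project, bob is the macOS machine that only needs to decrypt. Rather than
# copying alice's private key to bob's machine, bob's PUBLIC key is exported,
# imported by alice and registered with `git secret tell`.
# Assumptions: git, gpg (GnuPG 2.1 or later, for --quick-gen-key) and
# git-secret are on PATH; names, addresses and file contents are made up.
set -eu

WORK=$(mktemp -d)
ALICE_HOME=$WORK/gnupg-alice    # plays the role of ~/.gnupg on the Linux box
BOB_HOME=$WORK/gnupg-bob        # plays the role of ~/.gnupg on the Mac

# Section 4: create a key pair. The empty passphrase keeps the demo
# non-interactive; a real key should be protected by one.
make_key() {                    # $1 = GNUPGHOME, $2 = user id
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME=$1 gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never
}

# Section 5: new repository, register alice, add and hide one secret file.
create_repo() {                 # $1 = repository path
    git init -q "$1"
    cd "$1"
    git config user.name alice
    git config user.email alice@example.com
    GNUPGHOME=$ALICE_HOME git secret init
    printf 'db_password=hunter2\n' > config.env          # constructed secret
    echo config.env >> .gitignore                        # plaintext is never tracked
    GNUPGHOME=$ALICE_HOME git secret tell alice@example.com
    GNUPGHOME=$ALICE_HOME git secret add config.env
    GNUPGHOME=$ALICE_HOME git secret hide                # writes config.env.secret
    git add .
    git commit -q -m 'add encrypted config'
    cd - >/dev/null
}

# Section 8, the safe way round: only bob's public key travels. In real life
# bob sends the .asc file to alice; here both keyrings sit on one disk.
add_bob() {                     # $1 = repository path
    GNUPGHOME=$BOB_HOME gpg --armor --output "$WORK/bob.pub.asc" --export bob@example.com
    GNUPGHOME=$ALICE_HOME gpg --import "$WORK/bob.pub.asc"
    cd "$1"
    GNUPGHOME=$ALICE_HOME git secret tell bob@example.com
    GNUPGHOME=$ALICE_HOME git secret hide                # re-encrypt to both recipients
    git add .
    git commit -q -m 'grant bob access'
    cd - >/dev/null
}

# Section 7 on the second machine: clone, then reveal with bob's own private key.
reveal_as_bob() {               # $1 = origin path, $2 = clone path
    git clone -q "$1" "$2"
    cd "$2"
    GNUPGHOME=$BOB_HOME git secret reveal
    cd - >/dev/null
}

# 0 when the revealed copy matches the original plaintext and git history holds
# only config.env.secret, never config.env itself.
verify() {                      # $1 = clone path
    cmp -s "$1/config.env" "$WORK/repo/config.env" || return 1
    if git -C "$1" ls-files | grep -qx config.env; then return 1; fi
    git -C "$1" ls-files | grep -qx config.env.secret
}

demo() {
    make_key "$ALICE_HOME" 'Alice <alice@example.com>'
    make_key "$BOB_HOME"   'Bob <bob@example.com>'
    create_repo "$WORK/repo"
    add_bob "$WORK/repo"
    reveal_as_bob "$WORK/repo" "$WORK/clone"
    verify "$WORK/clone"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as sh git-secret-demo.sh run. If you follow the article's route instead (gpg --armor --export-secret-keys on the first machine, gpg --import on the second), reveal_as_bob works the same way against the keyring that received the import, but the private key has then existed in at least three places: both keyrings and the transfer file, which is why the public-key route is preferable.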