Installation and use of git-secret components (a mastery)
git-secret encrypts selected files in a git project so that sensitive files are not exposed when the repository is published on the World Wide Web.
git-secret relies on gpg for the encryption, so gpg must be installed as well. This article introduces both tools and walks through their installation and use.
In 1991, programmer Phil Zimmermann developed the encryption software PGP in order to avoid government surveillance. The software was easy to use, spread quickly, and became a must-have tool for many programmers. However, it was commercial software and could not be used freely, so the Free Software Foundation decided to develop a free replacement for PGP, named GnuPG. GPG is the abbreviation of GnuPG.
GPG has many uses; this article focuses on file encryption. For email encryption, each email client has its own settings; refer to the introduction on the Ubuntu website. The environment used in this article is the Linux command line. If you master the command line, Windows or Mac
- wget https://bintray.com/sobolevn/rpm/rpm -O bintray-sobolevn-rpm.repo
- sudo mv bintray-sobolevn-rpm.repo /etc/yum.repos.d/
- sudo yum install git-secret
After these three commands complete, git-secret is installed.
View public keys: gpg --list-key
View private keys: gpg --list-secret-keys
Run these two commands first to see which public and private keys already exist.
Generate key: gpg --gen-key
Note: the encryption method "RSA and RSA (default)" is selected by default, and the default RSA key length is 2048 bits. Enter 0 to select the default of a key that never expires, then enter y to confirm.
Enter your name and email address (the email address matters: git-secret later uses it to specify the key when encrypting the git project), optionally add a comment, then enter the letter o to confirm. Finally, enter a passphrase to protect the private key. This passphrase is what git-secret asks for when you run its decryption command; only with the correct passphrase can the private key be used to decrypt.
After the key has been created, you can view it with the list commands above; the result is as follows
First, git projects fall into two cases.
The first is a git project being created locally for the first time; the second is a git project that already exists.
The difference between the two cases is whether the git init command must be run first to initialize the git project.
If the project was cloned, you do not need to run git init.
We show the first case here, that is, a git project created locally for the first time and finally pushed to gitlab.
git project initialization: git init
Initialize the git-secret repository: git secret init
Add the email address associated with the new gpg key pair: git secret tell <@email>
where <@email> is the email address associated with your gpg key.
Add files to be encrypted by git-secret: git secret add <files>
where <files> is the name of one or more files you want to add. If adding multiple files, separate them with spaces.
At this point the added files are still stored in plaintext and can still be read.
After adding all required files, hide and encrypt them with the following command, which generates an encrypted copy of each file: git secret hide
At this point it is safe to commit the changes. It is recommended that you add the git secret hide command to your pre-commit hook; otherwise you may lose your changes.
"Hidden" means that the plaintext file will not be uploaded to gitlab or github.
To unhide and decrypt these files, issue git secret reveal (decryption is demonstrated in a later section; the command is not used here).
After running the hide command, you will find an additional file with the .secret extension next to each added file; this is the encrypted version.
Now add all files to the local repository and push them to gitlab or github:
git add .
git commit -m '3.28'
git remote add origin <address on gitlab>
git push -u origin master
On gitlab you will see that the plaintext source file was not uploaded, while its encrypted .secret counterpart was.
First, clone the project from gitlab:
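The pre-commit hook recommended above, written out as an added example (this is not code from the original article or from git-secret itself). It assumes that git-secret records the registered plaintext paths in .gitsecret/paths/mapping.cfg, one per line, optionally followed by a colon and a checksum; the hook refuses a commit that stages a registered plaintext file and otherwise re-runs git secret hide so the committed .secret files are current.

```shell
#!/bin/sh
# Added example: a pre-commit hook for a git-secret repository.
# 1. Abort the commit if a registered plaintext secret is staged.
# 2. Otherwise re-run `git secret hide` and stage the fresh .secret files,
#    so the committed ciphertext never lags behind the plaintext.
# Assumption: .gitsecret/paths/mapping.cfg has one registered path per line,
# optionally followed by ":<checksum>".

# Print the registered plaintext paths from a mapping.cfg read on stdin.
secret_paths() {
    # Drop anything from the first ':' on, then drop empty lines.
    sed -e 's/:.*$//' -e '/^[[:space:]]*$/d'
}

# staged_plaintext_secrets MAPPING_FILE STAGED_LIST
# Both arguments are files with one path per line. Prints every staged path
# that is a registered secret; returns 0 if none, 1 if at least one.
staged_plaintext_secrets() {
    mapping="$1"; staged="$2"; found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if grep -Fxq -- "$path" "$staged"; then
            printf 'refusing to commit plaintext secret: %s\n' "$path" >&2
            found=1
        fi
    done <<EOF
$(secret_paths < "$mapping")
EOF
    return "$found"
}

# Hook body: inspects the real index. Install this file as .git/hooks/pre-commit.
run_hook() {
    root="$(git rev-parse --show-toplevel)" || return 1
    staged_list="$(mktemp)"
    git diff --cached --name-only --diff-filter=ACMR > "$staged_list"
    if ! staged_plaintext_secrets "$root/.gitsecret/paths/mapping.cfg" "$staged_list"; then
        rm -f "$staged_list"; return 1
    fi
    rm -f "$staged_list"
    # Re-encrypt and stage the updated ciphertext files.
    git secret hide || return 1
    git secret list | while IFS= read -r p; do git add -- "$p.secret"; done
}

# Only run the hook body when git invokes this script as the pre-commit hook.
case "$0" in */pre-commit) run_hook ;; esac
```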
git clone <project address on gitlab>
Decrypt the files: git secret reveal
Note: you must enter the passphrase of the private key in order to use it (this is the passphrase entered when the key pair was created).
After the decryption command runs, a decrypted version of each encrypted file is generated; this is the original source file.
Note: since the macOS computer is only used to decrypt the project, there is no need to generate a new key pair on it; the existing private key is imported instead.
brew install gpg
Check if the installation is successful: gpg --version
brew install git-secret
Check if the installation was successful: git secret --version
Note: the private key exported here is the one corresponding to the public key that was used to encrypt this project.
gpg --armor --output <output filename> --export-secret-keys <user id>
The user id here can be the email address.
The output filename is arbitrary, but it is best to choose a meaningful name ending in .key.
The private key file is saved in the directory where the command is executed.
The --armor parameter produces ASCII-armored output instead of binary.
Note: we do not need to export the public key here, because git-secret uses the public key to encrypt files by default, so only the private-key export above is required. For reference, exporting the public key works as follows.
The public keyring (.gnupg/pubring.gpg) is stored in binary form; the --armor parameter converts the exported key to ASCII.
gpg --armor --output <output filename> --export <user id>
The user id here can be the email address.
After exporting, the specified file is created in the current directory and holds the public key.
Download the private key to the macOS machine:
Use the lrzsz tool, i.e. the sz command,
or send it with scp:
scp testPublic.key <user>@<macos host>:/
Add the downloaded private key to the local gpg keyring of the macOS computer:
gpg --import <downloaded private key>
When importing, you need to enter the passphrase of this private key; if it is correct, the import succeeds.
git secret reveal
Note: if several private keys exist locally, gpg does not indicate which one it needs; enter the passphrase of the private key that matches the public key this project was encrypted with.