March 4, 2020 | Last updated: March 9, 2020
CI/CD and process automation require working with sensitive data such as server credentials, keys to the API's of external providers, or keystore files used to sign mobile apps before uploading them to the online store. Usually, such data is stored within environment variables defined in the CI/CD tool. In some cases, though, it may be more convenient to store it in the repository – managing changes is easier, as well as sharing and browsing history.
However, once you decide to keep the data in the repository, it is strongly recommended to secure it with some form of encryption.
In this guide, we will describe how to do it with git-crypt and how to configure a pipeline that will automatically encrypt and decrypt files upon every push.
In short, git-crypt is a tool that allows you to encrypt and decrypt files with GPG keys in the background of Git commands. Once the tool is properly configured, the files are encrypted on push to and decrypted when fetched from the remote server.
brew install git-crypt brew install gpg$$
apt-get install -y git-crypt sudo apt-get install gnupg$$
First, create a new directory and add two files:
mkdir myrepo cd myrepo echo “everybody can read it” > README.md echo “this file has sensitive data” > secrets.txt$$$$
After that, initialize Git and git-crypt:
git init git-crypt init$$
In the directory with the sensitive data, add a
.gitattributes file and define which files should be encrypted. In our case, this will be
secrets.txt filter=git-crypt diff=git-crypt
Create new definitions for each file. You can also add patterns in the following way:
*.key filter=git-crypt diff=git-crypt secretdir/** filter=git-crypt diff=git-crypt
A good practice is to add a line to prevent encrypting the
.gitattributes file itself:
.gitattributes !filter !diff`
To check if the defined conditions work, run the following:
git-crypt status -e$
From now on the files will be automatically encrypted on every push, i.e. you will be able to read and edit them in your local working copy, but on the remote and in other working copies the files will be encrypted.
Create a new repository in your Git provider and push it to the remote:
git add . git commit -m ‘init commit’ git remote add origin REMOTE_URL git push master$$$$
Once you open
secrets.txt on the remote, you will see that it’s an encrypted binary file:
Secrets.txt in repository
If an unauthorized person (i.e. without a proper GPG key) clones the repository, the files in their working copy will also be encrypted. If you want your teammates to view and edit those files, you can do one of two things:
- Share the encryption key with them (symmetric key).
- Add their GPG key to authorized keys.
Begin with exporting the key that you used for encryption:
git-crypt export-key path/where/key/should/be/saved$
The exported key should be passed to your team members in a secure way. They can now decrypt the repository by running:
git-crypt unlock path/to/key$
git-crypt lock. All newly fetched changes will also be decrypted automatically.
First, the person we want to authorize needs to create their own GPG key. While creating it, they will be asked to enter an e-mail address:
After that, they need to list the keys and copy the key ID:
The last step is printing the key and passing it to the admin that will be granting the permissions to git-crypt:
gpg --export --armor $KEY_ID$
Now, the admin that grants the git-crypt rights has to save the GPG key on their disk and import it with the following command:
gpg --import /path/to/file$
After importing it, they need to add the key as trusted to git-crypt in the repository:
git-crypt add-gpg-user --trusted $EMAIL$
After committing changes to the repository, the new user is now able to decrypt the files in their working copy by running:
Secret data, such as config files, API keys, or certificates, needs to be decrypted during the application deployment. Usually, this is done using the symmetric key, the process looking exactly as we described it before.
All of the above can be automated with a properly configured delivery pipeline that will decrypt the files, build and deploy the application, and then encrypt the files back again on every execution:
The decryption is performed with symmetric key uploaded to the Git-crypt unlock action. The action uses the uploaded symmetric key to decipher the files in the pipeline filesystem:
Once all tasks are performed, you can secure the files once again with Git-crypt lock.
Customer Success Manager
With Buddy even the most complicated CI/CD workflows take minutes to create
Sign up for Buddy CI/CDStart a free trial