Skip to content

Latest commit

 

History

History
59 lines (37 loc) · 2.58 KB

secrets_management.md

File metadata and controls

59 lines (37 loc) · 2.58 KB
Raw

Secrets via git-secret and GnuPG

1. Generate your local GnuPG key

  • Generate your GnuPG key 4096 bits key using your odd-e.com email address with no-expiry (option 0 in dialog):
gpg --full-generate-key
  • Export your GnuPG public key:
gpg --export --armor <your_email>@odd-e.com > <your_email>_public_gpg_key.gpg
  • Email your GnuPG public key file <your_email>_public_gpg_key.gpg from above step and private message an existing git-secret collaborator

2. Add a new user's GnuPG public key to local dev machine key-ring for git-secret for team secrets collaboration

  • Add public key to local GnuPG key-ring: gpg --import <your_email>_public_gpg_key.gpg
  • Add user to git-secret managed list of users: git secret tell <your_email>@odd-e.com
  • Re-encrypt all managed secret files: git secret hide -d

3. List who are list of users managed by git-secret and allowed to encrypt/decrypt those files

  • Short list of user emails of managed users: git secret whoknows
  • List of user emails with expiration info of managed users: git secret whoknows -l

4. Removes a user from list of git-secret managed users (e.g. user should no longer be allowed access to list of secrets)

git secret killperson <user_to_be_removed_email>@odd-e.com

5. Add a new file for git-secret to manage

  • Remove sensitive file from git: git rm --cached <the_secret_file>
  • Tell git-secret to manage the file (auto add to .gitignore and update stuff in .gitsecret dir): git secret add <the_secret_file>
  • Encrypt the file (need to reveal and hide for changes in list of users in dough/secretspublic_keys dir): git secret hide

6. View diff of git-secret managed files

  • git secret changes -p <your__gpg_passphrase>

7. List all git-secret managed files

  • git secret list

8. Remove a git-secret file from git-secret management (make sure you reveal/decrypt it before doing this!!!)

  • Just remove file from git-secret management but leaves it on the filesystem: git secret remove <your__no_longer_secret_file>
  • Remove an encrypted file from git-secret management and permanently delete it from filesystem (make sure you have revealed/decrypted the file): git secret remove -c <your_no_longer_secret_file>

9. Reveal all git-secret managed encrypted files

  • Upon hitting enter/return for each decrypt command below, enter secret passphrase you used when you generated your GnuPG key-pair.
  • Decrypt secrets to local filesystem: git secret reveal
  • Decrypt secrets to stdout: git secret cat