Re-encryption of secrets in past git history #498
Comments
|
@kfwong since git retains the content of all committed versions of the file, yes, the old versions of the files could still be decrypted with the corresponding keys. As the current README.md at https://github.com/sobolevn/git-secret/blob/dd02a6f6576aadb2ea9f9a72eb63943d72c3f653/README.md says: When someone's permission is revoked, secrets do not need to be changed with git-secret - just remove their key from the keychain using git secret killperson their@email.com, re-encrypt the files, and they won't be able to decrypt secrets anymore. If you think the user might have copied the contents of the keys when they had access, then you should also change the secrets. |
|
I though of the same and I found this issue :-) The note you added in the README @joshrabinowitz appears on the project page, but not on the project site. It would be good to have it on both, because I believe this is important information. |
The documentation states:
My question is that whether the re-encryption applies to the secrets' past history?
My understanding from the above statement is that the revocation will only applies to the commits right after the re-encryption happens, therefore a user who has access rights revoked will still be able to decrypt the data from past history.
The text was updated successfully, but these errors were encountered: