Git-secret – store private data in a Git repo (opens in new tab)

(coderwall.com)

211 pointsbitsweet9y ago70 comments

70 comments

This project scares me because it helps foster a bad practice -- keeping secrets in a repo. You really shouldn't be keeping secrets in the repo.

You should be using a secrets service that is designed for such a purpose, like Hashicorp's Vault[0], so that you never have to keep a secret in the code.

[0] https://github.com/hashicorp/vault

paulddraper9y ago

Storing secrets in a repository is not bad.

Storing secrets in a repository with non-secrets is bad, because access is pre-repo, and it would hurt your ability to limit secret access to the smallest possible audience.

jedberg9y ago

You are technically correct, the best kind of correct.

However, storing secrets in a git repo is still not as good as a purpose built store, because the access control on git is not fine grained enough.

1 more reply

jfroma9y ago

Agree, also check out credstash[0], a very good and secure solution if you are running on AWS. Credstash is an small utility that encrypt with KMS and store the ciphertext of the datakey and secret on Dynamodb.

I configure my application roles to be able to decrypt with the master key and I restrict what ciphertext they can read from Dynamodb.

[0] https://github.com/fugue/credstash

Kinnard9y ago

Perhaps it's an alternative practice/behavior rather than a "bad" practice?

tptacek9y ago

It's a bad practice, because git makes keys practically irrevocable. It's not enough to rotate encryption keys, because the old ciphertexts are in the git history; you have to rotate the underlying secrets as well (people don't do this and shouldn't have to).

Don't store encrypted secrets in git if you can avoid it.

8 more replies

xanderstrike9y ago

In addition to what others are saying, for many types of secrets (API credentials, salts, keys, etc.) it's good practice to make them different in production vs development. This has the advantage of keeping your production secrets in the domain of ops, and your developers never even need to have them.

This is built on the assumption that you only ever have one set of secrets, or that you don't mind distributing your prod secrets to your engineers, both of which I would consider to be bad practice.

0xmohit9y ago

Another option worth considering may be Knox[0] by Pinterest.

> Knox is a service for storing and rotation of secrets, keys, and passwords used by other services.

[0] https://github.com/pinterest/knox

secfirstmd9y ago

On a sidenote: anyone know how Vault Project built this: it's very cool

https://www.vaultproject.io/#/demo/0

aeontech9y ago

Nice work!

I've been using https://github.com/AGWA/git-crypt until now, always good to have more alternatives.

Can you tell us what is different about your approach with this project?

ioquatix9y ago

I've started using git-crypt for deploying configuration. It keeps things simple and ensures that keys are not in plain text on bit-bucket which is basically good enough right now.

Confiks9y ago

I've been using ansible-vault to solve this problem in our infrastructure repository. A symmetric vault key is encrypted using gpg, and Ansible's vault_password_file is set to to an executable shell script containing `gpg --batch --use-agent --descrypt vault_key.gpg`.

Very specific to Ansible, but works fine. It's a shame only files containing variables (we're using group_vars) can be encrypted, and not arbitrary files or templates.

perlgeek9y ago

To be a bit pedantic, all .yml files can be encrypted with ansible-vault, so also playbooks and roles.

There are two things currently that bother me about ansible-vault. The first is that the 'edit' command write a completely new file even if I didn't change anything. And the second is that the diffs in git become useless. I'd love to have a special diff driver for ansible-vault encrypted files that decrypts before diffing when the secret is available.

Deinumite9y ago

If you use show instead of edit it doesn't re-encrypt the file.

Agreed on the useless diffs however, it makes reviewing pull requests or changes much harder.

1 more reply

RRRA9y ago

Uhm, for me edit brings up vi, I then :q and the file's modification date didn't change?

rgj9y ago

More things about Ansible vault that are a shame:

- no file encryption, only YML

- no separate values, only entire file

- OMG it's s...l...o...w...

- password based instead of certs

- only one password

- password cannot even stored in an env var

More: http://jpmens.net/2014/02/22/my-thoughts-on-ansible-s-vault/

RRRA9y ago

A good trick I found was to have a file with your values assigned as vault_something and then in the clear version have the variable assigned as: something: "{{ vault_something }}"

But yeah, the "only one password" is the biggest pain for me...

jcassee9y ago

Actually, you can make the vault password file an executable shell script containing

echo "$ANSIBLE_VAULT_PASSWORD"

jlgaddis9y ago

re: your last bullet point, I put my password as the only thing in a text file, then point the environment variable to that. Same effect, although it is one (small) extra step.

cs7029y ago

Another tool worth looking into is git-gpg, which allows you to store encrypted git repositories on third-party / potentially insecure servers, but unlike this tool it stores all changes to source files as compressible textual deltas (a key reason for using git in the first place). The repository is encrypted remotely but the local version has no encrypted blobs inside.

https://github.com/rustyio/git-gpg

Other benefits include architectural simplicity and low footprint: it consists of a single Python script that you add to your executable path.

TheHippo9y ago

Similar project, that I personally use quite often: https://github.com/StackExchange/blackbox

YesThatTom29y ago

I'm glad that blackbox is gaining in popularity. Future directions for the project are listed here: https://github.com/StackExchange/blackbox/blob/master/Versio...

y0ghur7_xxx9y ago

This should really work with ssh public/private keys¹. Public keys are probably already on the box the git server runs on, and users already have them generated to access git - no need to generate separate gpg keys.

If you have a github account the script could also get the pubkey directly from the github api...

¹http://superuser.com/questions/576506/how-to-use-ssh-rsa-pub...

bencord09y ago

SSH keys aren't really used for encryption. Typical ssh uses some kind of DH construct, with the ssh keypairs just used for authentication.

However, stackexchange is the right place to go if you want to use asymmetric secret storage in git.

https://github.com/stackexchange/blackbox

talaketu9y ago

See https://www.netmeister.org/blog/sharing-secrets-using-ssh-ke... and https://github.com/jschauma/jass

adamkochanowicz9y ago

I used to put .gpg files in my repos that stored sensitive information like database passwords and such.

I don't do that anymore. The main problem as I saw it was that you basically liberate your security to an environment you can't monitor or send rejections to (if someone downloads your gpg file). Compare this to an ssh server which affords both those abilities.

perlgeek9y ago

> When someone is out - just delete his public key, reencrypt the files, and he won’t be able to decrypt secrets anymore.

But they still can encrypt old versions stored in git, no? Do you change all secrets when somebody leaves the team/company? I guess that'd be best practice, but I have no idea how often that's done out there.

stouset9y ago

Yes, they can still decrypt old versions.

Storing secret keys, API keys, etc. in your git repo is a terrible idea and an antipattern any way you slice it. Keep your secrets out of version control.

The quoted advice is extremely bad. If someone who has access to a secret of any importance leaves your team, the only acceptable response is to rotate the secret.

Tehnix9y ago

Yes, he can still decrypt the secrets he had access to before his key was revoked, just as he could have written down those secrets before he was fired. There is no difference really, and the way to solve that is the same for both cases - you change your secrets after such an event.

gechr9y ago

A word of warning to those considering using this. While I completely understand why people might want to encrypt/decrypt files within their public Git repositories, doing so doesn't come for free.

As Junio C Hamano explains more eloquently and in greater depth here[1], one thing to bear in mind with this (and similar) tools is that they store the managed files as binary blobs, regardless of their original format, meaning that a change to the source file of even a single bit will result in an entirely different uncompressed blob being stored, rather than a compressible textual delta.

[1] http://article.gmane.org/gmane.comp.version-control.git/1132...

apetresc9y ago

While technically true, the type of data this extension is meant for (small configuration snippets containing sensitive credentials) are both small and rarely-changing. A couple extra bytes in the index won't be a very big deal.

runholm9y ago

Why would someone change a single bit in their key anyway? If keys are replaced, the new key should be generated independent from the old ones.

markcerqueira9y ago

I can imagine a great number of use cases involve encrypting an access key or password making this not a big issue, right?

nsaje9y ago

At Zemanta, we developed py-secretcrypt[0] and go-secretcrypt[1] for keeping secrets encrypted with Amazon KMS (Key Management Service) in our repos. They are then decrypted on the fly by the application.

Access control is managed through AWS KMS key policies, with EC2 instances running the applications having permissions to decrypt the secrets.

Blog post about this will follow soon.

[0] https://github.com/Zemanta/py-secretcrypt

[1] https://github.com/Zemanta/go-secretcrypt

tshadwell9y ago

See also: https://github.com/StackExchange/blackbox "blackbox by StackExchange"

ericfrederich9y ago

Hmm... adding access controls to Git? I'm not sure how I feel about this. I like how Git is low level and stays away from all of that stuff leaving it up to wrappers like GitLab, GitHub, Gerrit, etc.

When you remove someone from the list of users does it have to go and re-write history? Isn't that a big no-no in Git?

apetresc9y ago

I have nothing to do with this project, but I think the answer to your question is no - you don't have to re-write history. If the removed party had access to previous revisions signed with his key, they're already "compromised" as far as security is concerned. Whether or not you rewrite history, he already has it.

The re-encryption they're referring to is presumably just to protect future revisions (since you would ideally rotate all keys they had access to, git-secret or not, and publish new ones right away).

passive9y ago

If you need to do this, I would recommend looking at Transcrypt: https://github.com/elasticdog/transcrypt

beefsack9y ago

If all you have is a hammer, everything looks like a nail.

fibo9y ago

I am using keybase.io to store soft secrets like the coveralls.io token. Let me share my simple use case: http://g14n.info/2014/07/my-keybase-experience/

marcosnils9y ago

Some cross platform tool that we've developed for our company which has some nice features

https://github.com/franela/vault

miles_matthias9y ago

I've been using https://github.com/ahoward/sekrets in private repos for years. Great tool.

I definitely agree this should be used with heavy caution and only in private repos.

stouset9y ago

This should not even be used in private repos unless the only person who will ever access the repo is you.

seletskiy9y ago

Recently, I've wrote simple tool for storing secrets like passwords in public Git repos using AES cypher: https://github.com/seletskiy/carcosa/

j / k navigate · click thread line to collapse

70 comments

jedberg9y ago

This project scares me because it helps foster a bad practice -- keeping secrets in a repo. You really shouldn't be keeping secrets in the repo.

You should be using a secrets service that is designed for such a purpose, like Hashicorp's Vault[0], so that you never have to keep a secret in the code.

[0] https://github.com/hashicorp/vault

paulddraper9y ago

Storing secrets in a repository is not bad.

Storing secrets in a repository with non-secrets is bad, because access is pre-repo, and it would hurt your ability to limit secret access to the smallest possible audience.

jedberg9y ago

You are technically correct, the best kind of correct.

However, storing secrets in a git repo is still not as good as a purpose built store, because the access control on git is not fine grained enough.

1 more reply

jfroma9y ago

I configure my application roles to be able to decrypt with the master key and I restrict what ciphertext they can read from Dynamodb.

[0] https://github.com/fugue/credstash

Kinnard9y ago

Perhaps it's an alternative practice/behavior rather than a "bad" practice?

tptacek9y ago

Don't store encrypted secrets in git if you can avoid it.

8 more replies

xanderstrike9y ago

This is built on the assumption that you only ever have one set of secrets, or that you don't mind distributing your prod secrets to your engineers, both of which I would consider to be bad practice.

0xmohit9y ago

Another option worth considering may be Knox[0] by Pinterest.

> Knox is a service for storing and rotation of secrets, keys, and passwords used by other services.

[0] https://github.com/pinterest/knox

secfirstmd9y ago

On a sidenote: anyone know how Vault Project built this: it's very cool

https://www.vaultproject.io/#/demo/0

aeontech9y ago

Nice work!

I've been using https://github.com/AGWA/git-crypt until now, always good to have more alternatives.

Can you tell us what is different about your approach with this project?

ioquatix9y ago

I've started using git-crypt for deploying configuration. It keeps things simple and ensures that keys are not in plain text on bit-bucket which is basically good enough right now.

Confiks9y ago

Very specific to Ansible, but works fine. It's a shame only files containing variables (we're using group_vars) can be encrypted, and not arbitrary files or templates.

perlgeek9y ago

To be a bit pedantic, all .yml files can be encrypted with ansible-vault, so also playbooks and roles.

Deinumite9y ago

If you use show instead of edit it doesn't re-encrypt the file.

Agreed on the useless diffs however, it makes reviewing pull requests or changes much harder.

1 more reply

RRRA9y ago

Uhm, for me edit brings up vi, I then :q and the file's modification date didn't change?

rgj9y ago

More things about Ansible vault that are a shame:

- no file encryption, only YML

- no separate values, only entire file

- OMG it's s...l...o...w...

- password based instead of certs

- only one password

- password cannot even stored in an env var

More: http://jpmens.net/2014/02/22/my-thoughts-on-ansible-s-vault/

RRRA9y ago

A good trick I found was to have a file with your values assigned as vault_something and then in the clear version have the variable assigned as: something: "{{ vault_something }}"

But yeah, the "only one password" is the biggest pain for me...

jcassee9y ago

Actually, you can make the vault password file an executable shell script containing

echo "$ANSIBLE_VAULT_PASSWORD"

jlgaddis9y ago

re: your last bullet point, I put my password as the only thing in a text file, then point the environment variable to that. Same effect, although it is one (small) extra step.

cs7029y ago

https://github.com/rustyio/git-gpg

Other benefits include architectural simplicity and low footprint: it consists of a single Python script that you add to your executable path.

TheHippo9y ago

Similar project, that I personally use quite often: https://github.com/StackExchange/blackbox

YesThatTom29y ago

I'm glad that blackbox is gaining in popularity. Future directions for the project are listed here: https://github.com/StackExchange/blackbox/blob/master/Versio...

y0ghur7_xxx9y ago

If you have a github account the script could also get the pubkey directly from the github api...

¹http://superuser.com/questions/576506/how-to-use-ssh-rsa-pub...

bencord09y ago

SSH keys aren't really used for encryption. Typical ssh uses some kind of DH construct, with the ssh keypairs just used for authentication.

However, stackexchange is the right place to go if you want to use asymmetric secret storage in git.

https://github.com/stackexchange/blackbox

talaketu9y ago

See https://www.netmeister.org/blog/sharing-secrets-using-ssh-ke... and https://github.com/jschauma/jass

adamkochanowicz9y ago

I used to put .gpg files in my repos that stored sensitive information like database passwords and such.

perlgeek9y ago

> When someone is out - just delete his public key, reencrypt the files, and he won’t be able to decrypt secrets anymore.

stouset9y ago

Yes, they can still decrypt old versions.

Storing secret keys, API keys, etc. in your git repo is a terrible idea and an antipattern any way you slice it. Keep your secrets out of version control.

The quoted advice is extremely bad. If someone who has access to a secret of any importance leaves your team, the only acceptable response is to rotate the secret.

Tehnix9y ago

gechr9y ago

A word of warning to those considering using this. While I completely understand why people might want to encrypt/decrypt files within their public Git repositories, doing so doesn't come for free.

[1] http://article.gmane.org/gmane.comp.version-control.git/1132...

apetresc9y ago

runholm9y ago

Why would someone change a single bit in their key anyway? If keys are replaced, the new key should be generated independent from the old ones.

markcerqueira9y ago

I can imagine a great number of use cases involve encrypting an access key or password making this not a big issue, right?

nsaje9y ago

Access control is managed through AWS KMS key policies, with EC2 instances running the applications having permissions to decrypt the secrets.

Blog post about this will follow soon.

[0] https://github.com/Zemanta/py-secretcrypt

[1] https://github.com/Zemanta/go-secretcrypt

tshadwell9y ago

See also: https://github.com/StackExchange/blackbox "blackbox by StackExchange"

ericfrederich9y ago

Hmm... adding access controls to Git? I'm not sure how I feel about this. I like how Git is low level and stays away from all of that stuff leaving it up to wrappers like GitLab, GitHub, Gerrit, etc.

When you remove someone from the list of users does it have to go and re-write history? Isn't that a big no-no in Git?

apetresc9y ago

The re-encryption they're referring to is presumably just to protect future revisions (since you would ideally rotate all keys they had access to, git-secret or not, and publish new ones right away).

passive9y ago

If you need to do this, I would recommend looking at Transcrypt: https://github.com/elasticdog/transcrypt

beefsack9y ago

If all you have is a hammer, everything looks like a nail.

fibo9y ago

I am using keybase.io to store soft secrets like the coveralls.io token. Let me share my simple use case: http://g14n.info/2014/07/my-keybase-experience/

marcosnils9y ago

Some cross platform tool that we've developed for our company which has some nice features

https://github.com/franela/vault

miles_matthias9y ago

I've been using https://github.com/ahoward/sekrets in private repos for years. Great tool.

I definitely agree this should be used with heavy caution and only in private repos.

stouset9y ago

This should not even be used in private repos unless the only person who will ever access the repo is you.

seletskiy9y ago

Recently, I've wrote simple tool for storing secrets like passwords in public Git repos using AES cypher: https://github.com/seletskiy/carcosa/

j / k navigate · click thread line to collapse