git-secret - zsh-plugin to store your private data inside a git repository

zsh-users
 help / color / mirror / code / Atom feed

From: "Никита Соболев" <n.a.sobolev@gmail.com>
To: zsh-users@zsh.org
Subject: git-secret - zsh-plugin to store your private data inside a git repository
Date: Sun, 13 Mar 2016 18:48:43 +0300	[thread overview]
Message-ID: <CAO_bL1wpaxQ4+A9ScUSHFRPMCN0toD7z2hFe+mmrqqxyZ1J-3g@mail.gmail.com> (raw)

There’s a known problem in server configuration and deploying, when
you have to store your private data such as: database passwords,
application secret-keys, OAuth secret keys and so on, outside of the
git repository. Even if this repository is private, it is a security
risk to just publish them into the world wide web. What are the
drawbacks of storing them separately?

These files are not version controlled. Filenames change, locations
change, passwords change from time to time, some new information
appears, other is removed. And you can not tell for sure which version
of the configuration file was used with each commit.
When building the automated deployment system there will be one extra
step: download and place these secret-configuration files where they
need to be. So you have to maintain an extra secure server, where
everything is stored.
How does git-secret solve these problems?

git-secret encrypts files and stores them inside the git repository,
so you will have all the changes for every commit.
git-secret doesn’t require any other deploy operations rather than git
secret reveal, so it will automatically decrypt all the required
files.
What is git-secret?

git-secret is a bash tool to store your private data inside a git
repo. How’s that? Basically, it just encrypts, using gpg, the tracked
files with the public keys of all the users that you trust. So
everyone of them can decrypt these files using only their personal
secret key. Why deal with all this private-public keys stuff? Well, to
make it easier for everyone to manage access rights. There are no
passwords that change. When someone is out - just delete his public
key, reencrypt the files, and he won’t be able to decrypt secrets
anymore.

Find out more: https://sobolevn.github.io/git-secret/

next             reply	other threads:[~2016-03-13 15:48 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-13 15:48 Никита Соболев [this message]
2016-03-13 18:01 ` René Neumann
2016-03-13 19:39 ` Никита Соболев
2016-03-13 22:46   ` René Neumann
2016-03-14  7:25     ` Никита Соболев

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAO_bL1wpaxQ4+A9ScUSHFRPMCN0toD7z2hFe+mmrqqxyZ1J-3g@mail.gmail.com \
    --to=n.a.sobolev@gmail.com \
    --cc=zsh-users@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).