git-secret - zsh-plugin to store your private data inside a git repository

git-secret - zsh-plugin to store your private data inside a git repository

[Никита Соболев]

There’s a known problem in server configuration and deploying, when
you have to store your private data such as: database passwords,
application secret-keys, OAuth secret keys and so on, outside of the
git repository. Even if this repository is private, it is a security
risk to just publish them into the world wide web. What are the
drawbacks of storing them separately?

These files are not version controlled. Filenames change, locations
change, passwords change from time to time, some new information
appears, other is removed. And you can not tell for sure which version
of the configuration file was used with each commit.
When building the automated deployment system there will be one extra
step: download and place these secret-configuration files where they
need to be. So you have to maintain an extra secure server, where
everything is stored.
How does git-secret solve these problems?

git-secret encrypts files and stores them inside the git repository,
so you will have all the changes for every commit.
git-secret doesn’t require any other deploy operations rather than git
secret reveal, so it will automatically decrypt all the required
files.
What is git-secret?

git-secret is a bash tool to store your private data inside a git
repo. How’s that? Basically, it just encrypts, using gpg, the tracked
files with the public keys of all the users that you trust. So
everyone of them can decrypt these files using only their personal
secret key. Why deal with all this private-public keys stuff? Well, to
make it easier for everyone to manage access rights. There are no
passwords that change. When someone is out - just delete his public
key, reencrypt the files, and he won’t be able to decrypt secrets
anymore.

Find out more: https://sobolevn.github.io/git-secret/

Re: git-secret - zsh-plugin to store your private data inside a git repository

[René Neumann]

Hi Nikita,

this sounds like a nice tool. What are the differences to similar tools
like pass (https://www.passwordstore.org/) and/or ctmg (
https://git.zx2c4.com/ctmg/about/ ) ?

- René

P.S.: I must admit, your tool has by far the coolest subcommand names :D

Re: git-secret - zsh-plugin to store your private data inside a git repository

[Никита Соболев]

I had a hard time figuring out how to send a reply to the mailing
list. So, I hope I will post it to the same thread.

René, thanks for your interest. It is not quite the same as the tools
you have listed. It's more like blackbox
(https://github.com/StackExchange/blackbox). You can even find it in
the 'Alternatives' section.

There several advantages in usability, while following the same
encryption algorithm.

In other words, git-secret does not store passwords or anything, but
it helps to organize and control any sensitive data inside a git-repo
to be accessible by the whole dev-team.

2016-03-13 18:48 GMT+03:00 Никита Соболев <n.a.sobolev@gmail.com>:
> There’s a known problem in server configuration and deploying, when
> you have to store your private data such as: database passwords,
> application secret-keys, OAuth secret keys and so on, outside of the
> git repository. Even if this repository is private, it is a security
> risk to just publish them into the world wide web. What are the
> drawbacks of storing them separately?
>
> These files are not version controlled. Filenames change, locations
> change, passwords change from time to time, some new information
> appears, other is removed. And you can not tell for sure which version
> of the configuration file was used with each commit.
> When building the automated deployment system there will be one extra
> step: download and place these secret-configuration files where they
> need to be. So you have to maintain an extra secure server, where
> everything is stored.
> How does git-secret solve these problems?
>
> git-secret encrypts files and stores them inside the git repository,
> so you will have all the changes for every commit.
> git-secret doesn’t require any other deploy operations rather than git
> secret reveal, so it will automatically decrypt all the required
> files.
> What is git-secret?
>
> git-secret is a bash tool to store your private data inside a git
> repo. How’s that? Basically, it just encrypts, using gpg, the tracked
> files with the public keys of all the users that you trust. So
> everyone of them can decrypt these files using only their personal
> secret key. Why deal with all this private-public keys stuff? Well, to
> make it easier for everyone to manage access rights. There are no
> passwords that change. When someone is out - just delete his public
> key, reencrypt the files, and he won’t be able to decrypt secrets
> anymore.
>
> Find out more: https://sobolevn.github.io/git-secret/

Re: git-secret - zsh-plugin to store your private data inside a git repository

[René Neumann]

Am 13.03.2016 um 20:39 schrieb Никита Соболев:
> I had a hard time figuring out how to send a reply to the mailing
> list. So, I hope I will post it to the same thread.
> 
> René, thanks for your interest. It is not quite the same as the tools
> you have listed. It's more like blackbox
> (https://github.com/StackExchange/blackbox). You can even find it in
> the 'Alternatives' section.
> 
> There several advantages in usability, while following the same
> encryption algorithm.
> 
> In other words, git-secret does not store passwords or anything, but
> it helps to organize and control any sensitive data inside a git-repo
> to be accessible by the whole dev-team.

Could you still elaborate on the differences? Because pass, for
instance, while being primarily aimed at storing passwords, in the end
"all it does" is encrypting text-files via GPG and storing them in git.
Whether you put actual passwords in it or private keys to ssl
certificates or what ever is entirely up to the user.

So, as I'm already using pass, what extra advantages does your tool
offer? (That's an honest question...)

Also: In what form is this related to zsh?

- René

Re: git-secret - zsh-plugin to store your private data inside a git repository

[Никита Соболев]

I guess 'pass' was made for a single user. But 'git-secret' was made
for multiple people. So you can invite someone to share your encrypted
files and easily remove them. Also, I have noticed that 'pass' stores
the encrypted files in the separate repository. Well, that's an
arguable way to go. It has some benefits like: code-repository and
pass-repository may have different access rights, different people
involved. But there's a lack in consistency when you have two separate
repositories.

And about the zsh part: it is made to be a compatible with zsh. You
can install it via antigen.

2016-03-14 1:46 GMT+03:00 René Neumann <lists@necoro.eu>:
> Am 13.03.2016 um 20:39 schrieb Никита Соболев:
>> I had a hard time figuring out how to send a reply to the mailing
>> list. So, I hope I will post it to the same thread.
>>
>> René, thanks for your interest. It is not quite the same as the tools
>> you have listed. It's more like blackbox
>> (https://github.com/StackExchange/blackbox). You can even find it in
>> the 'Alternatives' section.
>>
>> There several advantages in usability, while following the same
>> encryption algorithm.
>>
>> In other words, git-secret does not store passwords or anything, but
>> it helps to organize and control any sensitive data inside a git-repo
>> to be accessible by the whole dev-team.
>
> Could you still elaborate on the differences? Because pass, for
> instance, while being primarily aimed at storing passwords, in the end
> "all it does" is encrypting text-files via GPG and storing them in git.
> Whether you put actual passwords in it or private keys to ssl
> certificates or what ever is entirely up to the user.
>
> So, as I'm already using pass, what extra advantages does your tool
> offer? (That's an honest question...)
>
> Also: In what form is this related to zsh?
>
> - René