Store private data inside a git repository.

git-private

git-private lets you store private data inside a git repo. A common use case is protecting files containing API keys etc.

git-private encrypts your private files and keeps track of a list of public keys for users that should have access to these files. The complete state (encrypted files and public keys) is kept directly in the git repo; there are no external dependencies.

Encryption is provided by age, using either age or ssh key pairs.

git-private is a single binary tool, for easy installation and dependency tracking.

Getting started

  • Install git-private
  • In your repo, run git private init
  • Add the key of the first user (most likely you): git private keys add -keyfile ~/.ssh/id_rsa -pubfile ~/.ssh/id_rsa.pub
  • Add your private file: git private add apikeys.json
  • Hide (encrypt) the added file: git private hide -keyfile ~/.ssh/id_rsa

Now, commit your changes. In this example, the changed files are:

  • .gitprivate/*
  • .gitignore
  • apikeys.json.private

Note that:

  • the keyfile is used to identify you while the pubfile is the public key being added
    • when the first key is added, the keyfile and pubfile belong to the same pair
  • the original file, apikeys.json, is added to .gitignore automatically and is not committed
  • the git-private state lives in .gitprivate/
  • the hide command encrypts all files tracked by git-private
  • a user's private key should never be added to the git repo!

Private key configuration

To avoid having to specify the private key file on the command line, use one of these environment variables instead:

  • GIT_PRIVATE_KEY="private key data"
  • GIT_PRIVATE_KEYFILE="path to private key file"

Hiding files

Use the add and remove commands to update the list of files that should be tracked by git-private. Then use the hide command to encrypt these files.

Hiding encrypts tracked files using the current public key list.

By default, the original files are kept in place. Use the -clean flag to remove them after encryption.

Example:

$ git private hide -keyfile ~/secret.age -clean

Revealing hidden files

Use the reveal command to decrypt files. This is needed after cloning a repo or when pulling changes to private files or keys. If you don't want to reveal all files, you can specify a list of files to reveal.

Managing keys

The keys command is used to list, add, remove or generate keys.

Note that, except for the first key added, you need to be in the git-private key list to be able to access the key list. Keys added as read-only can only be used to reveal files, which does not require access to the key list.

age keys

git-private supports age keys as produced by the age-keygen tool.

Since age keys do not carry an ID, and git-private uses IDs to reference keys, the ID has to be provided with the -id flag when adding the key.

age keys can also be generated with the keys generate command. The tool prompts for a passphrase, which is used to protect the generated private key. If no passphrase is entered, the private key is stored in clear text, just like age-keygen does.

Do not keep keys in the repo!

ssh keys

To simplify adoption of the tool, you can use existing ssh keys with git-private.

Note that ssh-agent is not supported. Passphrases need to be entered on each encryption operation.

Checking status

In general, the tool refuses to overwrite existing files unless the force flag is given. The tool keeps a hash of the last hidden version of each file and uses that hash to check whether the currently revealed files differ from it.

Use the status command to check the status of files tracked by git-private.

The status command exits with code 0 (success) if all tracked files are in sync.
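The notes under Getting started say the plaintext original is only git-ignored and that a private key must never end up in the repo, and the status command above is designed to be scripted against its exit code. The following pre-commit hook is an added example, not part of git-private: it refuses to commit a plaintext file whose `.private` twin is tracked (a `git add -f` bypasses .gitignore), refuses to commit anything that contains an age or PEM/OpenSSH private key, and, when git-private is installed, refuses to commit while `git private status` reports tracked files out of sync. The `--hook` entry point, the helper names and the sample inputs are this example's own; the only git-private facts it relies on are the `original.private` naming and the status exit code.

```shell
#!/bin/sh
# Pre-commit guard for repos using git-private. Added example, not part of
# git-private. Install with:  printf 'exec /path/to/guard.sh --hook\n' > .git/hooks/pre-commit
# Assumptions: git-private stores "original" as "original.private" and
# "git private status" exits non-zero when tracked files are out of sync.

# find_plaintext_leaks STAGED KNOWN
#   STAGED: file listing staged paths, one per line (git diff --cached --name-only)
#   KNOWN:  file listing repo paths, one per line (git ls-files plus STAGED)
# Prints each staged plaintext path whose ".private" twin is known; returns 1 if any.
find_plaintext_leaks() {
    staged=$1
    known=$2
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in *.private) continue ;; esac   # the ciphertext itself is fine
        if grep -qxF -- "$path.private" "$known"; then
            printf 'refusing to commit plaintext %s: %s.private is tracked\n' "$path" "$path"
            found=1
        fi
    done < "$staged"
    return "$found"
}

# find_committed_keys STAGED
#   Scans the content of each staged file for private key material: the
#   "AGE-SECRET-KEY-1" prefix that age-keygen emits, or a PEM/OpenSSH
#   "-----BEGIN ... PRIVATE KEY-----" header. Returns 1 if any is found.
find_committed_keys() {
    staged=$1
    found=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        if grep -qE -- '^AGE-SECRET-KEY-1|^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$path"; then
            printf 'refusing to commit %s: it contains a private key\n' "$path"
            found=1
        fi
    done < "$staged"
    return "$found"
}

# Hook entry point. git runs pre-commit hooks from the repository root, so the
# paths from "git diff --cached" resolve as-is.
if [ "${1:-}" = "--hook" ]; then
    tmpd=$(mktemp -d) || exit 1
    git diff --cached --name-only --diff-filter=AM > "$tmpd/staged"
    { git ls-files; cat "$tmpd/staged"; } | sort -u > "$tmpd/known"
    rc=0
    find_plaintext_leaks "$tmpd/staged" "$tmpd/known" || rc=1
    find_committed_keys "$tmpd/staged" || rc=1
    rm -rf "$tmpd"
    [ "$rc" -eq 0 ] || exit 1
    # Refuse to commit edits to a private file that have not been hidden yet.
    if command -v git-private >/dev/null 2>&1; then
        git private status || exit 1
    fi
fi
```

The two checks are kept as functions that read path lists from files so they can be exercised without a git checkout; the hook entry point is the only part that shells out to git. Because the content scan only looks at staged files, an encrypted `.private` file (whose body is age ciphertext, not a key) passes, while a forgotten CI key file or an `id_rsa` copied into the tree is caught before it reaches history.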

Installation

Get pre-built binaries from github, or install using your local go toolchain:

$ go get github.com/erkkah/git-private

CI/CD integration

To use git-private in automated build flows, create a keypair without passphrase using git private keys generate. Then add the public key to the key list with read-only access (git private keys add -readonly...).

Use the secure variables storage feature of your CI/CD system to store the private key, and make sure git-private can read the key from the GIT_PRIVATE_KEY environment variable.

Now use the reveal command to reveal all files needed for the build.

Inspiration

This project is highly inspired by git-secret, and attempts to provide the same functionality without dependencies on PGP and lots of shell scripting.

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

Storage structure

All metadata lives in .gitprivate, file info in files.json and key info in keys.dat. Encrypted files are stored next to the original files as original.private.
