Our secret keys are saved in secrets.* files and encrypted with git-crypt.
A user who has not been added to the project will not be able to use the secrets from our project, so completing this step is mandatory before the tests can be run.
Reference: https://dev.to/heroku/how-to-manage-your-secrets-with-git-crypt-56ih
Check whether git-crypt is already installed:
- macOS/Linux (run from terminal):
git-crypt --version
- Windows (run from Git Bash or PowerShell):
git-crypt --version
If you already see git-crypt installed in the previous step, skip the installation below.
Install git-crypt on your system:
- macOS (with Homebrew)
brew install git-crypt
- Windows: download git-crypt.exe and place it here: C:\Program Files\Git\cmd\git-crypt.exe.
- Linux
sudo apt install git-crypt
- Manual installation
One time activity, to be done by the very first user of this project.
Note: if the project has already been git-crypted by another user, skip this section and go to the next section.
Below are the steps that need to be done only once for the project, by the very first user who sets up git-crypt in the project repository. Run the commands below to git-crypt the project.
Install git crypt if not already installed.
cd repo
git-crypt init
git-crypt export-key ./git-crypt-key-restpro
- Save this key in a central password manager, like 1password.
- Define which files to encrypt in the .gitattributes file. Ex:
secrets.conf filter=git-crypt diff=git-crypt
- Check before committing.
git-crypt status
- Ignore the key git-crypt-key-restpro from version control by adding it to the .gitignore file.
Ignore the git-crypt key (in a real production scenario). I am not ignoring it here since it's an open source project and anyone who wants to clone the project would need this key to work with it.
Ideally, if you were working in a company, this key would be preserved in a password manager such as 1password from where everyone could download this key and decrypt files.
- Push files to github
- Check that the files are encrypted on GitHub by clicking on any secrets file in GitHub and verifying that the text is not readable.
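The manual check above (open the file on GitHub and confirm it is unreadable) can be done before the push instead: git-crypt prefixes every encrypted blob with the fixed 10-byte header \0GITCRYPT\0, so the bytes git has staged for each secrets.* file can be tested for that header. This is an added example, not code from the original project; it assumes a POSIX sh with git, dd and od, and the file name check-secrets.sh and the --check flag are my own.

```shell
#!/bin/sh
# Added example, not code from the original project: fail when the staged
# copy of any secrets.* file is still plaintext, so it never reaches GitHub.
set -e

# git-crypt puts a fixed 10-byte header ("\0GITCRYPT\0") in front of the
# ciphertext; as hex that is 00 47 49 54 43 52 59 50 54 00.
GIT_CRYPT_MAGIC_HEX="00474954435259505400"

# is_git_crypt_ciphertext: succeed if stdin starts with the git-crypt header.
# dd bs=1 reads exactly 10 bytes even from a pipe; od turns them into hex.
is_git_crypt_ciphertext() {
    first10="$(dd bs=1 count=10 2>/dev/null | od -An -tx1 -v | tr -d ' \n')"
    [ "$first10" = "$GIT_CRYPT_MAGIC_HEX" ]
}

# check_committed_secrets [PATTERN]: for every tracked file matching PATTERN
# (default secrets.*), test the bytes git has staged. `git show :PATH` prints
# the index blob without running the smudge filter, so an unlocked working
# tree cannot hide a plaintext commit. Returns 1 if any copy is unencrypted.
# Paths are assumed to contain no whitespace.
check_committed_secrets() {
    rc=0
    for path in $(git ls-files -- "${1:-secrets.*}"); do
        if git show ":$path" | is_git_crypt_ciphertext; then
            echo "    encrypted: $path"
        else
            echo "NOT ENCRYPTED: $path (staged copy is plaintext)"
            rc=1
        fi
    done
    return $rc
}

# Run the repository check only when invoked as: sh check-secrets.sh --check
# (e.g. from a pre-push hook); sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    check_committed_secrets
fi
```

Run it after `git add` and before `git push`; a file that fails here is exactly the one that would show up readable on GitHub.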
One time activity, to be done by every new user of this project.
Now, once a user has initialized the project with git-crypt:
- Other new users can simply ask the first user for the key, or download it from a central password manager tool (recommended), such as 1password or any other password manager tool.
- They have to copy/paste this file into the root directory of their cloned project.
- Then run the below command (only one time) to see the decrypted files.
git-crypt unlock git-crypt-key-restpro
Refer to the information here to see how this was done.
NOTE: If you are making a copy of this project and pushing it to your own GitHub repository, remember to run the below command (from, say, a Git Bash terminal)
git-crypt export-key ./git-crypt-key-restpro && cat ./git-crypt-key-restpro | base64
to get the secret and add it to a GitHub secret named GIT_CRYPT_KEY. Since this is a demo project, the key is already present in the root of the repository and I do not mind exposing this secret for you below. In a real-life project, this will not be part of version control.
Pramod Yadav@DESKTOP-GPU5LFR MINGW64 ~/restpro (main)
$ git-crypt export-key ./git-crypt-key-restpro && cat ./git-crypt-key-restpro | base64
AEdJVENSWVBUS0VZAAAAAgAAAAAAAAABAAAABAAAAAAAAAADAAAAIODz1YHHA96CZubMzshhXpKh
SIuNpeEPbQmvIcBT8UTuAAAABQAAAEAfT0bYmgWbxK+RI/mKsJXtCq9Th77lSR0D1G/5WGfspccv
o/0VHDfAHi88Q6LmCL45TixGqFnLi5XmqzFwBjgdAAAAAA==