Introduction
When working with Git for version control, it’s common to encounter the need to store sensitive information such as API keys, passwords, and certificates. Protecting this data is crucial, as exposure can lead to security vulnerabilities and exploitation. A widely adopted method to secure such information is to use GNU Privacy Guard (GPG) encryption. In this tutorial, we will walk through the process of encrypting sensitive files in a Git repository using GPG.
Understanding GPG Encryption
GPG, also known as GnuPG, is a complete and free implementation of the OpenPGP standard. It allows you to encrypt and sign your data and communications. The encryption process involves creating a pair of keys – a public key, which you can safely share with others, and a private key, which you must keep secure.
Setting Up GPG
Before using GPG to encrypt files, make sure GPG is installed on your system and that you have generated a key pair. You can check whether GPG is installed by typing the following command in your terminal:
$ gpg --version
If GPG is not installed, you can easily install it on most systems using a package manager. For example:
# On Ubuntu/Debian
$ sudo apt-get install gnupg
# On macOS
$ brew install gnupg
Once installed, generate a new GPG key pair with:
$ gpg --full-generate-key
Follow the on-screen prompts to set the key size, expiry, and details for your key pair. After the process, list your generated keys:
$ gpg --list-secret-keys --keyid-format LONG
Note the ID of the key you just generated, as it will be used in the next steps.
Encrypting Files with GPG
To encrypt a single file using GPG, execute:
$ gpg -r [RECIPIENT_ID] --encrypt [FILE]
Replace [RECIPIENT_ID] with the ID of your GPG key (the -r option names the recipient whose public key the file is encrypted to) and [FILE] with the file you wish to encrypt. The output is an encrypted file with the .gpg extension.
Automating Encryption in Git
To avoid encrypting and decrypting files by hand, you can automate the process with the git-crypt tool. First, install git-crypt:
# On Ubuntu/Debian
$ sudo apt-get install git-crypt
# On macOS
$ brew install git-crypt
Initialize git-crypt within your Git repository:
$ git-crypt init
Then, create a .gitattributes file in the root of your repository specifying the paths of files to encrypt:
*.secret filter=git-crypt diff=git-crypt
secrets/**/*.key filter=git-crypt diff=git-crypt
Commit the .gitattributes file; from this point on, files matching the patterns will be automatically encrypted when committed.
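Two things are easy to get wrong here: the patterns only take effect in a clone where the git-crypt filter is configured (git-crypt init or unlock writes the filter into the repository's local Git config, and without it Git simply commits the file as-is), and adding a pattern never re-encrypts files that were committed earlier. Inside a working copy, git-crypt status reports which matching files are stored in clear. The Python script below is an added example written for this tutorial, not part of git-crypt, for running the same check where git-crypt is not installed (for example on a CI runner): it reads the filter=git-crypt patterns from .gitattributes, applies gitattributes glob rules (a bare * never crosses a /, **/ spans any number of directories, and a pattern without a slash matches the file name at any depth), and flags any matching blob that does not begin with the 10-byte header \0GITCRYPT\0 that git-crypt writes in front of every encrypted file. The repository snapshot is constructed inline; a real run would build the dictionary from git ls-files and git show HEAD:<path>.

```python
import re
from typing import Dict, List

# Header git-crypt writes at the start of every encrypted blob (10 bytes).
GIT_CRYPT_MAGIC = b"\x00GITCRYPT\x00"


def parse_gitattributes(text: str) -> List[str]:
    """Return the path patterns in .gitattributes that carry filter=git-crypt."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        if "filter=git-crypt" in attrs:
            patterns.append(pattern)
    return patterns


def _glob_to_regex(pattern: str):
    """Translate a gitattributes pattern into a regex over repo-relative paths."""
    # A pattern containing a slash (other than a trailing one) is anchored to
    # the repository root; one without a slash matches the basename anywhere.
    anchored = "/" in pattern.rstrip("/")
    pattern = pattern.lstrip("/")
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out += "/.*"            # trailing /** matches everything below the directory
            i += 3
        elif pattern.startswith("**/", i):
            out += "(?:.*/)?"       # zero or more directories
            i += 3
        elif pattern[i] == "*":
            out += "[^/]*"          # a single * never crosses a directory boundary
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    prefix = "^" if anchored else "(?:^|.*/)"
    return re.compile(prefix + out + "$")


def path_matches(pattern: str, path: str) -> bool:
    return _glob_to_regex(pattern).match(path) is not None


def is_git_crypt_blob(data: bytes) -> bool:
    return data.startswith(GIT_CRYPT_MAGIC)


def find_plaintext_secrets(attrs_text: str, blobs: Dict[str, bytes]) -> List[str]:
    """Paths that .gitattributes says must be encrypted but that are stored in clear."""
    patterns = parse_gitattributes(attrs_text)
    offenders = [
        path for path, data in blobs.items()
        if any(path_matches(p, path) for p in patterns) and not is_git_crypt_blob(data)
    ]
    return sorted(offenders)


# Constructed sample: the tutorial's .gitattributes plus a fake tree of committed blobs.
SAMPLE_GITATTRIBUTES = """\
*.secret filter=git-crypt diff=git-crypt
secrets/**/*.key filter=git-crypt diff=git-crypt
"""
SAMPLE_BLOBS = {
    "README.md": b"# demo project\n",
    "db.secret": GIT_CRYPT_MAGIC + b"\x01" * 12 + b"\xde\xad",        # encrypted
    "config/api.secret": b"API_KEY=constructed-placeholder\n",        # committed in clear
    "secrets/prod/tls.key": GIT_CRYPT_MAGIC + b"\x02" * 12 + b"\xbe\xef",
    "secrets/staging/tls.key": b"-----BEGIN PRIVATE KEY-----\n",     # committed in clear
    "notes/secrets/old.key": b"not covered: the secrets/ pattern is anchored to the root",
}

if __name__ == "__main__":
    bad = find_plaintext_secrets(SAMPLE_GITATTRIBUTES, SAMPLE_BLOBS)
    for path in bad:
        print(f"plaintext secret committed: {path}")
    raise SystemExit(1 if bad else 0)
```

Run on the constructed snapshot it reports config/api.secret and secrets/staging/tls.key and exits non-zero, which is the behaviour you want from a pre-receive hook or CI job; notes/secrets/old.key is not flagged because the secrets/**/*.key pattern is anchored to the repository root, exactly as Git interprets it.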
Collaboration with Encrypted Files
To share encrypted files with collaborators, grant them access by authorizing their GPG keys:
$ git-crypt add-gpg-user --trusted [USER_ID]
After a user has been added by their GPG user ID, they can decrypt the content by cloning the repository and executing:
$ git-crypt unlock
The user now has access to the decrypted content of the files.
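The --trusted flag tells git-crypt to accept the key without consulting GPG's web of trust, so the security of the whole repository rests on having selected the right key. A sound habit is to confirm the collaborator's full fingerprint over a separate channel and pass that fingerprint, rather than a name or e-mail address, as [USER_ID]: gpg resolves a full fingerprint like any other user ID, and unlike a name it cannot match a look-alike key. The Python below is an added example, not part of git-crypt or GnuPG: it parses the machine-readable output of gpg --list-keys --with-colons --fingerprint (record type in the first field, fingerprint or user ID in the tenth), shows that a name alone is ambiguous when two keys carry the same user ID, and builds the add-gpg-user command only for a key whose primary fingerprint equals the out-of-band value. The keyring listing, key IDs and fingerprints are constructed placeholders.

```python
from typing import Dict, List, Optional

# Constructed listing in gpg's colon format: two keys claim the same user ID,
# only one of them is the collaborator's real key. All hex values are placeholders.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:
pub:-:4096:1:1122334455667788:1700000001:::-:::scESC::::::23::0:
fpr:::::::::CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333:
uid:-::::1700000001::1111111111111111111111111111111111111111::Alice Example <alice@example.invalid>::::::::::0:
"""

# Value the collaborator read out over a separate channel (constructed placeholder).
CONFIRMED_FINGERPRINT = "AAAA 1111 AAAA 1111 AAAA  1111 AAAA 1111 AAAA 1111"


def parse_colon_listing(listing: str) -> Dict[str, List[str]]:
    """Map each primary-key fingerprint to the user IDs attached to that key.

    Only the first 'fpr' record after a 'pub' record is the primary key;
    'fpr' records that follow a 'sub' record belong to subkeys and are skipped.
    """
    keys: Dict[str, List[str]] = {}
    current: Optional[str] = None
    want_primary_fpr = False
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            want_primary_fpr, current = True, None
        elif rtype == "fpr" and want_primary_fpr:
            current = fields[9].upper()
            keys[current] = []
            want_primary_fpr = False
        elif rtype == "sub":
            want_primary_fpr = False
        elif rtype == "uid" and current is not None:
            keys[current].append(fields[9])
    return keys


def normalize_fingerprint(fpr: str) -> str:
    """Drop the spaces gpg prints for readability and upper-case the hex digits."""
    return "".join(fpr.split()).upper()


def keys_for_user_id(listing: str, user_id: str) -> List[str]:
    """Fingerprints of every key carrying the given user ID; more than one means ambiguity."""
    return [fpr for fpr, uids in parse_colon_listing(listing).items() if user_id in uids]


def select_key(listing: str, confirmed_fpr: str) -> Optional[str]:
    """The fingerprint to authorize, or None if it is not in the local keyring."""
    wanted = normalize_fingerprint(confirmed_fpr)
    return wanted if wanted in parse_colon_listing(listing) else None


def add_gpg_user_command(fingerprint: str) -> List[str]:
    """argv for git-crypt, naming the key by fingerprint instead of by name."""
    return ["git-crypt", "add-gpg-user", "--trusted", fingerprint]


if __name__ == "__main__":
    uid = "Alice Example <alice@example.invalid>"
    print("keys claiming", uid, "->", keys_for_user_id(SAMPLE_LISTING, uid))
    chosen = select_key(SAMPLE_LISTING, CONFIRMED_FINGERPRINT)
    if chosen is None:
        raise SystemExit("confirmed fingerprint is not in the keyring; import it first")
    print(" ".join(add_gpg_user_command(chosen)))
```

The point of selecting by primary fingerprint is that the subkey fingerprint (the second fpr record) and a second key with an identical name are both rejected; only the value that was confirmed out of band is handed to git-crypt.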
Conclusion
Encrypting sensitive data in Git repositories using GPG is an effective way to maintain security while enabling controlled access among team members. By following the practices outlined in this tutorial, you can ensure that sensitive information such as API keys, passwords, and certificates is secured in your version-controlled projects.