How to encrypt sensitive files in Git with GPG (API keys, passwords, etc.)

Updated: January 27, 2024 By: Guest Contributor

Introduction

When working with Git for version control, it’s common to encounter the need to store sensitive information such as API keys, passwords, and certificates. Protecting this data is crucial, as exposure can lead to security vulnerabilities and exploitation. A widely adopted method to secure such information is to use GNU Privacy Guard (GPG) encryption. In this tutorial, we will walk through the process of encrypting sensitive files in a Git repository using GPG.

Understanding GPG Encryption

GPG, also known as GnuPG, is a complete and free implementation of the OpenPGP standard. It allows you to encrypt and sign your data and communications. The encryption process involves creating a pair of keys – a public key, which you can safely share with others, and a private key, which you must keep secure.

Setting Up GPG

Before using GPG to encrypt files, make sure GPG is installed on your system and that you have generated a key pair. You can check whether GPG is installed by typing the following command in your terminal:

$ gpg --version

If GPG is not installed, you can easily install it on most systems using a package manager. For example:

# On Ubuntu/Debian
$ sudo apt-get install gnupg

# On MacOS
$ brew install gnupg

Once installed, generate a new GPG key pair with:

$ gpg --full-generate-key

Follow the on-screen prompts to set the key size, expiry, and details for your key pair. After the process, list your generated keys:

$ gpg --list-secret-keys --keyid-format LONG

Note the ID of the key you just generated as it will be used in the next steps.

Encrypting Files with GPG

To encrypt a single file using GPG, execute:

$ gpg -r [RECIPIENT_ID] --encrypt [FILE]

Replace [RECIPIENT_ID] with the ID of your GPG key and [FILE] with the file you wish to encrypt. The output will be an encrypted file with the .gpg extension.

Automating Encryption in Git

To avoid encrypting and decrypting files by hand, we can automate the process with the git-crypt tool, which encrypts matching files transparently when they are committed and decrypts them on checkout. First, install git-crypt:

# On Ubuntu/Debian
$ sudo apt-get install git-crypt

# On MacOS
$ brew install git-crypt

Initialize git-crypt within your Git repository:

$ git-crypt init

Then, create a .gitattributes file in the root of your repository specifying the paths of files to encrypt:

*.secret filter=git-crypt diff=git-crypt
secrets/**/*.key filter=git-crypt diff=git-crypt

Commit the .gitattributes file, and from this point on, files matching the patterns will be automatically encrypted when committed.
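A practitioner will want to confirm that the files named in .gitattributes really are stored encrypted before the repository is pushed. The following check is an added example, not code from the tutorial or from git-crypt itself; it relies on the gitattributes pattern rules and on the magic header git-crypt writes at the start of every encrypted blob, and the sample blobs and attribute lines are constructed for illustration.

```python
"""Report files that .gitattributes assigns to git-crypt but that are
committed in plaintext (e.g. files added before the attributes existed)."""
import os
import re
import subprocess

# git-crypt prefixes every encrypted blob with this 10-byte magic header
# (a nonce and the ciphertext follow it).
GIT_CRYPT_MAGIC = b"\x00GITCRYPT\x00"


def parse_gitattributes(text):
    """Return the patterns whose attributes include filter=git-crypt."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        if "filter=git-crypt" in attrs:
            patterns.append(pattern)
    return patterns


def _glob_to_regex(pattern):
    """Translate a gitattributes glob into a regex ('**/' spans directories)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def matches(pattern, path):
    """No slash in the pattern: match the basename at any depth.
    Otherwise the pattern is anchored to the repository root."""
    target = path if "/" in pattern else os.path.basename(path)
    return bool(_glob_to_regex(pattern).match(target))


def is_git_crypt_blob(data):
    return data.startswith(GIT_CRYPT_MAGIC)


def unencrypted_secrets(attributes_text, blobs):
    """blobs maps path -> bytes as stored in git; returns plaintext leaks."""
    patterns = parse_gitattributes(attributes_text)
    return sorted(p for p, data in blobs.items()
                  if any(matches(pat, p) for pat in patterns)
                  and not is_git_crypt_blob(data))


def head_blobs(repo="."):
    """Read each tracked file as stored in HEAD (smudge filter NOT applied)."""
    out = subprocess.check_output(["git", "-C", repo, "ls-files", "-z"])
    return {p: subprocess.check_output(["git", "-C", repo, "cat-file", "blob", "HEAD:" + p])
            for p in out.decode().split("\0") if p}
```

Run it inside the repository as `unencrypted_secrets(open(".gitattributes").read(), head_blobs())`; any path it returns is a secret that reached history in the clear and must be treated as compromised, not merely re-encrypted.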

Collaboration with Encrypted Files

Sharing encrypted files with collaborators means granting each of them access to the encrypted content. This is done by authorizing their GPG public keys:

$ git-crypt add-gpg-user --trusted [USER_ID]

After adding a user with their GPG user ID, they can decrypt the content by cloning the repository and executing:

$ git-crypt unlock

The user will now have access to the decrypted content of the files.

Conclusion

Encrypting sensitive data in Git repositories using GPG is an effective way to maintain security while enabling controlled access among team members. By following the practices outlined in this tutorial, you can ensure that sensitive information such as API keys, passwords, and certificates is secured in your version-controlled projects.