Brain Phrye

code cooking diy fiction personal photos politics reviews tools 


Secrets in git repos

One issue with infrastructure sorts of repositories is what to do with sensitive data. Keys, tokens and other secrets shouldn’t be committed to git repos, but they have to go somewhere.

In some cases you can put them in your CI/CD system and import them as variables. But that gets complicated quickly.

One way to address it is to use git crypt. It’s not a standard git extension, but it’s been around for a fair bit of time. For people you can encrypt the git crypt key with gpg keys. So different people can unlock and lock their repos. And on the CI/CD side you can get the key and send it in as a variable (you’ll need to encode it with something like base64).

It’s not perfect - some sort of secret storing service would likely be better - but it does secure the data a bit and isn’t all that hard to do. Though people really do resist using gpg/pgp.