Are you storing secrets such as database credentials, API keys, etc. unencrypted in Git repositories? Stop.
To protect your secrets, do not store them anywhere unencrypted, and especially not in Git repositories. Ideally, your
organization should have a vault solution where secrets can be stored and securely shared with people on a
need-to-know basis. In many small organizations, such a central secrets management solution is still a luxury, so
the need to store secret information in Git repositories is obvious. There are a few ways in which you can
encrypt those secrets. We discussed using Ansible Vault in one of the previous posts.
In this post, we will discuss a technique to secure secrets in Git repositories using a tool called age.
Install Age
On Debian and Ubuntu:
sudo apt install age
On Fedora:
sudo dnf install age
Generate A Key Pair
age-keygen -o key.txt
This will output something like:
Public key: age1fy42vpq9uh4r7st8px0cjh5tps0vy3ks9rak7tsxcfsn4tszdujs7f2295
The command also creates the file key.txt, which holds the matching private key (identity). Take a backup of this key; you will need it to decrypt secrets later, and it must never be committed to the repository.
Create a sample INI config file called my-config.ini.
This is an INI file which contains the database password. The file is a simple unencrypted text file.
Encrypt The File Using Age
age -r age1fy42vpq9uh4r7st8px0cjh5tps0vy3ks9rak7tsxcfsn4tszdujs7f2295 my-config.ini > my-config-encrypted.ini
The command writes the encrypted output to my-config-encrypted.ini. Inspect the contents of the encrypted file: the first line is the age header and the rest is ciphertext, so the password is no longer readable.
Decrypt The File Using Age
age --decrypt -i key.txt my-config-encrypted.ini > my-config-unencrypted.ini
Inspect the contents of the file my-config-unencrypted.ini. You should see the original file contents.
In the Git repository, never commit and push the unencrypted file. First encrypt the file using age, then commit and push only the encrypted file. In your .gitignore, add the paths of the unencrypted files that contain secrets (and the path of key.txt, if it lives anywhere near the repository) so that they cannot be staged by accident.