GIT-SECRET(7) - Linux man page online | Overview, conventions, and miscellany
GIT-SECRET(7) git-secret GIT-SECRET(7)
These steps cover the basic process of using git-secret:
1. Before starting, make sure you have created gpg RSA key-pair: public and secret key
identified by your email address.
2. Initialize git-secret repository by running git secret init command. .gitsecret/
folder will be created, note that .gitsecret/ folder should not be ignored
3. Add first user to the system by running git secret tell @gpg.email.
4. Now it´s time to add files you wish to encrypt inside the git-secret repository. It
can be done by running git secret add <filenames...> command. Make sure these files
are ignored, otherwise git-secret won´t allow you to add them, as these files will be
5. When done, run git secret hide all files, which you have added by git secret add com‐
mand will be encrypted with added public-keys by the git secret tell command. Now it
is safe to commit your changes. But. It´s recommended to add git secret hide command
to your pre-commit hook, so you won´t miss any changes.
6. Now decrypt files with git secret reveal command. It will ask you for your password.
And you´re done!
I want to add someone to the repository
1. Get his gpg public-key. You won´t need their secret key.
2. Import this key inside your gpg by running gpg --import KEY_NAME
3. Now add this person to the git-secret by running git secret tell @email.id
4. Reencypt the files, now they will be able to decrypt them with their secret key.
Note, that it is possible to add yourself to the system without decrypting existing files.
It will be possible to decrypt them after reencrypting them with the new keyring. So, if
you don´t want unexpected keys added, make sure to configure some server-side security
policy with the pre-receive hook.
You can configure several things to suit your workflow better. To do so, just set the
required variable to the value you need. This can be done in your shell environment file
or with the each git-secret command.
These settings are available to be changed:
· $SECRETS_GPG_COMMAND - sets the gpg alternatives, defaults to gpg. It can be changed
to gpg, gpg2, pgp, /usr/local/gpg or any other value. After doing so rerun tests to be
sure, that it won´t break anything. Tested to be working with: gpg, gpg2.
· $SECRETS_EXTENSION - sets the secret files extension, defaults to .secret. It can be
changed to any valid file extension.sobolevn March 2017 GIT-SECRET(7)