"Can you send me the latest .env files?"
.gitattributes
.env filter=git-crypt diff=git-crypt
sensitive.json filter=git-crypt diff=git-crypt
node_modules
...
.env
sensitive.json
node_modules
...
.gitignore
brew install gpg git-crypt
# Key found in Skreppa
gpg --import passbolt_private.asc
gpg --import colleage-pubkey.asc
gpg --edit-key colleage@askeladden.co
gpg> trust
gpg> [choose level 5: ultimate trust]
gpg> quit
> git checkout -b feat/git-crypt
> git-crypt init
> git-crypt add-gpg-user me@askeladden.co
> git-crypt add-gpg-user petter@askeladden.co
> git-crypt add-gpg-user ...
# Add the following to .gitattributes
packages/web/.env filter=git-crypt diff=git-crypt
packages/api/.env filter=git-crypt diff=git-crypt
> git add .gitattributes
> git commit -m 'Encrypt sensitive files'
# Remove file (.env) from .gitignore
> git add .env
> git commit -m 'Add encrypted files'
> git push --set-upstream origin feat/git-crypt
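A path that matches no .gitattributes pattern is committed as plaintext without any warning, so it is worth checking what was actually staged before pushing. The script below is an added example, not part of the original page: it lists tracked files that are marked filter=git-crypt but whose staged content lacks the \0GITCRYPT\0 header git-crypt writes at the start of each encrypted file. It assumes it is run from the repository root; the function names, the CHECK_NOW variable and the script name are made up for this example.

```sh
#!/bin/sh
# Added example: list staged files that should be git-crypt encrypted but are not.
# Assumption: run from the repository root. Names below are illustrative.

# Hex of the 10-byte header "\0GITCRYPT\0" that starts every git-crypt blob.
GITCRYPT_MAGIC_HEX=00474954435259505400

# Succeeds when the data on stdin begins with the git-crypt header.
is_gitcrypt_blob() {
    hdr=$(head -c 10 | od -An -tx1 | tr -d '[:space:]')
    [ "$hdr" = "$GITCRYPT_MAGIC_HEX" ]
}

# Prints every tracked path whose "filter" attribute is git-crypt but whose
# staged content (index entry ":path") is still plaintext.
list_plaintext_secrets() {
    git ls-files | while IFS= read -r path; do
        case "$(git check-attr filter -- "$path")" in
            *": filter: git-crypt") ;;   # marked for encryption: inspect it
            *) continue ;;               # not a git-crypt path
        esac
        git cat-file blob ":$path" | is_gitcrypt_blob || printf '%s\n' "$path"
    done
}

# Run the check only on request:  CHECK_NOW=1 sh check-git-crypt.sh
if [ "${CHECK_NOW:-}" = 1 ]; then
    leaked=$(list_plaintext_secrets)
    if [ -n "$leaked" ]; then
        printf 'Staged WITHOUT encryption:\n%s\n' "$leaked" >&2
        exit 1
    fi
    echo "All git-crypt paths are encrypted in the index."
fi
```

git-crypt's own `git-crypt status` command reports the same condition and can be used instead where git-crypt is installed.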
Build may try to use .env and fail
Since the .env file now exists in the repo (encrypted), CI may try to load it and fail when making a production build.
Solution:
- Add and encrypt .env.example instead.
- Add to README.md:
ln -s .env.example .env
Unsure who has access? Check with this line:
# Each file in .git-crypt/keys/default/0/ is named <key fingerprint>.gpg
for key in .git-crypt/keys/default/0/*; do gpg -k "$(basename "$key" .gpg)"; done
pub rsa2048 2020-09-17 [SC]
uid [ultimate] Tomas Fagerbekk (Passbolt) <tomas@askeladden.co>
sub rsa2048 2020-09-17 [E]
pub rsa2048 2020-12-01 [SC]
uid [ultimate] Colleage Colleagson <colleage@askeladden.co>
sub rsa2048 2020-12-01 [E]
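Should someone no longer have access?
...You must remove and re-add git-crypt completely :/
Anyone who had access could already decrypt the files in the existing history, so rotate the secrets themselves as well.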