[{"data":1,"prerenderedAt":652},["ShallowReactive",2],{"Categories":3,"NavIndexCategoriesCountFooter":203,"content-\u002F2019\u002F02\u002F23\u002Fusing-git-crypt\u002F":204},[4,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,68,70,71,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202],{"category":5},"System Administration",{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},"Software Development",{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":27},{"category":27},{"category":67},"Drones & RC",{"category":69},"DIY 
Projects",{"category":67},{"category":72},"Photography",{"category":69},{"category":69},{"category":69},{"category":67},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":67},{"category":69},{"category":69},{"category":67},{"category":67},{"category":72},{"category":72},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":5},{"category":5},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":5},{"category":67},{"category":67},{"category":72},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":72},{"category":67},{"category":138},"3D Printing - Laser Cutting - CNC",{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":5},{"category":138},{"category":27},{"category":27},{"category":138},{"category":138},{"category":72},{"category":158},"Photography,3D Printing - Laser Cutting - CNC",{"category":27},{"category":27},{"category":69},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":67},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":27},{"category":69},{"category":27},{"category":27},{"category":27},{"category":27},{"category":181},"Home 
Assistant",{"category":181},{"category":72},{"category":27},{"category":27},{"category":72},{"category":138},{"category":5},{"category":72},{"category":72},{"category":138},{"category":27},{"category":181},{"category":181},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},191,{"id":205,"title":206,"body":207,"category":638,"date":639,"description":213,"embedImage":638,"extension":640,"image":638,"intro":641,"meta":642,"navigation":273,"path":643,"seo":644,"series":638,"sitemap":645,"stem":646,"tags":647,"__hash__":651},"content\u002F2019\u002F02\u002F23\u002Fusing-git-crypt.md","Using git-crypt",{"type":208,"value":209,"toc":629},"minimark",[210,214,224,227,230,250,439,450,454,468,471,476,484,496,500,506,539,544,550,554,560,564,567,573,576,582,585,589,604,625],[211,212,213],"p",{},"For a while now I have had two methods of dealing with sensitive data (usernames, passwords etc) in public git repositories. Neither were optimal.",[215,216,217,221],"ul",{},[218,219,220],"li",{},"Ignore the file entirely - and then pass it around outside of git",[218,222,223],{},"Encrypt the file under a different name and have a shell script that would trigger the decrypt if necessary.",[211,225,226],{},"The first one has issues about how to pass the data around.",[211,228,229],{},"An example of how the second option worked. For ansible repositories - the variables that are not to be publically available were placed in ansible vault files. 
But - how to handle the vault password.",[211,231,232,233,237,238,241,242,245,246,249],{},"I placed the ",[234,235,236],"code",{},"vault-password.txt"," file in ",[234,239,240],{},".gitignore",", encrypted it with GnuPG to ",[234,243,244],{},"vault-password.txt.gpg"," which was committed and then added the following shell script ",[234,247,248],{},"run-playbook.sh",":",[251,252,257],"pre",{"className":253,"code":254,"language":255,"meta":256,"style":256},"language-shell shiki shiki-themes github-dark","#\u002Fbin\u002Fbash\n\nCMD=gpg\n\nif [ ! $(type -P $CMD) ]; then\n        CMD=gpg2\nfi\n\nif [ ! $(type -P $CMD) ]; then\n        echo \"GPG not found\"\n        exit\nfi\n\nif [ ! -f vault-password.txt ]; then\n  $CMD --decrypt-files vault-password.txt.gpg\nfi\n\nansible-playbook $@\n","shell","",[234,258,259,268,275,290,295,323,334,340,345,364,373,379,384,389,406,418,423,428],{"__ignoreMap":256},[260,261,264],"span",{"class":262,"line":263},"line",1,[260,265,267],{"class":266},"sAwPA","#\u002Fbin\u002Fbash\n",[260,269,271],{"class":262,"line":270},2,[260,272,274],{"emptyLinePlaceholder":273},true,"\n",[260,276,278,282,286],{"class":262,"line":277},3,[260,279,281],{"class":280},"s95oV","CMD",[260,283,285],{"class":284},"snl16","=",[260,287,289],{"class":288},"sU2Wk","gpg\n",[260,291,293],{"class":262,"line":292},4,[260,294,274],{"emptyLinePlaceholder":273},[260,296,298,301,304,307,310,314,317,320],{"class":262,"line":297},5,[260,299,300],{"class":284},"if",[260,302,303],{"class":280}," [ ",[260,305,306],{"class":284},"!",[260,308,309],{"class":280}," $(",[260,311,313],{"class":312},"sDLfK","type",[260,315,316],{"class":312}," -P",[260,318,319],{"class":280}," $CMD) ]; ",[260,321,322],{"class":284},"then\n",[260,324,326,329,331],{"class":262,"line":325},6,[260,327,328],{"class":280},"        
CMD",[260,330,285],{"class":284},[260,332,333],{"class":288},"gpg2\n",[260,335,337],{"class":262,"line":336},7,[260,338,339],{"class":284},"fi\n",[260,341,343],{"class":262,"line":342},8,[260,344,274],{"emptyLinePlaceholder":273},[260,346,348,350,352,354,356,358,360,362],{"class":262,"line":347},9,[260,349,300],{"class":284},[260,351,303],{"class":280},[260,353,306],{"class":284},[260,355,309],{"class":280},[260,357,313],{"class":312},[260,359,316],{"class":312},[260,361,319],{"class":280},[260,363,322],{"class":284},[260,365,367,370],{"class":262,"line":366},10,[260,368,369],{"class":312},"        echo",[260,371,372],{"class":288}," \"GPG not found\"\n",[260,374,376],{"class":262,"line":375},11,[260,377,378],{"class":312},"        exit\n",[260,380,382],{"class":262,"line":381},12,[260,383,339],{"class":284},[260,385,387],{"class":262,"line":386},13,[260,388,274],{"emptyLinePlaceholder":273},[260,390,392,394,396,398,401,404],{"class":262,"line":391},14,[260,393,300],{"class":284},[260,395,303],{"class":280},[260,397,306],{"class":284},[260,399,400],{"class":284}," -f",[260,402,403],{"class":280}," vault-password.txt ]; ",[260,405,322],{"class":284},[260,407,409,412,415],{"class":262,"line":408},15,[260,410,411],{"class":280},"  $CMD ",[260,413,414],{"class":312},"--decrypt-files",[260,416,417],{"class":288}," vault-password.txt.gpg\n",[260,419,421],{"class":262,"line":420},16,[260,422,339],{"class":284},[260,424,426],{"class":262,"line":425},17,[260,427,274],{"emptyLinePlaceholder":273},[260,429,431,435],{"class":262,"line":430},18,[260,432,434],{"class":433},"svObZ","ansible-playbook",[260,436,438],{"class":437},"s9osk"," $@\n",[211,440,441,442,445,446,449],{},"So - then to run a playbook instead of ",[234,443,444],{},"ansible-playbook playbookname"," it was ",[234,447,448],{},"run-playbook.sh playbookname"," and if the decrypted file was not present it would prompt for the GnuPG password for decryption otherwise it would run 
normally.",[451,452,453],"h2",{"id":453},"git-crypt",[211,455,456,457,459,460,463,464,467],{},"This works with a combination of a new CLI tool (",[234,458,453],{},"), a ",[234,461,462],{},".git-crypt"," directory and use of ",[234,465,466],{},".gitattributes",".",[211,469,470],{},"Let's migrate the previous example to git-crypt.",[472,473,475],"h3",{"id":474},"initialize-git-crypt-and-add-my-key","Initialize git-crypt and add my key",[251,477,482],{"className":478,"code":480,"language":481},[479],"language-text","cd REPO\ngit-crypt init\ngit-crypt add-gpg-user D4BF0A41\n","text",[234,483,480],{"__ignoreMap":256},[211,485,486,487,489,490,492,493,467],{},"This creates the ",[234,488,462],{}," directory and adds my key info. This directory needs to be under source control - and ",[234,491,453],{}," will commit the key file (the repository key, encrypted to the added user's GPG public key) when you run ",[234,494,495],{},"add-gpg-user",[472,497,499],{"id":498},"setup-the-files","Set up the files",[211,501,502,503,505],{},"First I made sure I had the decrypted ",[234,504,236],{}," file in place.",[215,507,508,516,521,525,531,536],{},[218,509,510,511,513,514],{},"Edit ",[234,512,240],{}," - remove ",[234,515,236],{},[218,517,518,519],{},"Remove ",[234,520,244],{},[218,522,518,523],{},[234,524,248],{},[218,526,527,528,530],{},"Add ",[234,529,466],{}," file (see below)",[218,532,533,534],{},"And finally - now that .gitattributes is in place, so the file is encrypted when it is added - add ",[234,535,236],{},[218,537,538],{},"Commit",[211,540,541,543],{},[234,542,466],{}," looks like this:",[251,545,548],{"className":546,"code":547,"language":481},[479],"vault-password.txt filter=git-crypt diff=git-crypt\n",[234,549,547],{"__ignoreMap":256},[472,551,553],{"id":552},"test","Test",[211,555,556,557,559],{},"Just push to github. 
Locally the ",[234,558,236],{}," file looks fine - but on github it is shown just as data - and is not readable.",[472,561,563],{"id":562},"clone-to-a-new-machine","Clone to a new machine",[211,565,566],{},"But how do we check out a clone on a new machine?",[251,568,571],{"className":569,"code":570,"language":481},[479],"git clone URL\ncd REPO\n",[234,572,570],{"__ignoreMap":256},[211,574,575],{},"At this point - we've done the normal stuff - but the files are still encrypted.",[251,577,580],{"className":578,"code":579,"language":481},[479],"git-crypt unlock\n",[234,581,579],{"__ignoreMap":256},[211,583,584],{},"This will decrypt the working file and leave the repo set up with git-crypt. It only works if the GnuPG private key for a user added with add-gpg-user is available on that machine.",[451,586,588],{"id":587},"installation-passwords-etc","Installation, passwords etc",[211,590,591,592,594,595,467],{},"This test was run on my mac - so I used homebrew to install ",[234,593,453],{},". The repository is ",[596,597,598],"a",{"href":598,"rel":599,"target":603},"https:\u002F\u002Fgithub.com\u002FAGWA\u002Fgit-crypt",[600,601,602],"nofollow","noopener","noreferrer","_blank",[211,605,606,607,610,611,614,615,618,619,622,623,467],{},"For GnuPG I've used brew to install ",[234,608,609],{},"gnupg"," and ",[234,612,613],{},"pinentry-mac"," (which is configured in my ",[234,616,617],{},"gpg-agent.conf"," file as ",[234,620,621],{},"pinentry-program","). 
This was already in place before I started looking at ",[234,624,453],{},[626,627,628],"style",{},"html pre.shiki code .sAwPA, html code.shiki .sAwPA{--shiki-default:#6A737D}html pre.shiki code .s95oV, html code.shiki .s95oV{--shiki-default:#E1E4E8}html pre.shiki code .snl16, html code.shiki .snl16{--shiki-default:#F97583}html pre.shiki code .sU2Wk, html code.shiki .sU2Wk{--shiki-default:#9ECBFF}html pre.shiki code .sDLfK, html code.shiki .sDLfK{--shiki-default:#79B8FF}html pre.shiki code .svObZ, html code.shiki .svObZ{--shiki-default:#B392F0}html pre.shiki code .s9osk, html code.shiki .s9osk{--shiki-default:#FFAB70}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":256,"searchDepth":270,"depth":270,"links":630},[631,637],{"id":453,"depth":270,"text":453,"children":632},[633,634,635,636],{"id":474,"depth":277,"text":475},{"id":498,"depth":277,"text":499},{"id":552,"depth":277,"text":553},{"id":562,"depth":277,"text":563},{"id":587,"depth":270,"text":588},null,"2019-02-23 12:18 +0100","md","git-crypt can be used to safely and transparently encrypt secrets so that they can be stored in git",{},"\u002F2019\u002F02\u002F23\u002Fusing-git-crypt",{"title":206,"description":213},{"loc":643},"2019\u002F02\u002F23\u002Fusing-git-crypt",[648,649,650,453,609],"git","encryption","github","DNLGJCM-UJQUK3htEjKnrsHXv9Tu1rSgBzLNsHjPrwM",1775293009750]