Rodel Talampas
Blackbox - Secrets amongst your code

One of the major concerns amongst developers is how to store shared secrets. Storing secrets in a config file alongside your source code is problematic, as it can compromise their confidentiality. Storing them outside the repository without a proper process or documentation means they tend to be forgotten (this is not to say that option is bad; using a SaaS tool like Vault is the way to go). But if you have a limited budget and limited capability, GPG is the way to go. Here comes Blackbox.

For any secrets you want to store alongside the source code, limit the risk of intentional or accidental sharing by encrypting them.

You should encrypt this kind of data in your repositories:

SSH keys
Private keys
Usernames and passwords

Installation
Blackbox is a GPG-based encryption tool for Git. Assuming Homebrew is installed on a macOS or Linux machine, the command below is sufficient. Otherwise, look for the Blackbox link above for more information.

brew install blackbox

GPG Keys
GnuPG, also known as GPG, is a free, complete implementation of the OpenPGP standard as outlined in RFC 4880 (also known as PGP). It enables you to encrypt, sign and authenticate data and communication.

gpg --full-generate-key

When the key has been generated, look through the messages displayed on the screen and find your key ID:

gpg: key <key_id> marked as ultimately trusted

Generate a revocation certificate for the primary public key. If your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used.

gpg --output revoke.asc --gen-revoke <key_id>

The revoke.asc file is stored in your user directory. Store the certificate somewhere safe, ideally in a password manager such as KeePass or MacPass.
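Two of the steps above are checkpoints that are easy to get wrong when scripted: picking the key ID out of gpg's output, and making sure the revoke.asc you put aside really is a revocation certificate and is not readable by other users. The helpers below are an added example and are not part of the post or of GnuPG; they work on captured text and files only, so they run without gpg. The sample gpg output and the stand-in revoke.asc are constructed, and the header check assumes the armored format GnuPG 2.x writes for --gen-revoke ("Comment: This is a revocation certificate").

```shell
#!/bin/sh
# Added example (not from the post or GnuPG): helpers for the key-ID and
# revocation-certificate checkpoints. Runs offline on constructed input.
set -u

# gpg_key_id_from_output: read gpg's key-generation output on stdin and
# print the key ID from the "marked as ultimately trusted" line.
# Returns 1 if no such line is present (for example, generation failed).
gpg_key_id_from_output() {
    id=$(sed -n 's/^gpg: key \([0-9A-Fa-f]\{8,40\}\) marked as ultimately trusted.*/\1/p' | head -n 1)
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# check_revocation_cert FILE: confirm FILE looks like the armored revocation
# certificate written by gpg --gen-revoke and that only the owner can read it.
# Returns 0 when every check passes; otherwise prints the failed check and returns 1.
check_revocation_cert() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    head -n 1 "$f" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' \
        || { echo "not an armored key block: $f"; return 1; }
    grep -q '^Comment: This is a revocation certificate' "$f" \
        || { echo "not a revocation certificate: $f"; return 1; }
    # ls -ld is used instead of stat because stat's flags differ between GNU and BSD
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -rw-------) ;;
        *) echo "permissions $mode too open (want -rw-------): $f"; return 1 ;;
    esac
}

# make_sample_revoke FILE: write a constructed stand-in for revoke.asc
# (the body is not a real signature) with owner-only permissions.
make_sample_revoke() {
    printf '%s\n' \
        '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        'Comment: This is a revocation certificate' \
        '' \
        'iQExampleNotARealSignatureBlock=' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$1"
    chmod 600 "$1"
}

# Constructed sample of what gpg --full-generate-key prints; the key ID is made up.
SAMPLE_GPG_OUTPUT="gpg: key 3AA5C34371567BD2 marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
public and secret key created and signed."

# Demo: extract the key ID, then validate a freshly written certificate.
key_id=$(printf '%s\n' "$SAMPLE_GPG_OUTPUT" | gpg_key_id_from_output)
echo "key id: $key_id"
demo=$(mktemp -d)
make_sample_revoke "$demo/revoke.asc"
check_revocation_cert "$demo/revoke.asc" && echo "revoke.asc looks good"
rm -rf "$demo"
```

In a real workflow you would pipe the real gpg output into gpg_key_id_from_output (for example by running the generation with output captured to a file) and point check_revocation_cert at the real revoke.asc before copying it into your password manager.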

Add your public key to the key server so that others can verify it.

gpg --keyserver=pgp.key-server.io --armor --send-keys <key_id>

Browse to pgp.key-server.io and search for your name to check whether your GPG key is there.

If pgp.key-server.io is not registering your key, use other well-known public keyservers:

Using Blackbox

  • Make a repository a blackbox repo
$ blackbox_initialize 
Enable blackbox for this git repo? (yes/no) y
VCS_TYPE: git

NEXT STEP: You need to manually check these in:
      git commit -m'INITIALIZE BLACKBOX' .blackbox /talampas/development/repo/.gitignore
  • Add a new user in the blackbox repo

You first need to find the user's public key, verify it, and add it to your keychain.

gpg --keyserver keys.openpgp.org --search-key <personA@email.com | fingerprint>

Add the user as an admin of Blackbox for that repo.

blackbox_addadmin <personA@email.com>

Update all secret files so that they are also encrypted to the newly registered key.

blackbox_update_all_files

Commit and push the repo.

# the next two lines are not required if no other files were edited
git add .
git commit -m"Add new user - personA"
# Required to push changes
git push
  • Updating Blackbox Encrypted files

If you need to update the secrets in an encrypted file, follow the steps below.

Open the file for editing

blackbox_edit_start <filename>.gpg

End the editing process

blackbox_edit_end <filename>

As above, commit and push when you're done.
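The two procedures above (adding an admin and re-encrypting, and editing a secret with blackbox_edit_start / blackbox_edit_end) share one failure mode: a decrypted copy of a secret ends up on disk or in a commit, because blackbox_edit_end was never run or the plaintext name was never ignored. The guard below is an added example, not part of the post or of Blackbox itself; it is the kind of check you would run from a pre-commit hook or CI job. It assumes Blackbox's repository layout: registered files are listed one per line in .blackbox/blackbox-files.txt, the encrypted copy sits next to the plaintext as <file>.gpg, and the plaintext names are added to .gitignore. The repository it inspects is a constructed fixture, and the tracked-file list is a plain file standing in for the output of `git ls-files`.

```shell
#!/bin/sh
# Added example (not from the post or Blackbox): a guard that reports
# plaintext secrets left on disk, committed, or not ignored in a Blackbox repo.
# Assumes the .blackbox/blackbox-files.txt registry and <file>.gpg layout.
set -u

# blackbox_guard REPO_DIR TRACKED_LIST
#   REPO_DIR      root of the repository
#   TRACKED_LIST  file with one tracked path per line
#                 (in a real hook: git ls-files > tracked.txt)
# Prints one finding per line; returns the number of findings (0 = clean).
blackbox_guard() {
    repo="$1"; tracked="$2"; findings=0
    registry="$repo/.blackbox/blackbox-files.txt"
    [ -f "$registry" ] || { echo "no $registry: not a blackbox repo"; return 1; }
    while IFS= read -r secret || [ -n "$secret" ]; do
        [ -z "$secret" ] && continue
        # 1. the encrypted copy must exist
        if [ ! -f "$repo/$secret.gpg" ]; then
            echo "MISSING: $secret.gpg (blackbox_edit_end not run?)"
            findings=$((findings + 1))
        fi
        # 2. plaintext on disk means an edit was started but never ended
        if [ -f "$repo/$secret" ]; then
            echo "PLAINTEXT ON DISK: $secret (blackbox_edit_end not run?)"
            findings=$((findings + 1))
        fi
        # 3. the plaintext name must never be tracked by git
        if grep -qxF "$secret" "$tracked"; then
            echo "TRACKED PLAINTEXT: $secret is committed"
            findings=$((findings + 1))
        fi
        # 4. .gitignore should carry the plaintext name
        if ! grep -qxF "$secret" "$repo/.gitignore" 2>/dev/null; then
            echo "NOT IGNORED: $secret missing from .gitignore"
            findings=$((findings + 1))
        fi
    done < "$registry"
    return "$findings"
}

# make_fixture DIR: build a constructed repo with one healthy secret
# (config/prod.env: only the .gpg exists, ignored, untracked) and one
# unhealthy secret (config/dev.key: left decrypted, committed, not ignored).
make_fixture() {
    dir="$1"
    mkdir -p "$dir/.blackbox" "$dir/config"
    printf '%s\n' "config/prod.env" "config/dev.key" > "$dir/.blackbox/blackbox-files.txt"
    printf '%s\n' "config/prod.env" > "$dir/.gitignore"
    printf 'ciphertext (constructed)\n' > "$dir/config/prod.env.gpg"
    printf 'ciphertext (constructed)\n' > "$dir/config/dev.key.gpg"
    printf 'PRIVATE KEY MATERIAL (constructed)\n' > "$dir/config/dev.key"
    printf '%s\n' ".blackbox/blackbox-files.txt" "config/prod.env.gpg" \
        "config/dev.key.gpg" "config/dev.key" > "$dir/tracked.txt"
}

# Demo: run the guard against the fixture; expect three findings for dev.key.
demo=$(mktemp -d)
make_fixture "$demo"
blackbox_guard "$demo" "$demo/tracked.txt" || echo "findings: $?"
rm -rf "$demo"
```

Wired into a pre-commit hook, a non-zero return blocks the commit until blackbox_edit_end has been run and the plaintext name is ignored, which is exactly the state the "commit and push" step assumes.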
