One of the major concerns among developers is how to store shared secrets. Storing secrets in a config file alongside your source code is problematic, as it can compromise their confidentiality. Storing them elsewhere without a proper process or documentation means they tend to be forgotten (not that storing them externally is bad; using SaaS tools like Vault is the way to go). But if you have a limited budget and limited capability, using GPG is the way to go. Here comes Blackbox.
For any secrets you want to store alongside the source code, limit the risk of intentional or accidental sharing by encrypting them.
You should encrypt this kind of data in your repositories:
- SSH keys
- Private keys
- Usernames and passwords
Installation
Blackbox is a GPG-based encryption tool for Git. Assuming Homebrew is installed on a Mac or Linux machine, the command below is sufficient. Otherwise, look at the Blackbox link above for more information.
brew install blackbox
GPG Keys
GnuPG, also known as GPG, is a free, full implementation of the OpenPGP standard as outlined in RFC4880 (also known as PGP). It enables you to encrypt, sign and authenticate data and communication.
gpg --full-generate-key
When the key has been generated, look through the messages displayed on the screen and find your Key ID:
gpg: key <key_id> marked as ultimately trusted
Generate a revocation certificate for the primary public key. If your private key is compromised or lost, this revocation certificate can be published to notify others that the public key should no longer be used.
gpg --output revoke.asc --gen-revoke <key_id>
The revoke.asc file is stored in your user directory. Store the certificate somewhere safe, ideally in keypass or macpass.
Add your public key to the key server so that others can verify it.
gpg --keyserver=pgp.key-server.io --armor --send-keys <key_id>
Browse to pgp.key-server.io and search for your name to check whether your GPG key is there.
If pgp.key-server.io does not register your key, use other well-known public keyservers:
Using Blackbox
- Make a repository a blackbox repo
$ blackbox_initialize
Enable blackbox for this git repo? (yes/no) y
VCS_TYPE: git
NEXT STEP: You need to manually check these in:
git commit -m'INITIALIZE BLACKBOX' .blackbox /talampas/development/repo/.gitignore
- Add a new user to the blackbox repo
First look up the user's public key to verify it and add it to your keyring
gpg --keyserver keys.openpgp.org --search-key <personA@email.com | fingerprint>
Add the user as an admin of blackbox for that repo.
blackbox_addadmin <personA@email.com>
Re-encrypt all secret files so that they include the newly registered key
blackbox_update_all_files
Commit and push the repo
# the next two lines are not required if no other files were edited
git add .
git commit -m"Add new user - personA"
# Required to push changes
git push
- Updating Blackbox encrypted files
If you need to update the secrets in an encrypted file, follow the steps below
Open the file for editing
blackbox_edit_start <filename>.gpg
End the editing process
blackbox_edit_end <filename>
Same as above, commit and push when you're done
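The workflow above relies on the plaintext file staying in .gitignore while only the .gpg copy is committed. A mistake here (a force-add, a renamed file, an editing session that was never closed with blackbox_edit_end) silently puts the secret into history. The script below is an added example, not part of the Blackbox project, of a pre-commit style check that refuses a commit staging the plaintext of a registered secret. It assumes Blackbox records managed files one per line in .blackbox/blackbox-files.txt and stores the encrypted copy as <file>.gpg; adjust the registry path if your version keeps it elsewhere.

```shell
#!/bin/sh
# Added example (not Blackbox's own code): block commits that stage a
# Blackbox-managed secret in plaintext.
# Assumption: the registry of managed files is .blackbox/blackbox-files.txt,
# one relative path per line, and the committed form is <path>.gpg.

# plaintext_secrets_staged REGISTRY STAGED_PATH...
# Prints every staged path that is a registered secret in plaintext form.
# Returns 1 if at least one such path was found, 0 otherwise.
plaintext_secrets_staged() {
    registry="$1"; shift
    found=0
    for staged in "$@"; do
        case "$staged" in
            *.gpg) continue ;;   # encrypted copies are exactly what should be committed
        esac
        # -F: literal string, -x: whole-line match, -q: no output; "--" guards odd paths
        if grep -Fxq -- "$staged" "$registry"; then
            printf 'refusing commit: %s is a Blackbox secret staged in plaintext\n' "$staged"
            found=1
        fi
    done
    return "$found"
}

# check_repo [REGISTRY]
# Hook entry point: feeds the currently staged paths from git into the check.
# Requires git and a blackbox_initialize'd repo; passes when there is no registry.
check_repo() {
    registry="${1:-.blackbox/blackbox-files.txt}"
    if [ ! -f "$registry" ]; then
        echo "no Blackbox registry at $registry, nothing to check" >&2
        return 0
    fi
    # word-splitting is intended here: one staged path per argument
    # shellcheck disable=SC2046
    plaintext_secrets_staged "$registry" $(git diff --cached --name-only)
}

# Usage as a hook: copy this file to .git/hooks/pre-commit, make it executable,
# and append the line:   check_repo || exit 1
```

The check matches on whole paths only, so a secret registered as config/db.yml is caught whether it was staged with git add . or forced in with git add -f, but the legitimately committed config/db.yml.gpg passes. Because it reads the registry rather than scanning file contents, it costs nothing per commit and cannot produce false positives on unrelated files.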