Blackbox - Secrets amongst your code

One of the major concerns amongst developers is how to store shared secrets. Storing secrets in a config file along with your source code is problematic as it can compromise privacy. Storing it outside without proper process or documentation can tend to be forgotten (not saying this is not good as using SAAS tools like Vault is the way to go). But in case you have a limited budget and limited capability, using GPG is the way to go. Here comes Blackbox.

For any secrets you want to store alongside the source code, we should limit the risk of intentional or accidental sharing by encrypting secrets.

You should encrypt these data in your repositories:

SSH keys
Private keys
Usernames and passwords

Installation
Blackbox is a GPG-based encryption tool for Git. Assuming Homebrew is installed in a mac or linux machine, the command below is sufficient. Otherwise look for the Blackbox link above for more information

brew install blackbox

GPG Keys
GnuPG, also known as GPG, is a free, full implementation of the OpenPGP standard as outlined in RFC4880 (also known as PGP). It enables you to encrypt, sign and authenticate data and communication.

gpg --full-generate-key

When key has been generated, look through the messages that displayed on the screen and find your Key ID.

gpg: key <key_id> marked as ultimately trusted

Generate a revocation certificate for the primary public key. If your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used.

gpg --output revoke.asc --gen-revoke <key_id>

The revoke.asc file is stored in your user directory. Store the certificate key somewhere safe, ideally keypass or macpass.

Add your public key to the keys server so that others have verify it.

gpg --keyserver=pgp.key-server.io --armor --send-keys <key_id>

Browse to pgp.key-server.io and search for your name to see if your gpg key is there or not.

In case pgp.key-server.io is not registering your key, use other public known keyservers:

• https://keys.openpgp.org/
• https://keyserver.ubuntu.com/
• https://pgp.mit.edu/

Using Blackbox

• Make a repository a blackbox repo

$ blackbox_initialize 
Enable blackbox for this git repo? (yes/no) y
VCS_TYPE: git

NEXT STEP: You need to manually check these in:
      git commit -m'INITIALIZE BLACKBOX' .blackbox /talampas/development/repo/.gitignore

• Add a new user in the blackbox repo

There is a need to look for the user's key to verify and add it in your keychain

gpg --keyserver keys.openpgp.org --search-key <personA@email.com | fingerprint>

Add the user as an admin of blackbox for that repo.

blackbox_addadmin <personA@email.com>

Update all secret files to incorporate the new key registered

blackbox_update_all_files

Do a commit / push for the repo

# the next two lines are not required if no other files where edited
git add .
git commit -m"Add new user - personA"
# Required to push changes
git push

• Updating Blackbox Encrypted files

If there is a need to update the secrets in the encrypted file, follow the steps below

Open the file for editing

blackbox_edit_start <filename>.gpg

End the Editing process

blackbox_edit_end <filename>

Same as above, commit and push when you're done