Commit secrets to Git (encrypted)

As part of the COVID-19 extra free time, I'm learning gcloud and Terraform.

My first experiment was to deploy a simple Dockerfile to a Cloud Run service and to set a custom domain.

When I got the results I needed, I wanted to commit the files to GitHub, but I found out that the Terraform files can expose secrets. To avoid using a third-party solution, I decided to use a tool to encrypt the files before commit. I looked for a simple solution, self-contained and portable, so I decided to create my own.

git-secrets is a simple npm package that can be used with husky (git hooks) to transparently encrypt and decrypt files in your repo.

Setup:

npm i -S git-secrets husky

package.json

  "scripts": {
    "start": "node src/server.js",
    "infra:init": "terraform init",
    "infra:plan": "terraform plan",
    "infra:deploy": "terraform apply",
    "infra:destroy": "terraform destroy",
    "secret:init": "./node_modules/.bin/git-secrets init",
    "secret:hide": "./node_modules/.bin/git-secrets hide",
    "secret:reveal": "./node_modules/.bin/git-secrets reveal"
  },
  "husky": {
    "hooks": {
      "pre-commit": "npm run secret:hide && git add .",
      "post-commit": "npm run secret:reveal"
    }
  },

npm run secret:init

Now list the files you want encrypted before each commit in the config file.

.git-secrets (or any other file, set through the GIT_SECRETS_CONFIG environment variable)

terraform.tfstate
variables.tf
secrets.json

The next step is to choose your secret password and pass it to git-secrets. You can pass the key as a CLI parameter (--key=secret), as an environment variable (GIT_SECRETS_KEY), or by creating a key file named .git-secrets.key (make sure you add this file to .gitignore).

The final step is to test the whole configuration: commit the changes we just added and check the files on GitHub to see the result.
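Because the pre-commit hook runs `git add .`, every file that is not ignored gets staged, including the key file and any secret-bearing file missing from `.git-secrets` (Terraform writes `terraform.tfstate.backup` next to a local state file, for example). The script below is an added example, not part of git-secrets or of the original post, that checks for both before a commit. It assumes the config holds one literal path per line and that files are encrypted in place; `audit`, `parseConfig` and the `--audit` switch are names made up for this sketch.

```javascript
// Added example: audit what `git add .` would commit in a repo using the setup above.
// Assumptions: .git-secrets holds one literal path per line, encryption is in place
// (the path does not change), and the key file is .git-secrets.key.
const KEY_FILE = '.git-secrets.key';
// Terraform files that routinely hold secrets in plaintext.
const SENSITIVE = [/\.tfstate(\.backup)?$/, /\.tfvars$/];

function parseConfig(text) {
  return text.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
}

// paths: every file that is tracked or would be staged by `git add .`.
function audit(configText, paths) {
  const listed = new Set(parseConfig(configText));
  const findings = [];
  if (paths.includes(KEY_FILE)) {
    findings.push(`${KEY_FILE} is tracked or not ignored: add it to .gitignore`);
  }
  for (const path of paths) {
    if (SENSITIVE.some((re) => re.test(path)) && !listed.has(path)) {
      findings.push(`${path} would be committed in plaintext: list it in the config`);
    }
  }
  return findings;
}

// Run as `node secret-audit.js --audit` from the repo root (hypothetical file name).
if (process.argv.includes('--audit')) {
  const { execFileSync } = require('child_process');
  const fs = require('fs');
  // Tracked files plus untracked files that .gitignore does not exclude.
  const out = execFileSync(
    'git', ['ls-files', '-z', '--cached', '--others', '--exclude-standard'],
    { encoding: 'utf8' });
  const config = process.env.GIT_SECRETS_CONFIG || '.git-secrets';
  const findings = audit(fs.readFileSync(config, 'utf8'), out.split('\0').filter(Boolean));
  findings.forEach((f) => console.error(`secret-audit: ${f}`));
  process.exitCode = findings.length ? 1 : 0;
}
```

Placing it ahead of `npm run secret:hide` in the pre-commit hook makes a non-zero exit stop the commit.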

  • Disclaimer: this is a work in progress and not safe for production or enterprise projects, but it can do the trick for personal projects when the risk is low.

Nir Adler
