It is actually pretty convenient to have credentials and keys stored in the same repository as your codebase. Of course this is unsafe, as anyone (if you’re using public repos) can use those credentials to access your infrastructure (databases, servers, 3rd party APIs).
So firstly if your code is not for public use, a private repository obviously improves the security of your credentials immediately.
Bottom line, though, is if you store your credentials in a repository like on GitHub, encrypt those config files and keys first before committing them.
GNU Privacy Guard
For encryption we’ll be using GnuPG.
The first step is to download the binary for your OS here.
Generate a keypair for yourself
Once installed, we need to generate a key pair for ourselves. Open a terminal and type
Answer the prompts, and (importantly!) choose a strong passphrase.
Encrypt a file
In your terminal, let’s say we want to encrypt a file called “keys.js” (which might have some config credentials that our codebase uses).
gpg2 -e -a -s -r firstname.lastname@example.org keys.js
What the parameters mean:
- -e means to encrypt the file.
- -a means to “create ascii armored output”, i.e. a text file you can view, instead of a binary file.
- -s means to sign the file.
- -r selects the recipient whose public key the file is encrypted to; only the holder of that recipient’s private key can decrypt it. In our case I’m using the email address I used to create the key pair above, so I’m encrypting the file to myself.
- keys.js is the name of the file I want to encrypt.
This will generate a file in the same directory called keys.js.asc.
If you view the file, e.g.
less keys.js.asc
you’ll see something like
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
To decrypt a file
In your terminal, type
gpg2 -d -o keys.js keys.js.asc
What the parameters mean:
- -d means to decrypt the file
- -o specifies the name of the output file to save the decrypted data into. If you don’t specify this option, the decrypted contents will appear in your terminal
You’ll be prompted for the passphrase of your private key, since that is the recipient key the file was encrypted to.
Update your .gitignore file
Now that we have encrypted our credentials file, make sure git ignores the plaintext credentials files, but not the encrypted .asc files. Remember that decrypting writes keys.js back to disk, so the plaintext must stay ignored permanently, not just for the first commit.
For example, if your credentials (config files and private keys) are in a config directory, you would update the .gitignore file to have something like
Now you can safely commit your encrypted credentials
git add .
git commit -a -m "encrypted credentials"
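As an added example (not from the original post), the following git pre-commit hook enforces the rule above: it rejects any staged file under config/ that is not an ASCII-armored PGP message, so a plaintext keys.js that slipped past .gitignore never reaches a commit. The config/ directory name and the .asc suffix are assumptions taken from the examples above.

```shell
#!/bin/sh
# Added example, not from the original post: a git pre-commit hook that refuses
# to commit anything under config/ that is not an ASCII-armored PGP message.
# Assumptions: plaintext credentials live in config/ and their encrypted copies
# carry a .asc suffix, as in the post's gpg2 -e -a ... keys.js -> keys.js.asc.

# True if the file begins with the header that gpg2 -e -a writes.
is_armored() {
    head -n 1 -- "$1" 2>/dev/null | grep -q '^-----BEGIN PGP MESSAGE-----$'
}

# check_files PATH... : report every offending path; return 1 if any was found.
# A .asc file must really be armored; any other file under config/ is plaintext
# that should have been encrypted (and ignored) instead of staged.
check_files() {
    rc=0
    for f in "$@"; do
        case "$f" in
            config/*.asc)
                if ! is_armored "$f"; then
                    echo "blocked: $f is named .asc but is not a PGP message" >&2
                    rc=1
                fi ;;
            config/*)
                echo "blocked: $f is plaintext under config/; encrypt it with gpg2 -e -a and commit the .asc" >&2
                rc=1 ;;
        esac
    done
    return "$rc"
}

# When installed as .git/hooks/pre-commit, git runs this with no arguments:
# check every file added, copied, modified or renamed in the staged index.
# Split only on newlines so paths containing spaces survive.
if [ "$(basename -- "$0")" = "pre-commit" ]; then
    IFS='
'
    set -- $(git diff --cached --name-only --diff-filter=ACMR)
    unset IFS
    check_files "$@"
fi
```

Install it as .git/hooks/pre-commit and make it executable; a non-zero exit aborts the commit.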
Backing up your private key
Make sure you back up your private key, though; if you lose it you won’t be able to decrypt those committed credentials.
To export your private key, type
gpg2 --export-secret-key -a -o andrew-golightly.asc 'Andrew Golightly'
This exports your private key, in ascii armored output, to andrew-golightly.asc.
To store it, there are a number of things you could do.
One way is to zip that file and encrypt it, and store it on a backup (encrypted) USB or external disk.
To zip and encrypt a file on a Mac, type:
zip -e ag-gnupg.zip andrew-golightly.asc
You’ll be prompted for a password to encrypt the zip with. Note that zip -e uses the traditional PKZIP encryption, which is weak, so the passphrase on the exported key itself remains the real protection.
Oh and make sure you remember your passphrase too :)