The first in a series of posts about using git-crypt, in no particular order.
git-crypt is a popular git extension that lets you transparently encrypt sensitive files in a git repository. git-crypt uses collaborators' public PGP keys to control who has access to the encrypted data; the per-collaborator key files are stored in the .git-crypt directory within the repo.
When I join a new project and clone an existing git-crypt secured repo I am faced with a problem: who do those PGP keys belong to? Who will have access to the encrypted data that I commit to that repo?
At DevOpsGuys our motto is "secure by default", so I want to double-check who has access before I commit my changes. But how can I do that quickly and easily?
So, faced with a new repository, I would see something like:
northpole:delivery-platform santa$ pwd
/Users/santa/gitprojects/north_pole/delivery-platform
northpole:delivery-platform santa$ ls -al
drwxr-xr-x 18 santa staff 612B 30 Nov 11:08 ./
drwxr-xr-x 7 santa staff 238B 23 Nov 15:02 ../
-rw-r--r--@ 1 santa staff 8.0K 22 Nov 20:46 .DS_Store
drwxr-xr-x 17 santa staff 578B 30 Nov 17:00 .git/
drwxr-xr-x 4 santa staff 136B 18 Nov 10:51 .git-crypt/
-rw-r--r-- 1 santa staff 241B 18 Nov 10:51 .gitignore
-rw-r--r-- 1 santa staff 1.2K 30 Nov 11:06 README.md
drwxr-xr-x 3 santa staff 102B 22 Nov 22:53 bin/
drwxr-xr-x 14 santa staff 476B 28 Nov 14:54 configs/
-rwxr-xr-x 1 santa staff 8.8K 29 Nov 10:48 run
drwxr-xr-x 5 santa staff 170B 18 Nov 10:51 run_functions/
-rw-r--r-- 1 santa staff 1.6K 30 Nov 11:08 run_vars
drwxr-xr-x 6 santa staff 204B 22 Nov 23:08 states/
drwxr-xr-x 32 santa staff 1.1K 18 Nov 10:51 terraform/
drwxr-xr-x 7 santa staff 238B 22 Nov 23:08 test/
So we'll drill down into where the GPG keys are stored:
northpole:delivery-platform santa$ tree -L 4 .git-crypt/
.git-crypt/
└── keys
└── default
└── 0
├── M2HKA5WRAY2FCA7FXXJ8V3HFAQ4HE2KBVP5R3P5K.gpg
├── 8EWMRQGZKNM8F47QQZ7LY3KB7VSAL4MKDHY4GR5Y.gpg
├── H9SBCNPHM25DEPCFZVR587Q3663S4EESPU74NBX5.gpg
├── HKDKGTT7UJP92QE8YECGPP5QCX2UG96SKD77G436.gpg
├── N7Y2S9NGTNRESQ5N2N2FKFUQK5RP868R688J259S.gpg
└── 3D4MS5VT59G2YA5N3BC88DTM43JPF3DETBRK4AL7.gpg
How do I know who these belong to?
Easy! Run git log on the key file: git-crypt commits each key file with some useful metadata in the commit message.
santa$ git log .git-crypt/keys/default/0/M2HKA5WRAY2FCA7FXXJ8V3HFAQ4HE2KBVP5R3P5K.gpg
commit 219f12535f89f4f3e57f8cf167dec8d58efbbed6
Author: Blitzen <blitzen@northpolecorp.com>
Date: Tue Nov 29 10:31:16 2016 +0000
Add 1 git-crypt collaborator
New collaborators:
VP5R3P5K Rudolf (Work key1) <rudolf@northpolecorp.com>
Alternatively we could add an alias to .bashrc or .bash_profile that would print the information in a more concise manner. The alias prints the ninth line of each key file's git log, which is where git-crypt's commit message puts the collaborator's key id and user id:
alias gpgcryptusers='pushd .git-crypt/keys/default/0; for file in *.gpg; do echo "${file} : " && git log -- "${file}" | sed -n 9p; done; popd'
Then run the new alias from the root of a git project:
santa$ gpgcryptusers
/Users/santa/gitprojects/north_pole/delivery-platform/.git-crypt/keys/default/0 /Users/santa/gitprojects/north_pole/delivery-platform
M2HKA5WRAY2FCA7FXXJ8V3HFAQ4HE2KBVP5R3P5K.gpg :
VP5R3P5K Rudolf (Work key1) <rudolf@northpolecorp.com>
8EWMRQGZKNM8F47QQZ7LY3KB7VSAL4MKDHY4GR5Y.gpg :
DHY4GR5Y Blitzen <blitzen@northpolecorp.com>
H9SBCNPHM25DEPCFZVR587Q3663S4EESPU74NBX5.gpg :
PU74NBX5 Santa Claus <santa.claus@northpolecorp.com>
HKDKGTT7UJP92QE8YECGPP5QCX2UG96SKD77G436.gpg :
KD77G436 Cupid (Work Key 1) <cupid@northpolecorp.com>
N7Y2S9NGTNRESQ5N2N2FKFUQK5RP868R688J259S.gpg :
688J259S Prancer <prancer@northpolecorp.com>
3D4MS5VT59G2YA5N3BC88DTM43JPF3DETBRK4AL7.gpg :
TBRK4AL7 Dasher (Main key) <dasher@northpolecorp.com>
/Users/santa/gitprojects/north_pole/delivery-platform
That was much quicker and easier.
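The same check as a small POSIX shell script, added here as an example (not code from the post or from git-crypt itself). It finds each collaborator line by the key id, which git-crypt writes as the last eight characters of the key file name, rather than by a fixed line number, and also reports who committed the key, since that is the person who granted the access. make_demo_repo builds a throwaway fixture repo whose commit mimics git-crypt's "Add N git-crypt collaborators" message; the fingerprints and names are the post's fictional ones and the .gpg files are empty placeholders.

```shell
#!/bin/sh
# List git-crypt collaborators from the commits that added their key files.
# Added example; not part of the original post or of git-crypt.

# Print one line per key file under .git-crypt/keys/<keyname>/0/:
#   <fingerprint> | added by <committer> | <keyid> <collaborator uid>
# The collaborator line is located by its key id (last 8 chars of the file
# name), so extra lines in the commit message do not break the lookup.
gitcrypt_collaborators() (
    cd "${1:-.}" || return 1
    for f in .git-crypt/keys/*/0/*.gpg; do
        [ -e "$f" ] || { echo "no git-crypt key files under $(pwd)" >&2; return 1; }
        name=$(basename "$f" .gpg)
        keyid=$(printf '%s' "$name" | tail -c 8)
        # --diff-filter=A selects only the commit that added this key file
        added_by=$(git log --diff-filter=A --format='%an <%ae>' -- "$f" | tail -n 1)
        uid=$(git log --diff-filter=A --format=%B -- "$f" \
              | grep -m1 "^[[:space:]]*$keyid " | sed 's/^[[:space:]]*//')
        echo "$name | added by ${added_by:-unknown} | ${uid:-no collaborator line in commit message}"
    done
)

# Constructed fixture: a fresh repo with two placeholder key files committed
# the way git-crypt records new collaborators. Prints the repo path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.name 'Blitzen'
    git -C "$dir" config user.email 'blitzen@northpolecorp.com'
    mkdir -p "$dir/.git-crypt/keys/default/0"
    : > "$dir/.git-crypt/keys/default/0/M2HKA5WRAY2FCA7FXXJ8V3HFAQ4HE2KBVP5R3P5K.gpg"
    : > "$dir/.git-crypt/keys/default/0/8EWMRQGZKNM8F47QQZ7LY3KB7VSAL4MKDHY4GR5Y.gpg"
    git -C "$dir" add -A
    printf 'Add 2 git-crypt collaborators\n\nNew collaborators:\n\n\tVP5R3P5K Rudolf (Work key1) <rudolf@northpolecorp.com>\n\tDHY4GR5Y Blitzen <blitzen@northpolecorp.com>\n' \
        | git -C "$dir" commit -q -F -
    echo "$dir"
}

# Usage: ./gitcrypt_collaborators.sh /path/to/repo
if [ "$#" -gt 0 ]; then
    gitcrypt_collaborators "$1"
fi
```

Run it against the demo repo with `gitcrypt_collaborators "$(make_demo_repo)"` to see both collaborators attributed to the committer who added them.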