Introduction to git-secret

git-secret is a git-compatible command-line tool designed to store and manage sensitive data securely: passwords, keys and other sensitive files that would otherwise sit in the source tree. It protects the files with GPG encryption, so that only authorized users can access the sensitive information.

Workflow

1. Install git-secret: install git-secret in the local development environment.
2. Generate GPG keys: generate a GPG public/private key pair for each team member.
3. Add public keys: add each team member's public key to git-secret's keyring.
4. Track sensitive files: use the git secret add command to track the files that contain sensitive information.
5. Encrypt the files: run git secret hide to encrypt the tracked files so that they are stored securely in the repository.
6. Push to the remote repository: push the encrypted files to the remote Git repository.
7. Access the sensitive data: team members use the git secret reveal command to decrypt and access the sensitive data.

micray@localhost:/mnt/d/code/other$ mkdir test-git-secret
micray@localhost:/mnt/d/code/other$ cd test-git-secret/
micray@localhost:/mnt/d/code/other/test-git-secret$ ls
# generate a GPG key
micray@localhost:/mnt/d/code/other/test-git-secret$ gpg --list-secret-keys --keyid-format=long
gpg: /home/micray/.gnupg/trustdb.gpg: trustdb created

micray@localhost:/mnt/d/code/other/test-git-secret$ gpg --full-generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: alice
Email address: alice@csdn.vip
Comment: csdn.vip
You selected this USER-ID:
    "alice (csdn.vip) <alice@csdn.vip>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key D9690433F18BA0D7 marked as ultimately trusted
gpg: directory '/home/micray/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/micray/.gnupg/openpgp-revocs.d/C8B339A03193C3B3576F1319D9690433F18BA0D7.rev'
public and secret key created and signed.

pub   rsa4096 2024-10-12 [SC]
      C8B339A03193C3B3576F1319D9690433F18BA0D7
uid                      alice (csdn.vip) <alice@csdn.vip>
sub   rsa4096 2024-10-12 [E]

micray@localhost:/mnt/d/code/other/test-git-secret$ ls
micray@localhost:/mnt/d/code/other/test-git-secret$ gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/micray/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/D9690433F18BA0D7 2024-10-12 [SC]
      C8B339A03193C3B3576F1319D9690433F18BA0D7
uid                 [ultimate] alice (csdn.vip) <alice@csdn.vip>
ssb   rsa4096/E2EBD05D07C5BA81 2024-10-12 [E]

micray@localhost:/mnt/d/code/other/test-git-secret$ echo "Love you 3000" > mysecret.txt
micray@localhost:/mnt/d/code/other/test-git-secret$ ls
mysecret.txt

# initialize the repository
micray@localhost:/mnt/d/code/other/test-git-secret$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint:   git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint:   git branch -m <name>
Initialized empty Git repository in /mnt/d/code/other/test-git-secret/.git/
micray@localhost:/mnt/d/code/other/test-git-secret$ ls
mysecret.txt

micray@localhost:/mnt/d/code/other/test-git-secret$ git secret init
git-secret: init created: '/mnt/d/code/other/test-git-secret/.gitsecret/'
micray@localhost:/mnt/d/code/other/test-git-secret$ git secret tell alice@csdn.vip
gpg: keybox '/mnt/d/code/other/test-git-secret/.gitsecret/keys/pubring.kbx' created
gpg: /mnt/d/code/other/test-git-secret/.gitsecret/keys/trustdb.gpg: trustdb created
git-secret: done. alice@csdn.vip added as user(s) who know the secret.
micray@localhost:/mnt/d/code/other/test-git-secret$ git secret whoknows
alice@csdn.vip

# add the file to be encrypted
micray@localhost:/mnt/d/code/other/test-git-secret$ git secret add -i mysecret.txt
git-secret: these files are not in .gitignore: mysecret.txt
git-secret: auto adding them to .gitignore
git-secret: 1 item(s) added.
micray@localhost:/mnt/d/code/other/test-git-secret$ ls
mysecret.txt
micray@localhost:/mnt/d/code/other/test-git-secret$ cat mysecret.txt
Love you 3000

# encrypt
micray@localhost:/mnt/d/code/other/test-git-secret$ git secret hide
git-secret: done. 1 of 1 files are hidden.
micray@localhost:/mnt/d/code/other/test-git-secret$ ls
mysecret.txt  mysecret.txt.secret
micray@localhost:/mnt/d/code/other/test-git-secret$ cat mysecret.txt
Love you 3000
micray@localhost:/mnt/d/code/other/test-git-secret$ cat mysecret.txt.secret
Ȣn|H鵚ԁ"R7@jpY3oQ`CU*{ՉQ惎lqEsϐZC_+2/L~pRoSEȍskƋyS4<Qhn*dH*0d_Ak*+ІY6`.c6JYVwVܟoZϫޟ!T/f?!:6y&H+i޵Bg8`z
R^`Id%lz393WJw$UJn?1KjHќJj`^Om#da'jnWeSѻJ{I7j4Ot

# decrypt
micray@localhost:/mnt/d/code/other/test-git-secret$ ls
mysecret.txt  mysecret.txt.secret
micray@localhost:/mnt/d/code/other/test-git-secret$ rm -fr mysecret.txt
micray@localhost:/mnt/d/code/other/test-git-secret$ ls
mysecret.txt.secret
micray@localhost:/mnt/d/code/other/test-git-secret$ git secret reveal
git-secret: done. 1 of 1 files are revealed.
micray@localhost:/mnt/d/code/other/test-git-secret$ ls
mysecret.txt  mysecret.txt.secret
micray@localhost:/mnt/d/code/other/test-git-secret$ cat mysecret.txt
Love you 3000
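The session above shows git-secret adding the plaintext file to .gitignore on its own. What remains to be guarded in this workflow is a tracked plaintext file that gets staged anyway (for example after someone edits .gitignore), or a tracked file whose encrypted .secret counterpart was never produced. The Python script below is an added example, not part of git-secret or of the original post: it reads .gitsecret/paths/mapping.cfg (assumed here to hold one tracked path per line, optionally followed by ':' and a hash of the last hidden version) and .gitignore, compares them with the staged file list, and reports every tracked secret that would reach the index in plaintext. The sample inputs are constructed and the file names are placeholders.

```python
"""Guard against plaintext secrets reaching the Git index in a git-secret repository.

Added example, not part of git-secret. Assumes .gitsecret/paths/mapping.cfg holds one
tracked path per line, optionally followed by ':' and a hash of the last hidden version.
"""
import fnmatch
import subprocess
import sys
from pathlib import Path


def parse_mapping(text):
    """Return the plaintext paths git-secret tracks (the part before the last ':')."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            paths.append(line.rsplit(":", 1)[0] if ":" in line else line)
    return paths


def parse_gitignore(text):
    """Return the active patterns of a .gitignore (comments and blank lines dropped)."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def is_ignored(path, patterns):
    """Simplified .gitignore matching: exact/glob match on the path or its basename, or a
    directory prefix. Negation ('!') and nested .gitignore files are not handled."""
    name = path.rsplit("/", 1)[-1]
    for pat in patterns:
        pat = pat.lstrip("/")
        if pat.endswith("/"):
            if path.startswith(pat):
                return True
        elif fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(name, pat):
            return True
    return False


def audit(mapping_text, gitignore_text, staged_paths, existing_files):
    """Return (path, problem) findings for every file git-secret tracks."""
    findings = []
    patterns = parse_gitignore(gitignore_text)
    for path in parse_mapping(mapping_text):
        if not is_ignored(path, patterns):
            findings.append((path, "plaintext not covered by .gitignore"))
        if path in staged_paths:
            findings.append((path, "plaintext is staged for commit"))
        if path + ".secret" not in existing_files:
            findings.append((path, "no encrypted .secret counterpart; run 'git secret hide'"))
    return findings


# Constructed sample inputs (placeholder file names), mirroring a repository where one
# tracked file was staged in plaintext and a second one was added but never hidden.
SAMPLE_MAPPING = "mysecret.txt:0123abcd\nconfig/prod.env\n"
SAMPLE_GITIGNORE = "# generated by git-secret\nmysecret.txt\n"
SAMPLE_STAGED = {"mysecret.txt", "README.md"}
SAMPLE_FILES = {"mysecret.txt", "mysecret.txt.secret", "config/prod.env", "README.md"}


def audit_repo(root="."):
    """Run the audit against a real checkout: reads the config files and the Git index."""
    root = Path(root)
    mapping = (root / ".gitsecret" / "paths" / "mapping.cfg").read_text()
    gitignore = (root / ".gitignore").read_text() if (root / ".gitignore").exists() else ""
    staged = set(subprocess.run(["git", "diff", "--cached", "--name-only"], cwd=root,
                                capture_output=True, text=True, check=True).stdout.split())
    existing = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    return audit(mapping, gitignore, staged, existing)


if __name__ == "__main__":
    results = audit_repo(sys.argv[1]) if len(sys.argv) > 1 else audit(
        SAMPLE_MAPPING, SAMPLE_GITIGNORE, SAMPLE_STAGED, SAMPLE_FILES)
    for path, problem in results:
        print(f"{path}: {problem}")
    sys.exit(1 if results else 0)
```

Run it from the repository root, for instance from a pre-commit hook: a non-empty findings list (non-zero exit) is reason to abort the commit. Without an argument it runs on the constructed sample and reports the staged plaintext and the never-hidden file.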

How it works

git-secret relies on GPG's public-key encryption: the team members' public keys are used to encrypt the sensitive files, producing a ciphertext that only the holders of the corresponding private keys can decrypt.

At encryption time, GPG uses the --recipient parameter to specify multiple recipients. GPG first encrypts the original data with an internal symmetric algorithm (such as AES), producing the encrypted file body. It then encrypts that symmetric key (not the original data) once more with each recipient's public key; each encrypted symmetric key, together with a key identifier (typically the recipient's key ID), is embedded in the final encrypted file (in its header or metadata section), yielding the final encrypted file.

At decryption time, the recipient decrypts the GPG-encrypted file with their private key: GPG first reads the file header and metadata and locates the encrypted symmetric key that matches the recipient's private key. It then decrypts that symmetric key with the private key and finally uses the recovered symmetric key to decrypt the file's encrypted data section.

Furthermore, whenever the sensitive data has to be updated, or a member's access is added or removed, the files must be re-encrypted and the encrypted copies in the repository updated. This ensures that only members holding a valid private key can decrypt and access the sensitive data, giving both data security and flexible access control.
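The per-recipient structure described above is visible in the encrypted file itself: each recipient appears as a Public-Key Encrypted Session Key (PKESK) packet carrying a key ID, followed by the symmetrically encrypted body. The Python below is an added example (not from the post and not part of git-secret or GnuPG) that parses OpenPGP packet headers as specified in RFC 4880 and lists the key IDs a .secret file is encrypted to; this is one way to confirm that a removed member no longer appears after re-running git secret hide. Keep in mind that earlier commits still hold the file encrypted to the removed key, so the secret itself should also be rotated, not just re-encrypted. The sample bytes are constructed: they reuse alice's encryption subkey ID from the session above plus a placeholder second recipient, and the encrypted session-key values are dummy filler, so nothing in the sample can actually be decrypted.

```python
"""List the recipients (PKESK key IDs) embedded in a GPG/OpenPGP encrypted file.

Added example: a minimal RFC 4880 packet walker, not part of git-secret or GnuPG.
"""
import struct
import sys

PUBKEY_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 16: "Elgamal", 18: "ECDH"}
PACKET_NAMES = {1: "PKESK", 3: "SKESK", 9: "SED (no MDC)", 18: "SEIPD"}


def read_packet_header(data, pos):
    """Parse the packet header at data[pos]; return (tag, body_start, body_len)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError(f"no OpenPGP packet header at offset {pos}")
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled by this example")
    tag = (ctb >> 2) & 0x0F  # old-format header (section 4.2.1)
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    return tag, pos + 1, len(data) - pos - 1  # indeterminate: runs to end of stream


def list_packets(data):
    """Walk the packet sequence; describe each packet, decoding PKESK fields."""
    pos, packets = 0, []
    while pos < len(data):
        tag, start, length = read_packet_header(data, pos)
        body = data[start:start + length]
        info = {"tag": tag, "name": PACKET_NAMES.get(tag, f"tag {tag}")}
        if tag == 1 and len(body) >= 10:  # version(1) | key ID(8) | algo(1) | MPIs
            info["version"] = body[0]
            info["key_id"] = body[1:9].hex().upper()
            info["algo"] = PUBKEY_ALGOS.get(body[9], f"algo {body[9]}")
        packets.append(info)
        pos = start + length
    return packets


def recipients(data):
    """Key IDs of every public key the session key was wrapped for."""
    return [p["key_id"] for p in list_packets(data) if p["tag"] == 1]


def has_integrity_protection(data):
    """True if the body is a SEIPD packet (tag 18, with MDC) rather than legacy tag 9."""
    tags = {p["tag"] for p in list_packets(data)}
    return 18 in tags and 9 not in tags


def build_pkesk(key_id_hex, algo=1, mpi_bits=4096):
    """Constructed PKESK packet for the sample; the encrypted session key is filler."""
    mpi_len = (mpi_bits + 7) // 8
    mpi = struct.pack(">H", mpi_bits) + b"\x80" + b"\x5a" * (mpi_len - 1)
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([algo]) + mpi
    return bytes([0x85]) + struct.pack(">H", len(body)) + body  # old-format header, tag 1


# Constructed sample: alice's encryption subkey ID from the session above, a placeholder
# second recipient, then a SEIPD packet (new-format header 0xD2) with 32 bytes of filler.
SAMPLE = (
    build_pkesk("E2EBD05D07C5BA81")
    + build_pkesk("0123456789ABCDEF")
    + bytes([0xD2, 33, 0x01]) + b"\x00" * 32
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for p in list_packets(blob):
        print(p)
    print("recipients:", recipients(blob))
    print("integrity protected (MDC):", has_integrity_protection(blob))
```

gpg --list-packets mysecret.txt.secret prints the same information; the parser here makes the layout explicit, and has_integrity_protection() flags a file whose body is a legacy Symmetrically Encrypted Data packet (tag 9) without the MDC that current GnuPG emits by default.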

Other tools

git-crypt is a transparent-encryption tool for Git repositories that lets you encrypt the entire repository or specific files within it. Compared with git-secret, the similarities are that both use GPG encryption and both integrate into the Git workflow. The differences are that git-crypt focuses on encrypting whole files or directories, while git-secret, in addition to git-crypt's capabilities, also tracks which files are encrypted; moreover, git-crypt requires a configuration file that you maintain yourself to manage the keys and the list of encrypted documents, whereas git-secret maintains its configuration automatically through the command line and the .gitsecret/keys directory. In terms of day-to-day experience, git-secret fits developers' habits better.
