
How can I safely store my secret keys and passwords in my version control system?

Updated: 2023-02-16 08:25:44


I keep important settings like the hostnames and ports of development and production servers in my version control system. But I know that it's bad practice to keep secrets (like private keys and database passwords) in a VCS repository.

But passwords--like any other setting--seem like they should be versioned. So what is the proper way to keep passwords version controlled?

I imagine it would involve keeping the secrets in their own "secrets settings" file and having that file encrypted and version controlled. But what technologies? And how to do this properly? Is there a better way entirely to go about it?


I ask the question generally, but in my specific instance I would like to store secret keys and passwords for a Django/Python site using git and github.

Also, an ideal solution would do something magical when I push/pull with git--e.g., if the encrypted passwords file changes a script is run which asks for a password and decrypts it into place.


EDIT: For clarity, I am asking about where to store production secrets.

Since asking this question I have settled on a solution, which I use when developing small applications with a small team of people.

git-crypt

git-crypt uses GPG to transparently encrypt files when their names match certain patterns. For instance, if you add to your .gitattributes file...

*.secret.* filter=git-crypt diff=git-crypt

...then a file like config.secret.json will always be pushed to remote repos with encryption, but remain unencrypted on your local file system.

If I want to add a new GPG key (a person) to your repo which can decrypt the protected files then run git-crypt add-gpg-user <gpg_user_key>. This creates a new commit. The new user will be able to decrypt subsequent commits.
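The git-crypt rule above only protects paths that git's attribute matching actually resolves to `filter=git-crypt`, so before committing anything sensitive it is worth checking which names the pattern covers. The following is an added example, not code from the answer or from the git-crypt project; it needs only git (not git-crypt) and builds a throwaway repo with constructed file names and dummy contents.

```shell
#!/bin/sh
# Added example: verify which paths the answer's .gitattributes rule covers,
# using git's own attribute lookup. Without a configured git-crypt filter
# driver, git treats the attribute as a no-op, so this is safe to run anywhere.

# Throwaway repo carrying the exact rule from the answer.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  printf '%s\n' '*.secret.* filter=git-crypt diff=git-crypt' > "$dir/.gitattributes"
  echo "$dir"
}

# Constructed sample files; contents are dummies. Note that secrets.json does
# NOT match "*.secret.*", so it would reach the remote in plaintext.
populate() {  # $1 = repo dir
  mkdir -p "$1/db"
  printf '{"db_password": "dummy"}\n' > "$1/db/config.secret.json"
  printf '{"db_password": "dummy"}\n' > "$1/secrets.json"
  printf 'host=example.invalid\n' > "$1/settings.json"
  git -C "$1" add -A
}

# "encrypted" if git would run the git-crypt filter on the path, "PLAINTEXT"
# otherwise (git check-attr reports "unspecified" when no rule matches).
attr_filter() {  # $1 = repo dir, $2 = path relative to the repo
  case $(git -C "$1" check-attr filter -- "$2") in
    *": filter: git-crypt") echo encrypted ;;
    *) echo PLAINTEXT ;;
  esac
}

# Defensive audit: tracked paths whose name suggests a secret but that no
# git-crypt rule covers. The name heuristics are an assumption; adjust them.
audit_uncovered() {  # $1 = repo dir
  git -C "$1" ls-files | while IFS= read -r path; do
    case $path in
      *secret*|*.pem|*.key|*password*)
        if [ "$(attr_filter "$1" "$path")" = PLAINTEXT ]; then echo "$path"; fi ;;
    esac
  done
}
```

The check only tells you what git will do from now on: files committed before the rule existed stay in plaintext in history, and encryption requires `git-crypt init` to have installed the filter driver in the repo.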