git-secret: Encrypting and Storing Secrets in a Git Repository (Part 4, continued)

At this point alice@example.com has a new GPG key pair, exported to secret.gpg (the private key) and .dev/gpg-keys/alice-public.gpg (the public key). The remaining commands can now be run directly on the host, outside the application container.

Initial setup of git-secret
To bring git-secret into a new repository, run the following commands.
Initialize git-secret
$ make secret-init
"C:/Program Files/Git/mingw64/bin/make" -s git-secret ARGS="init"
git-secret: init created: '/var/www/app/.gitsecret/'

Apply the gpg fix for the shared directory. git-secret runs gpg with .gitsecret/keys as its home directory, and that directory lives on the volume shared with the host, where gpg-agent cannot create its Unix sockets; the redirect files written below ("%Assuan%" followed by "socket=...") point gpg at sockets under /tmp inside the container instead:
$ make secret-init-gpg-socket-config
echo "%Assuan%" > .gitsecret/keys/S.gpg-agent
echo "socket=/tmp/S.gpg-agent" >> .gitsecret/keys/S.gpg-agent
echo "%Assuan%" > .gitsecret/keys/S.gpg-agent.ssh
echo "socket=/tmp/S.gpg-agent.ssh" >> .gitsecret/keys/S.gpg-agent.ssh
echo "extra-socket /tmp/S.gpg-agent.extra" > .gitsecret/keys/gpg-agent.conf
echo "browser-socket /tmp/S.gpg-agent.browser" >> .gitsecret/keys/gpg-agent.conf

Initializing gpg after the container starts
After restarting the container, gpg has to be initialized again, which means importing the public keys from .dev/gpg-keys/* and the private key from secret.gpg; without this, files can be neither encrypted nor decrypted.
$ make gpg-init
"C:/Program Files/Git/mingw64/bin/make" -s gpg-import GPG_KEY_FILES="secret.gpg"
gpg: directory '/home/application/.gnupg' created
gpg: keybox '/home/application/.gnupg/pubring.kbx' created
gpg: /home/application/.gnupg/trustdb.gpg: trustdb created
gpg: key BBBE654440E720C1: public key "Alice Doe <alice@example.com>" imported
gpg: key BBBE654440E720C1: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
"C:/Program Files/Git/mingw64/bin/make" -s gpg-import GPG_KEY_FILES=".dev/gpg-keys/*"
gpg: key BBBE654440E720C1: "Alice Doe <alice@example.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Adding a new member
Next, let's look at how to add a new member to git-secret:
$ make secret-add-user EMAIL="alice@example.com"
"C:/Program Files/Git/mingw64/bin/make" -s git-secret ARGS="tell alice@example.com"
git-secret: done. alice@example.com added as user(s) who know the secret.

Verify that it worked:
$ make secret-show-users
"C:/Program Files/Git/mingw64/bin/make" -s git-secret ARGS="whoknows"
alice@example.com

Adding and encrypting files
To add a new encrypted file secret_password.txt, first create the file:
$ echo "my_new_secret_password" > secret_password.txt

Add it to .gitignore, so the plaintext is never committed:
$ echo "secret_password.txt" >> .gitignore

Add it to git-secret:
$ make secret-add FILE="secret_password.txt"
"C:/Program Files/Git/mingw64/bin/make" -s git-secret ARGS="add secret_password.txt"
git-secret: 1 item(s) added.

Encrypt all files:
$ make secret-encrypt
"C:/Program Files/Git/mingw64/bin/make" -s git-secret ARGS="hide"
git-secret: done. 1 of 1 files are hidden.
$ ls secret_password.txt.secret
secret_password.txt.secret

Decrypting files
First remove the secret_password.txt file:
$ rm secret_password.txt
$ ls secret_password.txt
ls: cannot access 'secret_password.txt': No such file or directory

Then decrypt:
$ make secret-decrypt
"C:/Program Files/Git/mingw64/bin/make" -s git-secret ARGS="reveal -f"
git-secret: done. 1 of 1 files are revealed.
$ cat secret_password.txt
my_new_secret_password

Note: if the gpg key is passphrase-protected (assuming the passphrase is
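The add, ignore, hide and reveal steps above leave the repository in a state where every tracked secret has an encrypted .secret twin and a .gitignore entry. The POSIX sh script below, added here as an example and not part of the original post or of git-secret itself, checks exactly that before a commit: it reads git-secret's own .gitsecret/paths/mapping.cfg (the "path:hash" line format is an assumption about the installed version; plain "path" lines are handled as well) and reports any plaintext secret that has no ciphertext counterpart or no .gitignore entry. The sample repository layouts it builds are constructed in a temporary directory and mirror the post's secret_password.txt example.

```shell
#!/bin/sh
# Added example, not part of the original post or of git-secret:
# a hygiene check for a git-secret repository that can run before a commit.
# It reads git-secret's own mapping file .gitsecret/paths/mapping.cfg
# (line format "path" or "path:hash"; the hash suffix is an assumption about
# the installed version) and, for every tracked plaintext path, requires
#   1. an encrypted "<path>.secret" counterpart (otherwise "hide" was skipped),
#   2. a matching line in .gitignore (otherwise the plaintext could be committed).

# check_secret_hygiene REPO_DIR
# Prints one line per problem; returns 0 when the repository is clean, 1 otherwise.
check_secret_hygiene() {
    repo=$1
    mapping="$repo/.gitsecret/paths/mapping.cfg"
    status=0

    if [ ! -f "$mapping" ]; then
        echo "no git-secret mapping at $mapping (run 'git secret init' first)"
        return 1
    fi

    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        path=${line%%:*}          # strip an optional ":<hash>" suffix
        [ -n "$path" ] || continue

        if [ ! -f "$repo/$path.secret" ]; then
            echo "MISSING CIPHERTEXT: $path (run 'git secret hide')"
            status=1
        fi
        # -x: whole-line match, -F: literal string, --: path may start with '-'
        if ! grep -qxF -- "$path" "$repo/.gitignore" 2>/dev/null; then
            echo "NOT IGNORED: $path (plaintext could be committed)"
            status=1
        fi
    done < "$mapping"

    return $status
}

# make_sample_repo
# Builds a constructed git-secret-style layout in a temporary directory that
# mirrors the post's state after "hide": a mapping entry, a .gitignore entry
# and an empty stand-in secret_password.txt.secret. Prints the directory path.
make_sample_repo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.gitsecret/paths"
    # constructed sample entry; "0000" stands in for the real content hash
    printf '%s\n' "secret_password.txt:0000" > "$dir/.gitsecret/paths/mapping.cfg"
    printf '%s\n' "secret_password.txt" > "$dir/.gitignore"
    : > "$dir/secret_password.txt.secret"
    echo "$dir"
}

# Stand-alone demo: the sample passes, then fails once the ciphertext is
# removed (the state right after "git secret add" without "git secret hide").
demo=$(make_sample_repo)
check_secret_hygiene "$demo" && echo "clean: $demo"
rm "$demo/secret_password.txt.secret"
check_secret_hygiene "$demo" || echo "problems found in $demo"
rm -rf "$demo"
```

Wiring check_secret_hygiene into a pre-commit hook, or running it at the end of the Makefile's secret-encrypt target, catches a forgotten `make secret-encrypt` or a missing .gitignore line before plaintext reaches the repository history.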

Lessons learned

Further reading