
So, while initially developing my app, I've stored private keys on a hosted git server. I want to remove these keys from git and manage keys via some other mechanism. How do I remove keys without removing commit history, and without deleting the entire repository altogether?

I can't just remove the keys from the files because the keys will be in previous commits.

  • You have to *replace* every bad commit with a new-and-improved commit. See [Remove sensitive files and their commits from Git history](https://stackoverflow.com/q/872565/1256452) – torek Jun 01 '19 at 00:07
  • Isn't it easier if you stop tracking the files containing secrets and then just change all of them? Old keys are history but serve for nothing. Maybe you want to track those files anyway but then arrange for not tracked includes. – progmatico Jun 01 '19 at 18:43
  • Yeah I was thinking I could just change all the keys and stuff, and then use some sort of package that helps encrypt keys on git. But, a lot of the time, there are other hardcoded values that are much more work to change. I'm probably going to just end up removing the repo and reuploading it since I'm at the beginning stages of the project. – Ronak Vora Jun 01 '19 at 23:06
  • I don't know what kind of secret keys you have been using, but if possible the safest option would be to obsolete (revoke, remove or however it is named depending on the system) the older ones and generate new ones, which you never insert into git. – max630 Jun 03 '19 at 07:50
  • Yeah, that makes sense too :). – Ronak Vora Jun 03 '19 at 18:53
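The "replace every bad commit" approach from torek's comment, worked through in a throwaway repository as an added example (this is not code from the question or any answer): it rewrites every ref so the secret file never existed, purges the backup refs and reflog entries that would otherwise keep the old blobs reachable locally, and counts how many reachable objects still contain the key. The file name config.env and the key value are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or its answers): scrub a committed
# secret file from every commit in a throwaway repo, then verify.
set -e
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip git's 5-second warning pause

# Build a throwaway repository whose first commit contains a secret file.
# The path and the key value are constructed for this demo.
make_repo_with_secret() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "demo@example.com"
  git -C "$dir" config user.name "demo"
  printf 'API_KEY=EXAMPLE_OLD_KEY_123\n' > "$dir/config.env"
  printf 'print("app")\n' > "$dir/app.py"
  git -C "$dir" add .
  git -C "$dir" commit -q -m "initial commit (accidentally includes config.env)"
  printf 'print("app v2")\n' > "$dir/app.py"
  git -C "$dir" commit -q -a -m "second commit"
  printf '%s' "$dir"
}

# Replace every commit on every ref with one that never had $file, then
# drop the backup refs and reflog entries that still point at the old
# commits and garbage-collect so the secret blob is gone from this clone.
scrub_file_from_history() {
  repo=$1; file=$2
  git -C "$repo" filter-branch -f --index-filter \
    "git rm --cached --ignore-unmatch -q '$file'" -- --all >/dev/null 2>&1
  git -C "$repo" for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git -C "$repo" update-ref -d "$ref"; done
  git -C "$repo" reflog expire --expire=now --all
  git -C "$repo" gc -q --prune=now
  printf '%s\n' "$file" >> "$repo/.gitignore"   # keep it from being re-added
}

# Count lines in any reachable object (commits, trees, blobs) that still
# contain $needle; the expected result after scrubbing is 0.
count_secret_hits() {
  repo=$1; needle=$2
  git -C "$repo" rev-list --all --objects | cut -d' ' -f1 |
    while read -r oid; do git -C "$repo" cat-file -p "$oid" 2>/dev/null || true; done |
    grep -c "$needle" || true
}
```

Rewriting only cleans the clone it runs in; the hosted server, forks and anyone who already fetched still hold the old objects, which is why the advice in the comments to rotate the keys stands regardless.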

1 Answer


According to this GitHub documentation, the only truly secure way to remove your keys / passwords from git is to regenerate the keys / passwords, as @max630 pointed out.

This is the path I have taken.

Regarding storing keys elsewhere, I have, for the time being, just decided to store them in S3. This might not be secure enough for you, but it works for my purposes now.
