I’m a relative Github newbie. I’m developing a Python app which I’m holding in Github. Currently a private repo but will be public soon. The app holds config data in an ini file which includes various api credentials for the web services the app uses. I want to hold the ini file with the code in Github for ease of version control but need it to be encrypted. Not talking banking level encryption here - just want to avoid unauthorised people using my test web services credentials. What is the best/most transparent way of doing this? My devt environment is MS Visual Studio 2017. I’ve seen a number of plugins that enable encryption/decryption on the fly but don’t know how good/secure they are. Any recommendations?

nakb
  • *just want to avoid unauthorised people using my test web services credentials.*: then you **are** talking about banking-level encryption. But anyway asking for tool recommendations is off-topic here. – JB Nizet Jul 01 '19 at 16:31
  • So you are not satisfied with Github's username+password authentication? Or you want to protect it from people with access to Github servers, e.g. github employees? – President James K. Polk Jul 01 '19 at 17:03
  • Possible duplicate of [git encrypt/decrypt remote repository files while push/pull](https://stackoverflow.com/questions/2456954/git-encrypt-decrypt-remote-repository-files-while-push-pull) – baruchiro Jul 01 '19 at 19:10

2 Answers

You aren't heading in the right direction.

You can't hold both your credentials and who is using them in the same repository.

In this situation, you will always have to decrypt them, and anyone else will be able to put a breakpoint after the decryption and get them. Just as you can.

Of course there is the case in which you send encrypted keys to another service that decrypts and uses them.

You have two options:

  1. Hold your credentials in environment variables.
  2. Remove your .ini file from git.

Pay attention!

Your credentials are now in the git history!

Even if you solve your problem, anyone can go back in the history and see what was checked in today, for example.

There are ways to edit strings in history or to remove a file from history. Look for solutions on the Internet.

baruchiro
  • This is just a devt environment I’m talking about. Not production. I guess the simple answer is to exclude the ini file from git syncing but that’s a bit of a pain as the ini file structure and keys evolve as I refactor the code so ideally I’d want to version control the ini file alongside the code. I thought I’d heard of VS plugins that will encrypt/decrypt on the fly during git syncs? – nakb Jul 01 '19 at 17:24
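One way to act on option 1 (credentials in environment variables) while still versioning the ini file's structure, which is what the asker wants in the comment above: commit a template ini whose secret values are `${ENV_VAR}` placeholders, and resolve those from the process environment at start-up. This is an added example, not code from the post or from anyone in this thread; the file contents, section names, keys and environment variable names below are made up for illustration.

```python
"""Keep the .ini *structure* in git, keep the *secrets* out of it.

The tracked template (think config.example.ini, a name chosen for this
example) holds placeholders of the form ${ENV_VAR}. Real values come from
the process environment at run time, so nothing secret is ever committed
and nothing ever needs to be rewritten out of the history.
"""
import configparser
import io
import os
import re

# Matches a whole-value placeholder such as ${WEATHER_API_KEY}.
PLACEHOLDER = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")

# Constructed sample of the committed template (not a real service or key).
TEMPLATE_INI = """\
[weather]
base_url = https://api.example.invalid/v1
api_key = ${WEATHER_API_KEY}

[mail]
smtp_host = smtp.example.invalid
smtp_user = ${MAIL_USER}
smtp_password = ${MAIL_PASSWORD}
"""


class MissingSecret(RuntimeError):
    """Raised when a placeholder has no value in the environment."""


def load_config(template_text: str, env=None) -> dict:
    """Parse an ini template and substitute ${VAR} placeholders from env.

    Returns {section: {key: value}}. Fails closed: a placeholder with no
    corresponding (non-empty) environment variable raises, rather than
    leaving the literal "${VAR}" string to be sent to the web service.
    """
    env = os.environ if env is None else env
    # interpolation=None: '$' is our marker, not configparser's own syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(template_text))

    resolved = {}
    missing = []
    for section in parser.sections():
        resolved[section] = {}
        for key, raw in parser.items(section):
            match = PLACEHOLDER.match(raw.strip())
            if match is None:
                resolved[section][key] = raw  # ordinary, committable setting
                continue
            var = match.group(1)
            if not env.get(var):
                missing.append(f"{section}.{key} -> ${var}")
                continue
            resolved[section][key] = env[var]
    if missing:
        raise MissingSecret("unset secrets: " + ", ".join(missing))
    return resolved


def placeholders(template_text: str) -> list:
    """List the environment variables a template expects.

    Useful for a README, and for a pre-commit check that every secret-looking
    key in the template is still a placeholder rather than a real value.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(template_text))
    names = []
    for section in parser.sections():
        for _key, raw in parser.items(section):
            match = PLACEHOLDER.match(raw.strip())
            if match:
                names.append(match.group(1))
    return names


if __name__ == "__main__":
    demo_env = {"WEATHER_API_KEY": "test-key-123",
                "MAIL_USER": "dev", "MAIL_PASSWORD": "dev-pw"}
    cfg = load_config(TEMPLATE_INI, demo_env)
    print(cfg["weather"]["api_key"])  # came from the environment, not from git
```

The template is what goes in git; the real `config.ini` (or just the exported variables) stays on each developer's machine and in `.gitignore`. When the ini structure changes during refactoring, the template changes with the code, which is the version-control benefit the asker is after, without the secrets ever touching the repository.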
You can try the git-secret tool.

baruchiro