0

I'm looking for a way to prevent API keys and such from winding up in a public repo (where it's hosted doesn't actually matter).

So I understand that the common solution is to add the file containing the api keys to .gitignore so that it basically never gets committed to the repo.

The thing is I'd rather commit the file but replace the key itself with 'YOUR API KEY HERE' sort of text in its place.

I've found this answer suggesting to use git filter-branch, but it seems to be really hit or miss and not really recommended.

Is there any other way to achieve this? Any way to ensure git filter-branch will actually work? Any way to do it retroactively? Should it be done after git add or before it?

2 Answers

0

What you're suggesting is the reasonable way to do it: create a template file with the configuration file and filler or placeholder data, and then copy it into the place you want it, which is listed in .gitignore. If you like, you can actually have a script that generates the file and provide the API key as a command-line argument or from the environment.

The other way to do this is to just always import configuration from the environment and never write the configuration to disk at all. In many environments, this can be done using an encrypted secret store like Vault, but there are other options as well.

Both of these approaches never commit the secrets at all so you don't have to worry about them ever ending up in the codebase. If they are already in the codebase, then you'll need to use git filter-branch or a similar tool to filter them out, or just rotate them and assume the old values are compromised (which you should probably assume in the first place).

bk2204
  • 64,793
  • 6
  • 84
  • 100
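The template-plus-script workflow from the answer above, as an added shell example (this is not bk2204's code). The file names, the placeholder text and the `API_KEY` environment variable are all assumptions chosen for the example: `config.template.json` is the committed template, `config.json` is the ignored rendered copy. The demo function builds a throwaway repository and uses `git check-ignore` and `git status` to confirm that the file holding the real key is invisible to git, which is the check worth running before any `git add .`.

```sh
#!/bin/sh
# Added example, not bk2204's code: template file + .gitignore + render-from-environment.
# Assumed (chosen for this example): config.template.json is committed, config.json is ignored,
# the placeholder is YOUR_API_KEY_HERE and the real key arrives in the API_KEY environment variable.
set -eu

PLACEHOLDER='YOUR_API_KEY_HERE'

# Write the ignored config by substituting the placeholder in the committed template.
# Refuses to run when API_KEY is unset, so a placeholder never silently reaches a running service.
# (sed uses '|' as its delimiter; a key containing '|' or '&' would need escaping.)
render_config() {
    template="$1"
    out="$2"
    [ -n "${API_KEY:-}" ] || { echo "API_KEY is not set; refusing to render $out" >&2; return 1; }
    sed "s|$PLACEHOLDER|$API_KEY|g" "$template" > "$out"
}

# 0 when the file still carries the placeholder (safe to commit), 1 when it does not.
template_is_clean() {
    grep -q "$PLACEHOLDER" "$1"
}

# 0 when git would ignore the path, so `git add .` cannot stage it; 1 otherwise.
is_ignored() {
    git check-ignore -q -- "$1"
}

# End-to-end demo in a throwaway repository (needs git on PATH).
demo() {
    work=$(mktemp -d)
    (
        cd "$work"
        git init -q .
        printf '{"api_key": "%s"}\n' "$PLACEHOLDER" > config.template.json
        echo 'config.json' > .gitignore
        git add .gitignore config.template.json
        git -c user.name=demo -c user.email=demo@example.invalid commit -q -m 'add config template'
        export API_KEY='constructed-sample-key-123'   # constructed value, not a real credential
        render_config config.template.json config.json
        is_ignored config.json && echo 'config.json is ignored'
        # Nothing to commit: the rendered file holding the key is invisible to git.
        [ -z "$(git status --porcelain)" ] && echo 'working tree clean after rendering'
    )
    rm -rf "$work"
}

if command -v git >/dev/null 2>&1; then
    demo
fi
```

Because `render_config` fails closed when `API_KEY` is missing, a deployment that forgets to set the variable stops instead of running with `YOUR_API_KEY_HERE` baked in; `template_is_clean` is the complementary pre-commit check that the committed template still holds only the placeholder.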
0

Have you read about .git/info/exclude? It's described on the same manpage as gitignore, and essentially allows you to specify patterns locally at the repo level that you don't want to be seen by Git. The pattern syntax here is the same as in .gitignore.

This would allow you to initially commit your placeholder config file, then you'd modify .git/info/exclude locally. You'd then be safe to put actual API keys in that file - when you do this, run git status to confirm that your config file changes are excluded.

There's another Q&A about this here.

jidicula
  • 3,454
  • 1
  • 17
  • 38
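The `git status` check this answer recommends, run as an added shell example (not jidicula's code) in a throwaway repository: the placeholder `config.json` (an assumed name) is committed, the path is appended to `.git/info/exclude`, and a constructed sample key is written into the working copy. One caveat a practitioner should know before relying on this: exclude patterns, exactly like `.gitignore`, apply only to untracked paths, so the already committed placeholder file still shows up as modified. The second function shows `git update-index --skip-worktree`, a different mechanism added here for comparison, which is the per-path switch git provides for suppressing local changes to a tracked file.

```sh
#!/bin/sh
# Added example, not jidicula's code. Builds a throwaway repo, commits a placeholder config,
# lists it in .git/info/exclude, writes a constructed sample key into the working copy and runs
# the `git status` check from the answer. Assumed file name: config.json.
set -eu

# Create a repo with config.json committed as a placeholder; print the repo path.
make_repo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        git init -q .
        printf '{"api_key": "YOUR_API_KEY_HERE"}\n' > config.json
        git add config.json
        git -c user.name=demo -c user.email=demo@example.invalid commit -q -m 'placeholder config'
    )
    echo "$dir"
}

# Porcelain status of config.json after excluding it via .git/info/exclude and editing it.
# Exclude patterns, like .gitignore, only apply to untracked paths, so the tracked placeholder
# file is still reported as modified (" M config.json"): a later `git add .` would stage the key.
status_after_exclude() {
    dir=$(make_repo)
    (
        cd "$dir"
        echo 'config.json' >> .git/info/exclude
        printf '{"api_key": "constructed-sample-key"}\n' > config.json   # constructed, not a real key
        git status --porcelain -- config.json
    )
    rm -rf "$dir"
}

# Same edit, but with the skip-worktree bit set on the tracked path instead of an exclude entry:
# git then treats the index copy as up to date and reports nothing for that file.
status_after_skip_worktree() {
    dir=$(make_repo)
    (
        cd "$dir"
        git update-index --skip-worktree config.json
        printf '{"api_key": "constructed-sample-key"}\n' > config.json   # constructed, not a real key
        git status --porcelain -- config.json
    )
    rm -rf "$dir"
}

if command -v git >/dev/null 2>&1; then
    echo "exclude only:  '$(status_after_exclude)'"
    echo "skip-worktree: '$(status_after_skip_worktree)'"
fi
```

Whichever mechanism is used, the output of `git status --porcelain -- config.json` being empty is the thing to verify; an `M` in that output means the next broad `git add` would stage the key.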