Skip to main content

A tool for managing secrets in Git with AWS Parameter Store integration.

Project description

git-secret-protector

git-secret-protector is a Python-based CLI tool designed to securely manage and protect sensitive files in your Git repositories. It integrates with Cloud Secret Storage Services to encrypt and decrypt secrets, ensuring that your sensitive data remains secure throughout your development process.

Features

  • AES Key Management: Securely create, manage, and rotate AES data keys using Cloud Secret Storage Services such as AWS Parameter Store, Google Cloud Secret Manager.
  • File Encryption/Decryption: Automatically encrypt and decrypt files in your repository based on patterns defined in the .gitattributes file.
  • Cache Management: Cache AES data keys locally to improve performance and reduce redundant calls to Cloud Services.

Install Guide

Requirements

You can install the git-secret-protector module via pipx:

pipx install git-secret-protector

Usage

1. Initial Setup for Repositories Owners

1.1. Create .gitattributes file

Create a .gitattributes file in the root of your repository to define which files should be encrypted.

Sample .gitattributes file:

dev/secrets* filter=sample-app-dev diff=sample-app-dev

prod/secrets* filter=sample-app-prod diff=sample-app-prod

.gitattributes !filter !diff

1.2. Configure Git Filters

Set up the Git clean and smudge filters base on the filters defined in the .gitattributes file.

git-secret-protector setup-filters

This command will configure the Git clean and smudge filters based on the patterns defined in the .gitattributes file. The filters will automatically encrypt and decrypt files based on the specified patterns.

1.3. Configuration

The config.ini file contains settings that customize the behavior of the git-secret-protector module. The file should be located in the module's directory (by default: .git_secret_protector/config.ini) and can be used to override the default values set in the code.

  • Sample config.ini

    [DEFAULT]
    module_name = git-secret-protector
    log_file = /path/to/log/git_secret_protector.log
    log_level = INFO
    log_max_size = 1048576
    log_backup_count = 3
    magic_header = ENCRYPTED
    storage_type = AWS_SSM
    
  • Configuration Parameters

    • module_name: Name of the module.
    • log_file: Path to the log file.
    • log_level: Log level (DEBUG, INFO, WARNING, ERROR, CRITICAL).
    • log_max_size: Maximum size of the log file in bytes.
    • log_backup_count: Number of log files to keep.
    • magic_header: Magic header to identify encrypted files.
    • storage_type: Cloud Secret Storage Service to use (AWS_SSM, GCP_SECRET_MANAGER).
      • AWS_SSM (default): AWS Parameter Store
      • GCP_SECRET: Google Cloud Secret Manager

1.4. Set up AES key

Before executing this command, ensure you have the necessary permissions to manage resources in the using Cloud Secret Storage Services.

git-secret-protector setup-aes-key <filter_name>

Sample command to set up an AES key for the sample-app-dev filter:

git-secret-protector setup-aes-key sample-app-dev

2. Installation Steps for Team Members

2.1. Pull AES Key and IV

Before encrypting or decrypting files, it's necessary to retrieve the relevant AES keys from the Cloud Secret Storage Service for filters:

git-secret-protector pull-aes-key <filter_name>

This command fetches the latest AES data key and IV from the Cloud Secret Storage Service for the designated filter and caches them locally for subsequent operations. This step ensures that you have the correct keys for encryption or decryption tasks related to the specified filter.

2.2. Configure Git Filters

Set up the Git clean and smudge filters base on the filters defined in the .gitattributes file.

git-secret-protector setup-filters

2.2. Decrypt secret files

To decrypt secret files, you can use the following command:

git-secret-protector decrypt-files <filter_name>

3. Additional Commands

3.1. View Encryption Status

Command to obtain a comprehensive overview of the encryption status of files within the repository:

git-secret-protector status

3.2. Key Rotation

In case you need to rotate the AES key due to security reasons or a team member leaving the project, you can rotate the keys using the following command:

  • Command to Rotate Keys

    git-secret-protector rotate-key <filter_name>
    
  • This command will execute the following steps:

    • Generate a new AES data key in AWS Parameter Store
    • Re-encrypt your files associated with the specified filter with the new key
    • Update the local cache.
  • Post-Rotation Code Reset:

    After rotating the keys, it is necessary to clear the Git cache and re-checkout all files. This step ensures that the smudge filters are triggered, allowing the files to be decrypted with the new key.

    # Remove all files from the index to clear the Git cache
    git rm --cached -r .
    
    # Force Git to re-checkout all files, triggering smudge filters
    git reset --hard
    

4. Logging

Logs are stored in the logs/ directory by default, and you can configure the log level and file rotation in the config.ini file.

Development

Running Tests

  • Unit Tests: Located in the tests/unit directory, run them using pytest.

    poetry run pytest tests/unit
    
  • Integration Tests: Located in the tests/integration directory, these tests interact with Secret Store in cloud and should be run manually.

    poetry run pytest tests/integration
    

Changelog

See CHANGELOG.md for a history of changes and updates.

Support

If you encounter any issues or have any questions, please open an issue on the GitHub repository or reach out to our support team.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

git_secret_protector-1.0.2.tar.gz (15.1 kB view details)

Uploaded Source

Built Distribution

git_secret_protector-1.0.2-py3-none-any.whl (20.5 kB view details)

Uploaded Python 3

File details

Details for the file git_secret_protector-1.0.2.tar.gz.

File metadata

  • Download URL: git_secret_protector-1.0.2.tar.gz
  • Upload date:
  • Size: 15.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for git_secret_protector-1.0.2.tar.gz
Algorithm Hash digest
SHA256 16da40185f24324fb502289a6a3f2ddbaa252819fb2fed26055e58ae1fe18c1e
MD5 60cd81f1bdc9156be4ef79cee477b38f
BLAKE2b-256 dcb179d504bf6760c98799658a448e23fde6f980a4f0d9986746d81b7cd1a6ac

See more details on using hashes here.

File details

Details for the file git_secret_protector-1.0.2-py3-none-any.whl.

File metadata

File hashes

Hashes for git_secret_protector-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 d5eab55411458810ea6dc2e561c8a11fa1298c0d82c6adf31f9588afada199b0
MD5 aa8055ba26478df736a1c70c4b22ecff
BLAKE2b-256 3abf494cdfa77ddf89615af2cf46b1497eb124137e427df79e9f7442731e92eb

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page