Storing Encrypted Credentials in Git

We all know that we should not commit any passwords or keys to the repo with our code (no matter if it's public or private). Yet, thousands of production passwords can be found on GitHub (and probably thousands more in internal company repositories). Some have tried to fix that by removing the passwords (once they learned it's not a good idea to store them publicly), but passwords have remained in the git history.

Knowing what not to do is the first and very important step. But how do we store production credentials? Database credentials, system secrets (e.g. for HMACs), access keys for third-party services like payment providers or social networks. There doesn't seem to be an agreed upon solution.

I've previously argued with the 12-factor app recommendation to use environment variables - if you have a few that might be okay, but when the number of variables grows (as in any real application), it becomes impractical. And you can set environment variables via a bash script, but you'd have to store it somewhere. And, in fact, even separate environment variables should be stored somewhere.

This somewhere could be a local directory (risky), a shared storage, e.g. FTP or S3 bucket with limited access, or a separate git repository. I think I prefer the git repository as it allows versioning (note: S3 also does, but is provider-specific). So you can store all your environment-specific properties files with all their credentials and environment-specific configurations in a git repo with limited access (only Ops people). And that's not bad, as long as it's not the same repo as the source code.

Such a repo would look like this:

project
└─── production
|   |   application.properites
|   |   keystore.jks
└─── staging
|   |   application.properites
|   |   keystore.jks
└─── on-premise-client1
|   |   application.properites
|   |   keystore.jks
└─── on-premise-client2
|   |   application.properites
|   |   keystore.jks

Since many companies are using GitHub or Bitbucket for their repositories, storing production credentials on a public provider may still be risky. That's why it's a good idea to encrypt the files in the repository. A good way to do it is via git-crypt. It is "transparent" encryption because it supports diff and encryption and decryption on the fly. Once you set it up, you continue working with the repo as if it's not encrypted. There's even a fork that works on Windows.

You simply run git-crypt init (after you've put the git-crypt binary on your OS Path), which generates a key. Then you specify your .gitattributes, like:

secretfile filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
*.properties filter=git-crypt diff=git-crypt
*.jks filter=git-crypt diff=git-crypt

And you're done. Well, almost. If this is a fresh repo, everything is good. If it is an existing repo, you'd have to clean up your history which contains the unencrypted files. Following these steps will get you there, with one addition - before calling git commit, you should call git-crypt status -f so that the existing files are actually encrypted.

You're almost done. We should somehow share and backup the keys. For the sharing part, it's not a big issue to have a team of 2-3 Ops people share the same key, but you could also use the GPG option of git-crypt (as documented in the README). What's left is to backup your secret key (that's generated in the .git/git-crypt directory). You can store it (password-protected) in some other storage, be it a company shared folder, Dropbox/Google Drive, or even your email. Just make sure your computer is not the only place where it's present and that it's protected. I don't think key rotation is necessary, but you can devise some rotation procedure.

git-crypt authors claim to shine when it comes to encrypting just a few files in an otherwise public repo. And recommend looking at git-remote-gcrypt. But as there are often non-sensitive parts of environment-specific configurations, you may not want to encrypt everything. And I think it's perfectly fine to use git-crypt even in a separate repo scenario. And even though encryption is an okay approach to protect credentials in your source code repo, it's still not necessarily a good idea to have the environment configurations in the same repo. Especially given that different people/teams manage these credentials. Even in small companies, maybe not all members have production access.

The outstanding question, in this case, is how to sync the properties with code changes. Sometimes the code adds new properties that should be reflected in the environment configurations. There are two scenarios here - first, properties that could vary across environments, but can have default values (e.g. scheduled job periods), and second, properties that require explicit configuration (e.g. database credentials). The former can have the default values bundled in the code repo and therefore in the release artifact, allowing external files to override them. The latter should be announced to the people who do the deployment so that they can set the proper values.

The whole process of having versioned environment-specific configurations is actually quite simple and logical, even with the encryption added to the picture. And I think it's a good security practice we should try to follow.