Age To Encrypt Secrets
By Sudheer S
Are you storing secrets such as database credentials, API keys, etc. unencrypted in Git repositories? Stop.
To protect your secrets, do not store them anywhere unencrypted, and especially not in Git repositories. Ideally, your organization has a vault solution where secrets are stored and shared with people on a need-to-know basis. In many small organizations such a central secrets management solution is still a luxury, so secrets end up in Git repositories anyway. There are a few ways to encrypt secrets before committing them; we discussed Ansible Vault in a previous blog post.
In this post, we will discuss a technique to secure secrets in Git repositories using a tool called age.
Install Age
On Debian or Ubuntu:
sudo apt install age
On Fedora:
sudo dnf install age
Generate A Key Pair
age-keygen -o key.txt
This will print something like:
Public key: age1fy42vpq9uh4r7st8px0cjh5tps0vy3ks9rak7tsxcfsn4tszdujs7f2295
The command also creates the file key.txt, which holds the private key (the identity, a line starting with AGE-SECRET-KEY-1) together with the public key in a comment. The public key is safe to share; key.txt is not. Back it up and keep it out of the repository: anyone holding it can decrypt every secret encrypted to this public key, and you will need it to decrypt secrets later.
Create a sample INI config file called my-config.ini with the following content:
db_pass=mysecretpassword
This is an INI file containing the database password, stored as a plain unencrypted text file.
Encrypt The File Using Age
age -r age1fy42vpq9uh4r7st8px0cjh5tps0vy3ks9rak7tsxcfsn4tszdujs7f2295 my-config.ini > my-config-encrypted.ini
The command encrypts my-config.ini to the recipient public key given with -r and writes the encrypted output to my-config-encrypted.ini. Inspect the contents of the encrypted file: by default age produces a binary file, so if you want ASCII output that diffs cleanly in Git, add the -a (--armor) flag.
Decrypt The File Using Age
age --decrypt -i key.txt my-config-encrypted.ini > my-config-unencrypted.ini
The command uses the private key in key.txt (-i) to decrypt the file. Inspect the contents of my-config-unencrypted.ini; you should see the original file contents.
In the Git repository, never commit and push the unencrypted file: encrypt it with age first and commit only the encrypted copy. Add the paths of the unencrypted secret files, and key.txt itself, to .gitignore. Keep in mind that .gitignore only stops accidental git add; it does not remove a secret that was already committed. If a plaintext secret ever reached the repository history, treat it as compromised and rotate it.
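The whole workflow above, plus the guard a practitioner would want on top of .gitignore, as an added example that is not part of the original post: a small shell script with an encrypt/decrypt round trip through age and a pre-commit check that refuses to commit a plaintext .ini file, the key.txt identity, or an "-encrypted.ini" file that does not actually carry an age header. The file naming convention (plaintext *.ini, encrypted *-encrypted.ini, identity in key.txt) and the script name secrets.sh are assumptions for illustration. The header check relies on the documented age formats: a binary age file begins with the line age-encryption.org/v1 and an armored one with -----BEGIN AGE ENCRYPTED FILE-----.

```shell
#!/bin/sh
# secrets.sh: age workflow helpers and a pre-commit guard (added example, not the
# post's own code). Assumed layout: plaintext secrets end in .ini, encrypted copies
# end in -encrypted.ini, and key.txt is the private age identity kept off the repo.

# Both age output formats start with a fixed first line, which lets us tell an
# encrypted file from plaintext without calling age at all.
is_age_encrypted() {
    [ -f "$1" ] || return 1
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        "age-encryption.org/v1"|"-----BEGIN AGE ENCRYPTED FILE-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Paths that must never be committed in the clear (assumed naming convention).
is_forbidden_plaintext() {
    case "$1" in
        *-encrypted.ini) return 1 ;;    # encrypted copies are allowed
        key.txt|*/key.txt) return 0 ;;  # the private identity never goes in
        *.ini) return 0 ;;              # any other .ini is plaintext config
        *) return 1 ;;
    esac
}

# Decide whether one path may be committed: prints a reason, returns 0 (allow)
# or 1 (block). An "-encrypted.ini" file must really carry an age header, so a
# plaintext file renamed to look encrypted is still rejected.
check_commit_path() {
    path=$1
    if is_forbidden_plaintext "$path"; then
        echo "blocked: $path is a plaintext secret or the private key"
        return 1
    fi
    case "$path" in
        *-encrypted.ini)
            if ! is_age_encrypted "$path"; then
                echo "blocked: $path is named as encrypted but has no age header"
                return 1
            fi ;;
    esac
    echo "ok: $path"
    return 0
}

# Pre-commit hook body: check every staged (added/copied/modified/renamed) file.
# Call this from .git/hooks/pre-commit; a non-zero return aborts the commit.
pre_commit_check() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=ACMR); do
        check_commit_path "$f" || rc=1
    done
    return $rc
}

# Round trip from the post: generate an identity, encrypt to its public key
# (-r), decrypt with the identity file (-i), and confirm the plaintext matches.
# -a writes ASCII armor so the encrypted copy diffs cleanly in Git.
round_trip_demo() {
    command -v age >/dev/null 2>&1 || { echo "age not installed; skipping demo"; return 0; }
    work=$(mktemp -d)
    age-keygen -o "$work/key.txt" 2>/dev/null
    pub=$(age-keygen -y "$work/key.txt")          # derive the public key from key.txt
    printf 'db_pass=mysecretpassword\n' > "$work/my-config.ini"
    age -r "$pub" -a -o "$work/my-config-encrypted.ini" "$work/my-config.ini"
    age -d -i "$work/key.txt" -o "$work/my-config-unencrypted.ini" "$work/my-config-encrypted.ini"
    cmp "$work/my-config.ini" "$work/my-config-unencrypted.ini" && echo "round trip ok"
    is_age_encrypted "$work/my-config-encrypted.ini" && echo "encrypted copy has an age header"
    check_commit_path "$work/my-config.ini" || true   # demonstrates the guard blocking plaintext
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    round_trip_demo
fi
```

Run sh secrets.sh demo to see the round trip; to install the guard, source the script from .git/hooks/pre-commit and call pre_commit_check. The hook is a local safety net only: it protects against mistakes on a developer's machine, not against git add -f or a hook that was never installed, so the rotation rule above still applies if plaintext ever reaches the history.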