Protect Your Security Keys Using git-secret

Development teams, especially those working remotely or spread across several company locations, run into a problem when they need sensitive files that everyone on the team uses, but committing those files to the project repo in plaintext is a risk. A common case on embedded projects is the public/private key pairs used for signing and encryption. A small command-line tool, git-secret, removes the hassle by letting the team hide (encrypt) and reveal (decrypt) those files with GPG, so that development stays efficient without the secrets ever being committed in the clear.

The Case for Keys

The need for encryption, and for the private/public key pairs that come with it, has grown with the uptake of connected devices. Other secret files (provisioning credentials, signing keys, test certificates) are also handy to have right in the project repo. Past incidents have shown that a private repo on GitHub or GitLab is not a safe place for plaintext secrets: a leaked token or a compromised account exposes everything inside it. So how can teams balance ease of development and security? That is where git-secret comes in.

Using git-secret

The tool can be built from source or installed from distribution packages on Linux; on a Mac it is a single Homebrew command:

brew install git-secret

Windows users can get all of the same functionality by using the Windows Subsystem for Linux.

Setting Up the Project and Team

git-secret can be added to an existing project repo or brought in right at the start. The person setting up the repo needs their own GPG key pair once git-secret is installed. With that done, the git-secret store is created inside the project repository with git secret init. That command creates the .gitsecret/ folder. Everything in it can be checked into the repo except .gitsecret/keys/random_seed, which must be listed in .gitignore. The first user is then added to the git-secret keyring by running:

git secret tell user@email.com

where user@email.com is the email address attached to your GPG key pair.

To add other project members to the git-secret keyring, have each of them create their own GPG key pair and send you an export of their public key. Import that public key into your own GPG keyring with:

gpg --import KEY_NAME.txt

Now that individual may be added to the git-secret repo by running:

git secret tell person@email.com

where person@email.com is the email address they created their key pair with. Although this is described as if there were a single git-secret czar for the project, anybody who already has access can add others and themselves to the keyring, so there is no problem if the person who did the initial setup wins the lottery and is never seen again. Two things follow from that. First, git secret tell only records a public key; files that were hidden earlier stay encrypted to the previous set of recipients until someone who can decrypt them runs git secret hide again, so a newly added key cannot read anything on its own. Second, anyone with write access to the repo can commit a key into the keyring, and the next legitimate re-hide would then encrypt the secrets to it. To close that gap, add a server-side policy in the repo's pre-receive hook that rejects any push touching .gitsecret/keys/ unless it comes from an approved maintainer. Removing a person later (git secret removeperson, then git secret hide) stops future secrets from reaching them, but it does not un-share anything they already decrypted; rotate those keys.
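The following pre-receive hook is an added illustration of the server-side policy described above; it is not part of git-secret and not from the original post. It assumes the hosting server exposes the pusher's login in an environment variable (the hypothetical PUSHER, falling back to GitLab's GL_USERNAME) and takes the allow list from a hypothetical SECRET_ADMINS variable. The decision logic is kept in a pure function so it can be exercised without a repository; the sample paths used when testing it are constructed.

```shell
#!/bin/sh
# pre-receive hook: reject pushes that modify the git-secret keyring unless the
# pusher is on the allow list. Added example, not part of git-secret.
#
# Assumptions (hypothetical): PUSHER (or GL_USERNAME) carries the pusher's login
# and SECRET_ADMINS is a space-separated list of approved maintainers.

KEYRING_DIR=".gitsecret/keys/"
: "${PUSHER:=${GL_USERNAME:-unknown}}"
: "${SECRET_ADMINS:=alice bob}"

# is_admin USER ALLOWLIST -> 0 when USER appears in the space-separated ALLOWLIST
is_admin() {
    user=$1; list=$2
    for admin in $list; do
        [ "$admin" = "$user" ] && return 0
    done
    return 1
}

# keyring_change_allowed USER ALLOWLIST PATHS
# PATHS is a newline-separated list of changed files. Returns 0 (allow) when no
# file under the keyring directory changed, or when USER is an admin; 1 otherwise.
keyring_change_allowed() {
    user=$1; list=$2; paths=$3
    touched=0
    while IFS= read -r p; do
        case $p in "$KEYRING_DIR"*) touched=1 ;; esac
    done <<EOF
$paths
EOF
    [ "$touched" -eq 0 ] && return 0
    is_admin "$user" "$list"
}

# Hook entry point: git feeds "<old-sha> <new-sha> <refname>" lines on stdin.
run_hook() {
    status=0
    zero="0000000000000000000000000000000000000000"
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$zero" ] && continue   # ref deletion: nothing to inspect
        if [ "$oldrev" = "$zero" ]; then
            # brand-new ref: look at the files in its tip commit
            changed=$(git diff-tree --no-commit-id --name-only -r "$newrev")
        else
            changed=$(git diff --name-only "$oldrev" "$newrev")
        fi
        if ! keyring_change_allowed "$PUSHER" "$SECRET_ADMINS" "$changed"; then
            echo "rejected: $PUSHER may not modify $KEYRING_DIR (ref $refname)" >&2
            status=1
        fi
    done
    return $status
}

# Run the hook only when git invokes this file as hooks/pre-receive; sourcing
# it elsewhere just defines the functions.
if [ "${0##*/}" = "pre-receive" ]; then
    run_hook
    exit $?
fi
```

Install it as hooks/pre-receive in the bare repository on the server (or the equivalent hook mechanism of your hosting platform), make it executable, and set SECRET_ADMINS in the hook's environment. Because the check runs on the server, a developer cannot bypass it the way they could a client-side hook.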

Adding Secret Files to the Project Repo

Once the project and team members are set up, adding and hiding secret files takes three commands. First, every secret file must be listed in .gitignore. This keeps the plaintext from ever being committed by accident, and git-secret refuses to add a file that is not ignored. Second, run:

git secret add <filename(s)...>

to register the files with git-secret (the paths are recorded in .gitsecret/paths/mapping.cfg).

The newly added files can then be hidden with:

git secret hide

This encrypts each registered file to every public key in the keyring and writes the ciphertext beside it as <filename>.secret; the plaintext stays on disk unless you pass -d to delete it. The .secret files can then be committed to the project repo safely. Users who have been added to the keyring can decrypt them after pulling with:

git secret reveal

If a user's GPG key is protected by a passphrase, they will be prompted for it when they run reveal. With that complete, the secret files are ready to use. Note that for key files the build depends on, simply cloning or pulling the repo is not enough, because the files are still encrypted; the project only builds once git secret reveal has been run.
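The whole procedure, from a fresh repo through init, tell, add, hide and reveal, as an added walkthrough script that is not from the original post. It assumes git, gpg 2.1 or later and git-secret are installed, generates a throwaway passphrase-less GPG key so it can run unattended, and uses a constructed file named device.pem with made-up contents in place of a real device key. The ensure_ignored helper and the demo@example.com identity are this example's own.

```shell
#!/bin/sh
# git-secret end-to-end walkthrough (added example, not from the original post).
# Assumes git, gpg >= 2.1 and git-secret on PATH. Everything is created in a
# temporary directory and removed afterwards.
set -eu

# ensure_ignored ENTRY GITIGNORE: append ENTRY to GITIGNORE exactly once.
# git-secret refuses to add a file that is not ignored, and the keyring's
# random_seed must never be committed either.
ensure_ignored() {
    entry=$1; file=$2
    touch "$file"
    grep -qxF "$entry" "$file" || printf '%s\n' "$entry" >>"$file"
}

# run_demo: runs the full workflow in a subshell and prints "ok" on success.
run_demo() (
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    email="demo@example.com"   # constructed identity for the throwaway key

    # 1. Throwaway GPG key with an empty passphrase (never do this for real keys).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo <$email>" default default never

    # 2. Repo and keyring setup: git secret init creates .gitsecret/.
    mkdir "$work/repo" && cd "$work/repo"
    git init -q
    git secret init >/dev/null
    ensure_ignored ".gitsecret/keys/random_seed" .gitignore
    git secret tell "$email"

    # 3. Register and hide a constructed "private key" (contents are fake).
    printf 'FAKE-PRIVATE-KEY-0123456789\n' >device.pem
    ensure_ignored "device.pem" .gitignore
    git secret add device.pem
    git secret hide
    [ -f device.pem.secret ] || { echo "hide produced no device.pem.secret" >&2; return 1; }

    # 4. Only the ciphertext and the keyring are committed; plaintext must be ignored.
    git add .gitignore .gitsecret device.pem.secret
    git -c user.name=demo -c user.email="$email" commit -qm "add encrypted device key"
    git check-ignore -q device.pem || { echo "device.pem is not ignored" >&2; return 1; }

    # 5. Simulate a fresh checkout: drop the plaintext and reveal it from the .secret file.
    rm device.pem
    git secret reveal -f >/dev/null
    [ "$(cat device.pem)" = "FAKE-PRIVATE-KEY-0123456789" ] || { echo "reveal mismatch" >&2; return 1; }

    cd / && rm -rf "$work"
    echo ok
)

if command -v git-secret >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "git-secret and gpg are required to run the demo; skipping" >&2
fi
```

Step 4 is the check worth keeping in your own CI: git check-ignore confirms the plaintext can never be staged, and a listing of the commit should show only the .secret file and the .gitsecret/ metadata. A new team member added with git secret tell only sees their first secret after someone who already holds access repeats step 3's git secret hide.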

Conclusion

git-secret is one of the great command-line tools out there to make embedded development smoother with distributed team members. Needing encryption keys and other secret files for an embedded project is commonplace, so having a tool like git-secret to quickly add and encrypt those files is…key. 😉 More documentation, additional features, and some examples of GPG key usage can be found at git-secret.io. Happy developing!

And if you have questions about an embedded project you’re working on, Dojo Five can help you with all aspects of your devops for embedded journey! We are always happy to hear about cool projects or interesting problems to solve, so don’t hesitate to reach out and chat with us on LinkedIn or through email!
