Protect Your Security Keys Using git-secret

Development teams, especially those working remotely or spread across different company locations, run into a problem when they need to share sensitive files with the whole team but placing those files inside the project repo in the clear poses a risk. One common scenario with embedded devices is the public/private key pairs used for encryption schemes. A simple command-line tool, git-secret, removes the hassle by letting teams hide and reveal their important files using GPG encryption, so development stays both efficient and safe.

The Case for Keys

The need for encryption and the private/public key sets that come with it has increased with the uptake of connected devices. Other secret files that can help the development team might also be really handy to have right in the project repo. Previous news stories have shown that even though teams might host private repos on Github or GitLab, the files within may not be safe from hackers and other bad agents. So how can teams balance ease of development and security? That’s where git-secret comes in.

Using git-secret

This command-line tool can be installed manually or via packages for Linux, and on Mac it’s as simple as a Homebrew installation:

brew install git-secret

Windows users can get all of the same functionality by using the Windows Subsystem for Linux.

Setting Up the Project and Team

git-secret can be added to an existing project repo or brought in right at the start. The individual setting up the project repo just needs their own GPG RSA key-pair, created once git-secret is installed. With that done, the git-secret repo can be generated inside the project repository with git secret init. Running that command creates the .gitsecret/ folder. All contents of this folder can be checked into the repo except random_seed, which should be listed in the .gitignore file. Then the first user may be added to the git-secret keyring by running:

git secret tell your-email@example.com

where your-email@example.com is the email used to generate your GPG RSA key-pair.

To add others from the project to the git-secret keyring, have them first create their own GPG RSA key-pair and send you their public key file. Import that public key to your own GPG setup with:

gpg --import KEY_NAME.txt

Now that individual may be added to the git-secret repo by running:

git secret tell their-email@example.com

where their-email@example.com is the email which they created their key-pair with. Though this is being described as if there were one git-secret czar for the project, it should be noted that anybody can add others and themselves to the secret repo for a project. This way there are no worries if the person who does the initial project setup wins the lottery and is never seen again! It does pose a security risk that anybody can add themselves to the secret repo, so to avoid this a server-side security policy can be put in place with the pre-receive hook for the repo. This removes the risk of somebody gaining access to a private repo and adding unexpected keys to the secrets keyring.
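The server-side policy mentioned above, worked through as an added example (this is not git-secret's own code, nor from the original post): a pre-receive hook that refuses any push touching the git-secret keyring under .gitsecret/keys/ unless the pushing user is on an allowlist. It assumes the hosting server exports the pusher's name in an environment variable (GL_USERNAME, as GitLab server hooks do; adapt the name for your host), that the allowlist is supplied as a space-separated KEYRING_ADMINS variable (the default of "alice bob" here is a constructed sample), and that the script is installed as hooks/pre-receive in the bare repository.

```shell
#!/bin/sh
# Added example: pre-receive hook guarding the git-secret keyring directory.
# Not part of git-secret. Assumptions: the host exports the pusher's username
# as GL_USERNAME (GitLab convention; adjust for your platform) and the
# allowlist comes from KEYRING_ADMINS. "alice bob" is a constructed sample.

KEYRING_ADMINS="${KEYRING_ADMINS:-alice bob}"
ZERO=0000000000000000000000000000000000000000

# is_admin USER : succeed if USER may modify the keyring.
is_admin() {
  for u in $KEYRING_ADMINS; do
    [ "$u" = "$1" ] && return 0
  done
  return 1
}

# touches_keyring : read changed paths on stdin; succeed if any lies under
# .gitsecret/keys/. Blank lines (git log --pretty=format: emits some) are ignored.
touches_keyring() {
  while IFS= read -r path; do
    case "$path" in
      .gitsecret/keys/*) return 0 ;;
    esac
  done
  return 1
}

# decide USER : read changed paths on stdin; print accept or reject and
# return 0 or 1 accordingly. Pure function, so it can be tested without git.
decide() {
  if touches_keyring; then
    if is_admin "$1"; then
      echo accept
      return 0
    fi
    echo "reject: $1 is not allowed to change .gitsecret/keys" >&2
    echo reject
    return 1
  fi
  echo accept
  return 0
}

# hook_main : the real hook body. git feeds "old new ref" lines on stdin; the
# files touched by the pushed commits are those reachable from new but from
# no ref that already exists on the server.
hook_main() {
  user=${GL_USERNAME:-unknown}
  while read -r old new ref; do
    [ "$new" = "$ZERO" ] && continue   # branch deletion: nothing to inspect
    git log --name-only --pretty=format: "$new" --not --all \
      | decide "$user" >/dev/null || exit 1
  done
}

# Run the hook body only when installed under the hook's name; sourcing the
# file elsewhere just defines the functions.
if [ "${0##*/}" = pre-receive ]; then hook_main; fi
```

Because the keyring is an ordinary set of files in the repo, a collaborator who can push can also run git secret tell for themselves; rejecting those pushes on the server is what turns "anybody can add a key" into "only keyring admins can add a key". Keep the allowlist small and review the .gitsecret/keys/ history after any accepted change.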

Adding Secret Files to the Project Repo

Adding and hiding your secret files only takes three commands once the project and team members are set up. First, all of the secret files must be added to .gitignore. This prevents the plaintext files from being checked in accidentally, and git-secret will refuse to add a file that is not ignored. Second, run:

git secret add <filename(s)...>

to add the files to the secret repository.

The newly added files can then be hidden with:

git secret hide

With that complete, the newly added and encrypted files can be committed to the project repo safely. Users pulling them down who have been added to the secret repository can decrypt them with:

git secret reveal

If users created their GPG key-pairs using a password, they will be prompted to enter it upon using the reveal command. With that complete, the secret files are ready to use! Users will notice in the case of key files required to compile a project, that simply pulling the repo down will not work as those secret files are still encrypted. The project will only build once the reveal command has been executed.
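The add, hide and reveal steps above, wrapped in a few POSIX-sh helpers as an added example (not git-secret's own code and not from the original post). The wrappers that call git secret need git, gpg and git-secret installed; the check functions need only a shell and grep, and the sample .gitignore, mapping and staged-file contents at the bottom are constructed. It assumes that .gitsecret/paths/mapping.cfg lists one tracked path per line, optionally followed by a colon and a content hash, which is how recent git-secret versions write it; the hypothetical precommit_guard function uses that to stop a tracked secret from being committed in plaintext if someone later drops it from .gitignore.

```shell
#!/bin/sh
# Added example around the git-secret workflow: .gitignore checks, a
# pre-commit guard, and thin wrappers for add/hide/reveal. Not part of
# git-secret. Sample data below is constructed.

SEED_PATH='.gitsecret/keys/random_seed'   # must never be committed

# ensure_ignored IGNORE_CONTENT PATH... : succeed only if every PATH appears
# as an exact line in the .gitignore content. Deliberately strict: a glob such
# as "*.pem" would also cover the file, but an explicit line is unambiguous.
ensure_ignored() {
  content=$1; shift
  missing=0
  for p in "$@"; do
    if ! printf '%s\n' "$content" | grep -qxF -- "$p"; then
      echo "not in .gitignore: $p" >&2
      missing=1
    fi
  done
  return $missing
}

# tracked_paths MAPPING_CONTENT : print the plaintext paths git-secret tracks.
# Assumption: one path per line, optionally followed by ':' and a hex hash.
tracked_paths() {
  printf '%s\n' "$1" | sed -e '/^[[:space:]]*$/d' -e 's/:[^:]*$//'
}

# staged_plaintext MAPPING_CONTENT STAGED_CONTENT : print every tracked secret
# that is staged in plaintext. The encrypted copy carries a .secret suffix and
# is not matched, so committing it is fine.
staged_plaintext() {
  tracked_paths "$1" | while IFS= read -r p; do
    if printf '%s\n' "$2" | grep -qxF -- "$p"; then printf '%s\n' "$p"; fi
  done
}

# precommit_guard : hypothetical body for .git/hooks/pre-commit. Reads the
# real mapping.cfg and the staged list from git; fails the commit if a secret
# is staged in plaintext or the random seed is not ignored.
precommit_guard() {
  mapping=$(cat .gitsecret/paths/mapping.cfg 2>/dev/null) || return 0
  staged=$(git diff --cached --name-only)
  bad=$(staged_plaintext "$mapping" "$staged")
  if [ -n "$bad" ]; then
    echo "refusing commit, plaintext secret(s) staged:" >&2
    printf '%s\n' "$bad" >&2
    return 1
  fi
  ensure_ignored "$(cat .gitignore 2>/dev/null)" "$SEED_PATH"
}

# hide_secrets FILE... : the add-then-hide step. git-secret checks .gitignore
# itself, but checking first gives one clear message per missing entry.
hide_secrets() {
  ensure_ignored "$(cat .gitignore 2>/dev/null)" "$SEED_PATH" "$@" || return 1
  git secret add "$@" && git secret hide
}

# reveal_secrets : decrypt for a keyring member. A build that needs the key
# files must run this first, since a fresh clone holds only the *.secret copies.
reveal_secrets() {
  git secret reveal
}

# Constructed sample data so the checks can be exercised without a repository.
SAMPLE_MAPPING='keys/device_private.pem:0f0f
config/prod.env'
SAMPLE_STAGED='src/main.c
keys/device_private.pem
keys/device_private.pem.secret'
SAMPLE_IGNORE='.gitsecret/keys/random_seed
keys/device_private.pem
config/prod.env'

demo() {
  staged_plaintext "$SAMPLE_MAPPING" "$SAMPLE_STAGED"   # keys/device_private.pem
  if ensure_ignored "$SAMPLE_IGNORE" "$SEED_PATH" keys/device_private.pem; then
    echo 'ignore check ok'
  fi
}
demo
```

Install by sourcing the file from .git/hooks/pre-commit and calling precommit_guard; the guard is client-side only, so pair it with the server-side keyring hook for changes that must not depend on every developer's local configuration.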

Conclusion

git-secret is one of the great command-line tools out there to make embedded development smoother with distributed team members. Needing encryption keys and other secret files for an embedded project is commonplace, so having a tool like git-secret to quickly add and encrypt those files is…key. 😉 More documentation, additional features, and some examples of GPG key usage can be found at git-secret.io. Happy developing!

And if you have questions about an embedded project you’re working on, Dojo Five can help you with all aspects of your devops for embedded journey! We are always happy to hear about cool projects or interesting problems to solve, so don’t hesitate to reach out and chat with us on LinkedIn or through email!