git-env
Use your SSH keys to keep your sensitive data encrypted with your git repository.
git-env is a CLI that encrypts the files you keep out of version control and stores the ciphertext in a separate branch of the same repository. Drop a .gitenv file listing your gitignored secrets (same syntax as .gitignore), name the SSH keys that should be able to read them, and git-env creates a branch holding the encrypted archive.
You can also push and fetch that branch from your git remote, which makes it easy to share the secrets between your own machines or with coworkers.
Under the hood it uses age for encryption and tar for archiving. age accepts SSH public keys (ssh-ed25519 and ssh-rsa) as recipients, so the key pair you already use for git access is all you need; every recipient you pass can decrypt the archive with the matching private key. Keep in mind that the encrypted branch is part of the repository: anyone with read access to the remote gets the ciphertext, and a commit encrypted to a key stays readable by that key even after you stop including it in later saves.
Installation
Cargo
cargo install --locked --git https://github.com/EpicEric/git-env.git
Nix
With npins
npins add github EpicEric git-env -b main
{ ... }:
let
  sources = import ./npins;
in
{
  environment.systemPackages = [
    (import sources.git-env { })
  ];
}
With flakes
{
  inputs = {
    # Assumed here: the outputs function below takes nixpkgs, so the flake must declare it
    # (use whichever nixpkgs branch your configuration already tracks).
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    git-env.url = "github:EpicEric/git-env";
  };

  outputs =
    {
      nixpkgs,
      git-env,
      ...
    }:
    {
      nixosConfigurations.my-nixos-host = nixpkgs.lib.nixosSystem {
        modules = [
          # A lambda inside a list literal needs parentheses in Nix.
          (
            { pkgs, ... }:
            {
              environment.systemPackages = [
                git-env.packages.${pkgs.stdenv.hostPlatform.system}.default
              ];
            }
          )
        ];
      };
    };
}
Usage
echo ".gitenv" >> .gitignore
echo ".env" > .gitenv
echo ".gitenv" >> .gitenv # Optional: Make restore -> save idempotent
git-env save --remote origin --branch gitenv/my-secrets --push -k ~/.ssh/id_ed25519.pub
git-env restore --remote origin --branch gitenv/my-secrets --fetch -i ~/.ssh/id_ed25519
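To make the "under the hood" description and the Usage steps above concrete, here is the same save/restore cycle done by hand with tar, age and git plumbing. This is an added illustration, not git-env's own code. It assumes age, tar, git and ssh-keygen are on PATH, uses the branch layout implied by the CLI defaults (a branch holding one file named gitenv-data, commit message "git-env: save secrets"), stores an uncompressed tar (git-env's exact archive format is not documented on this page), and handles only the plain-path, glob and comment lines of .gitignore syntax, not negation or `**`.

```shell
#!/bin/sh
# Added example, not git-env's code: git-env's save/restore pipeline by hand.
# Assumptions: age, tar, git and ssh-keygen on PATH; branch layout follows the
# CLI defaults (file gitenv-data, message "git-env: save secrets"); plain tar.
set -eu

# Resolve a .gitenv file to existing paths, one per line. Blank lines and `#`
# comments are skipped and shell globs expanded; `!negation` is not handled.
gitenv_paths() {
  config="${1:-.gitenv}"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    for p in $line; do # unquoted on purpose: lets the shell expand globs
      if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
  done < "$config"
}

# tar the listed paths and encrypt them to every SSH public key file given.
# age reads ssh-ed25519 / ssh-rsa public keys from a recipients file (-R),
# one per line, so the key files are simply concatenated into one.
gitenv_encrypt() {
  out="$1"; config="$2"; shift 2
  archive=$(mktemp); recipients=$(mktemp)
  gitenv_paths "$config" | tar -cf "$archive" -T -
  cat "$@" > "$recipients"
  age -R "$recipients" -o "$out" "$archive"
  rm -f "$archive" "$recipients"
}

# Commit the ciphertext as the only file on the branch using git plumbing:
# the working tree and the main branch never see the archive.
gitenv_commit() {
  branch="$1"; data="$2"; name="${3:-gitenv-data}"
  blob=$(git hash-object -w "$data")
  tree=$(printf '100644 blob %s\t%s\n' "$blob" "$name" | git mktree)
  if parent=$(git rev-parse -q --verify "refs/heads/$branch"); then
    commit=$(git commit-tree "$tree" -p "$parent" -m "git-env: save secrets")
  else
    commit=$(git commit-tree "$tree" -m "git-env: save secrets")
  fi
  git update-ref "refs/heads/$branch" "$commit"
  printf '%s\n' "$commit"
}

# Read the archive straight from the branch, decrypt with a private SSH key
# and unpack it into the current directory (after `git fetch origin <branch>`
# when the branch came from a remote).
gitenv_restore() {
  branch="$1"; key="$2"; name="${3:-gitenv-data}"
  git show "$branch:$name" | age -d -i "$key" | tar -xf -
}

# Round trip in a throwaway repository with a throwaway key pair.
demo() {
  work=$(mktemp -d); cd "$work"
  git init -q repo && cd repo
  git config user.email dev@example.invalid; git config user.name dev
  ssh-keygen -q -t ed25519 -N '' -f "$work/id_ed25519"
  mkdir secrets
  printf 'DB_PASSWORD=hunter2\n' > .env              # constructed sample secret
  printf 'fake-key-material\n' > secrets/api.key     # constructed sample secret
  printf '.env\nsecrets/*.key\n' > .gitenv
  gitenv_encrypt "$work/gitenv-data" .gitenv "$work/id_ed25519.pub"
  gitenv_commit gitenv/my-secrets "$work/gitenv-data"
  rm -rf .env secrets
  gitenv_restore gitenv/my-secrets "$work/id_ed25519"
  grep -q hunter2 .env && echo "restored .env from branch gitenv/my-secrets"
  git log --oneline gitenv/my-secrets   # a single "git-env: save secrets" commit
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh gitenv-by-hand.sh demo` to watch the round trip. Because the commit is built with `hash-object`, `mktree` and `commit-tree`, nothing is staged or checked out, which is the property you want from a tool like git-env: the plaintext files stay gitignored and only the branch named on the command line carries the ciphertext.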
CLI
Saving an archive
$ git-env save --help
Encrypt and backup the files specified by the .gitenv configuration

Usage: git-env save [OPTIONS] --branch <BRANCH>

Options:
  -c, --cwdir <DIRECTORY>         Path to the git repository
      --dry-run                   Don't make changes, simply print to console
  -r, --remote <REMOTE>           Which git remote to push to/fetch from [default: origin]
  -b, --branch <BRANCH>           Which git branch to push to/fetch from
  -e, --encrypted-data <FILE>     Name of the encrypted archive within the generated git branch [default: gitenv-data]
  -m, --commit-message <MESSAGE>  Commit message generated by git-env [default: "git-env: save secrets"]
  -C, --config <FILE>             Path containing the .gitenv configuration [default: .gitenv]
  -u, --public-keys-url <URL>     Optional URL(s) containing SSH public key(s) to encrypt the archive with
  -k, --public-key <FILE>         Optional public SSH key(s) to encrypt the archive with
  -i, --private-key <FILE>        Optional private SSH key(s) to encrypt the archive with
  -p, --push                      Whether git-env should automatically push the encrypted archive to the remote
      --force                     Skip all prompts when creating the archive
  -h, --help                      Print help
Restoring an archive
$ git-env restore --help
Recover and decrypt the data specified by the gitenv archive

Usage: git-env restore [OPTIONS] --branch <BRANCH>

Options:
  -c, --cwdir <DIRECTORY>      Path to the git repository
      --dry-run                Don't make changes, simply print to console
  -r, --remote <REMOTE>        Which git remote to push to/fetch from [default: origin]
  -b, --branch <BRANCH>        Which git branch to push to/fetch from
  -e, --encrypted-data <FILE>  Name of the encrypted archive within the generated git branch [default: gitenv-data]
  -i, --private-key <FILE>     Private SSH key(s) to attempt to decrypt the archive with
  -f, --fetch                  Whether git-env should automatically fetch the encrypted archive from the remote
      --force                  Skip all prompts when unpacking the archive
  -h, --help                   Print help