You also need version control over secrets.


git-secret is a bash script that extends git to safely track secret files. As of writing this article, it is version 0.5.0-alpha1.

A bash-tool to store your private data inside a git repository.

The basic workflow, once the repo has been initialised with git secret init and each member's public key has been registered with git secret tell, is as follows:

  1. git secret add: start treating a file as a secret file (the plaintext must be in .gitignore so it is never committed),
  2. git secret hide: encrypt all the secret files with the public GPG keys of every member registered in the repo, your own included,
  3. git add, git commit, and git push: commit the encrypted .secret files and push them to the repository, and
  4. git pull and git secret reveal: pull the repo with the encrypted files and decrypt them with your own private key.
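The whole procedure end to end, as an added example that is not code from the git-secret project: two made-up contributors (alice and bob) each get a throw-away GPG home, alice initialises the repo and hides a constructed `.env`, bob clones and reveals it, and alice then removes bob, which also shows why removing a member is not the same as revoking access. It assumes git, gpg and git-secret are on PATH; the helper names `is_pgp_public_key`, `make_demo_key` and `demo_workflow` and the file `.env` are invented for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the git-secret project: the full workflow for two
# contributors (alice and bob, made-up identities) run in throw-away directories.
# Assumes git, gpg and git-secret are on PATH; the file name .env and its
# contents are invented for the demo.
set -eu

# A contributor hands you a "key": make sure it is an armored GPG public key
# (what `git secret tell` needs) and not an SSH public key. Returns 0 if so.
is_pgp_public_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# Create a passphrase-less key pair in its own GNUPGHOME ($1) for identity $2 and
# export the armored public key to $3. "default default" gives a primary key plus
# an encryption subkey, which git-secret needs; "never" = no expiry (demo only).
make_demo_key() {
    mkdir -m 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
    GNUPGHOME="$1" gpg --batch --quiet --armor --export "$2" > "$3"
}

demo_workflow() {
    WORK=$(mktemp -d)
    make_demo_key "$WORK/gnupg-alice" 'alice@example.com' "$WORK/alice.asc"
    make_demo_key "$WORK/gnupg-bob"   'bob@example.com'   "$WORK/bob.asc"
    is_pgp_public_key "$WORK/bob.asc" || { echo "bob sent the wrong key type" >&2; return 1; }

    # --- alice: set up the repo and encrypt the secret for both members ---
    git init -q "$WORK/repo"
    (
        cd "$WORK/repo"
        export GNUPGHOME="$WORK/gnupg-alice"
        git config user.name alice; git config user.email alice@example.com
        gpg --batch --quiet --import "$WORK/bob.asc"  # alice needs bob's public key locally
        git secret init                               # creates .gitsecret/
        git secret tell alice@example.com             # copy her key into the repo keyring
        git secret tell bob@example.com
        printf 'DB_PASSWORD=hunter2\n' > .env         # constructed secret
        echo '.env' >> .gitignore                     # plaintext must never be committed
        git secret add .env                           # register it in .gitsecret/paths/mapping.cfg
        git secret hide                               # writes .env.secret, encrypted to alice and bob
        git add .gitignore .gitsecret .env.secret
        git commit -q -m 'Add encrypted .env'
    )

    # --- bob: clone and decrypt with his own private key ---
    git clone -q "$WORK/repo" "$WORK/bob-clone"
    (
        cd "$WORK/bob-clone"
        export GNUPGHOME="$WORK/gnupg-bob"
        git secret reveal                             # .env.secret -> .env
    )
    REVEALED_BY_BOB=$(cat "$WORK/bob-clone/.env")

    # --- alice removes bob: re-encrypting alone is not enough, the value must change ---
    (
        cd "$WORK/repo"
        export GNUPGHOME="$WORK/gnupg-alice"
        git secret removeperson bob@example.com       # drop his key from the repo keyring
        printf 'DB_PASSWORD=rotated-after-bob-left\n' > .env  # bob still holds the old ciphertext and his key
        git secret hide                               # now encrypted to alice only
        git add .gitsecret .env.secret
        git commit -q -m 'Rotate DB password, remove bob'
    )
}

if command -v git-secret >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1; then
    demo_workflow
    echo "bob revealed: $REVEALED_BY_BOB"
else
    echo "git-secret or gpg not installed; skipping the live demo" >&2
fi
```

The explicit `.gitignore` line is belt and braces: recent git-secret versions add the plaintext path to `.gitignore` on `git secret add` themselves, but the cost of doing it yourself is one line and the cost of a committed plaintext is a rewrite of history. The last block is the part people forget: `git secret removeperson` only stops future `hide` runs from encrypting to bob, so the secret itself has to be rotated.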

The main merits of git-secret are the following.

  1. Secrets are version-controlled alongside the code that uses them.
  2. Everything needed to build the project, the (encrypted) secrets included, lives in the git repo.
  3. The method is independent of language and framework, so it works for any kind of project.

The downside of git-secret is key management: every contributor has to hold the GPG (GNU Privacy Guard) public key of every other contributor, i.e. each of the N contributors ends up managing N GPG keys.

  1. All the members have to generate a GPG key pair and distribute their public key to the other members.
  2. The secret files have to be encrypted with the public key of every member so that each of them can decrypt the files later. Whenever membership changes, the files must be re-hidden, and a departed member still holds the old ciphertext together with their private key, so the secrets themselves have to be rotated rather than merely re-encrypted.

Side note: GPG keys are not SSH keys. An exported GPG public key is an ASCII-armored block that starts with -----BEGIN PGP PUBLIC KEY BLOCK-----, whereas an SSH public key is a single line starting with the key type, e.g. ssh-ed25519 or ssh-rsa.