DEV Community

Cover image for Managing and sharing secrets in a Git repository with Keybase
Jose Paradas
Jose Paradas

Posted on

Managing and sharing secrets in a Git repository with Keybase

How often do we hesitate to find a simple way to share our project's secrets with our teammates when starting a project?

I was playing with one of my pet projects a couple of weeks ago. After moving my files from my old computer to a new one, I often copied and pasted the secret ignored files on the project repository.

I started to feel frustrated because, at that time, I had yet to figure out a simple way to store those secrets.

I thought about setting up a Vault on my lab cluster, but then I realized that it would be too much effort and resources for something that could be simpler.

So it was when I turned my eyes to the left-top corner of my computer and saw the icon of Keybase.

What is Keybase? It is a social network where the profiles are associated with encryption keys. Those profiles can be verified using several integrations from a Twitter, Facebook or GitHub account to your bitcoin wallet. So you can use the public key of one of the profiles you follow to encrypt a letter or a file, and just that person can decrypt it. You can read more about it at https://keybase.io/.

Keybase Installation

First, you will need an account and download the client, follow the instructions according to your operating system https://keybase.io/download.

Once you have everything settled, verify you also have the keybase CLI in your Terminal by running the following:

$ keybase whoaim

The output for this should be your username if everything goes well.

So now you can become a super secret agent and send secret messages to your friends. 👀 🔍

You can encrypt a message with your account and then decrypting.

$ keybase encrypt <username> -m "Super secret message" > secret_message.encrypted

If you print the content of this file will see something like this:

BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. kiVagqKWSHjJD0o 7vgiSU0z0qOoRIk SKJopDrUpJ04V3V QILGzzJshZUuGT3 lmTj9QxHHdbXk4H W5yIyiNKwsQ0wgy HXSroCeg0tTnILC OYz6l8uffBXoVYR E1BDLvI6ZiOcHIN DvIKqsoCS3k0SsI E2eidkVVbVNgK4e 4G7U0bzRaxuBT2x r8wwQElXtDvEEsP 7rhtU3QXnrP8GR4 KJFZthGSM3bwUWb PwBbD1CITkOLoC4 13Atr0lgOrb6pZS D7kw4ZOEOArZ0ix 83glErB2Qbmgxfy GetX2G37rFM9YDG SAf4dbNkuNckaTU jxDjldRtpqV67MY 5DLKTit1765sEf5 KwBQvHfwQjXMZpN YEkGFQhQ3o15av9 eKDy77Ulu3saxln FqeC1rcGgi3YDlC is70NUQerKa124d qCkj5M1Vde6ni3H MCABN1bS0umKBxi H2hHHSw21J5zkJD xhPZ84kgePh2gJj xcfDe296xNlZp71 fNIfDjfOUULiEK8 zIhCWKAF2sF109u Q03Gwwz8njCDsWy UCm0oofbc9mT0ck 16mcNDW1LMgA6UE r6SXFXd12bQ6mZO FS4k7YGJNVVmbpu qyIETydHqvFWsZ2 iULi2tC7B5Mgf7P YGoqTEt3Huh3ZJA 7w7TpARfHUyRbBL aRiMiIANj2EXKrc rulezXpRW45LMEi xRgOW0yT2Yhp2yq dYrirKCXf5i824c 27PnQ9Gj8Xn6Lls st4pEa0TPWnaRDp z1erY226rb49YBM xXsoNbGPSuwxcJS lPhnEaLyFM3ZP2l OpqaOfvphJL7w0b 6Hh779QGK3FtSnL 0Xlfvw5v6IwwAn7 i9CuzQ2AKFffkaT zEtHNcOB71Col4B i1ajNj9o7T4bDu3 H6zyiqJGRh8Y5FM AXrcgvrpY8euDae hyonSqexXtKsSLA u0JiCPbvRmgnZwS PBVa5hdEgSzyjnN eqFFTtEmLfripDD cVBYTvEvzlB8AGF zJDjvewdnAvThJm rdtIkHvfs3HrsFc fmkVGYDPVLL3M42 BFK0mz4rX4eUMx5 d1q3Ygws7EiDBel sGBrLKObRUoP3HT PruZsGOKnb0lMJR KpxEqZCdTnabvbL LK9sHO1QKK6viYl yWerKcUZya52vmy wNXnEpXpuEfsazP alAB8fejsRvk1R7 bZHrsUzGALXDC7A LXamr6RrGaGuF2g pyAkZkQSrwQmcYS AhF9dB6r3rsE8he rlsPTPwUmEz5VpF Xm2KtxJMqO6Wp3L ZZbURaVWQfdw5sF W1VdhYxWnL1db. END KEYBASE SALTPACK ENCRYPTED MESSAGE.
Enter fullscreen mode Exit fullscreen mode

$ keybase decrypt -i secret_message.encrypted

This will show you the initial message you wrote. Now you can encrypt and decrypt your secret files.

The exciting part of this is that if you are part of a team, you can encrypt a message using the team name, and any team member can decrypt the message.

$ keybase encrypt --team <team_name> -m "Super secret message" > secret_message.encrypted

Encrypting all the secrets at one time

I'm lazy enough and have a terrible memory, so I prefer to automatize or create a script that reminds the commands by me.

Assuming that I have a repository with all the secrets ignored, I want to be able to run a command to encrypt all those files at one time. So I have created this bash script for it.

When you run this command, you will find all the files according to a pattern and try to encrypt them using the parameters you pass in the flags.

gif with running the script

image with the result of the script

And that's it. Now you have encrypted files that you can add to your repository commit and share with your team.

Revelling the mystery of the encrypted files

Now you have all those files encrypted and want anyone in your team to be able to decrypt them. But, as I mentioned, I'm too lazy and created another script.

Now we imagine a new team member is cloning the repository and wants to run the project. Instead of waiting until someone copy and paste the env files in an insecure chat conversation, it will need to run this command to generate the secrets from the encrypted files.

gif running revelio script

The NPM packages

Again, I'm too lazy to copy and paste this script into the different places I need to use it. So I created this small library in NPM, hoping someone else found this helpful.

https://www.npmjs.com/package/@jparadasb/charms

If you read until here, thanks and if you have any suggestions or questions, please let me know.

Top comments (0)