How do you handle sensitive data in a public git repo?

orlp · Mar 4, 2012 · Viewed 7.7k times

How do you handle sensitive data like secret API keys and hash salts when you keep your code in a public git repo?

Obviously keeping the sensitive data in the code will compromise it.

Another solution is to not hardcode the secret info in the code, but store it in a stand-alone file and gitignore the file. This has the disadvantage that when someone pulls your code for the first time the secret information will be missing and it won't run out of the box. This can be accounted for by writing an "initialize if missing" routine in the code, but then you're letting the git system slip into your code, which is IMO not a good thing.

And another solution is making a "default" secret information file, committing it at the start of the project and then using your own information without committing it. But this may make git complain that you have uncommitted changes when you pull.

So what is the common way to handle this?

Answer

lisachenko · Nov 15, 2012

Try using .gitattributes for a path with a configured encryption/decryption filter:

*secure.yml filter=crypt

And in .git/config, add the configuration for the crypt filter:

[filter "crypt"]
    clean = openssl enc ...
    smudge = openssl enc -d ...
    required
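
An end-to-end run of the filter setup from the answer above, as an added example that is not part of the original post: it builds a throwaway repository and lets you compare the working-tree file with the blob git actually stores. The cipher options, the key file location and the file name app.secure.yml are assumptions, since the answer elides the openssl arguments; it needs git and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example with constructed data. Assumes git and OpenSSL 1.1.1+.
# Cipher options, key path and file name are illustrative assumptions.

# Build a throwaway repo with the "crypt" filter configured; print its path.
make_demo_repo() (
    set -e
    work=$(mktemp -d)
    keyfile="$work/filter.key"      # hypothetical: key is kept outside the repo
    openssl rand -hex 32 > "$keyfile"
    chmod 600 "$keyfile"

    git init -q "$work/repo"
    cd "$work/repo"
    git config user.name "demo"
    git config user.email "demo@example.invalid"
    git config commit.gpgsign false

    # -nosalt makes encryption deterministic. git re-runs "clean" to detect
    # changes, so a random salt would make the file look modified every time.
    # The cost: identical plaintexts always produce identical ciphertexts.
    enc="openssl enc -aes-256-cbc -pbkdf2 -nosalt -a -pass file:$keyfile"
    git config filter.crypt.clean "$enc"
    git config filter.crypt.smudge "$enc -d"
    git config filter.crypt.required true   # abort rather than store plaintext

    echo '*secure.yml filter=crypt' > .gitattributes
    echo 'api_key: CONSTRUCTED-EXAMPLE-VALUE' > app.secure.yml
    git add .gitattributes app.secure.yml
    git commit -q -m "add filtered config"
    pwd
)

# Print the blob exactly as git stores it (what a public clone would receive).
stored_blob() { git -C "$1" cat-file -p HEAD:app.secure.yml; }

repo=$(make_demo_repo)
[ -d "$repo" ] || exit 1
echo "working tree: $(cat "$repo/app.secure.yml")"
echo "stored blob:  $(stored_blob "$repo")"
```

A fresh clone does not inherit .git/config, so until the filter is configured there and the key is supplied out of band, the file checks out as ciphertext.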