Hey folks in this blog post we would be looking over how we can store our git credentials in an encrypted format over linux remote servers, let’s first quickly have a look why we want to do it and what git provide us with as options.
Git credentials helpers
So git provide many types of credential helpers like
The first and most basic type credential helper the syntax to use it is
git config --global credential.helper store
--local, if you wanna do it for a single repository, but command with flag
--global could run from any directory where is the
--local shall be for run from a git repository, after you have to perform a push or a pull to the remote repository that would be the last time it will ask you the password and as credential helper is set to store it will store them, this approach would save your credentials in a file in your home directory with name .git-credentials in plain text and that’s not good if you are working on a multiuser environment.
Git also provide us with a cache type of credential helper which will ask for you password one time and will store it for some time as configured and will not ask again for the password untill that timeout ends, after that it will again ask for password and when it comes to automate things on remote server you may not want to use this.
These were the to common and easy methods provided by git to store your credentials, there are couple of more but some of them are OS based and you can find them here, also you can create your own custom credential helper git also provide interface for that you can find it here
There are two more ways using which we can store the credentials in encrypted format they are
1. gnome-keyring – is now deprecated.
2. libsecret – using this I faced an error that could not be solved as it needs to have a x11 display connected to the machine which we can’t have in case of remote server over ssh, but if you wanna setup it on your local you can do something like this.
Netrc is also one of the credential helpers for git that works for both Linux and Windows systems, but it also saves the credentials in plain text format
After much googling and looking closely to credential helper mentioned above I came across this answer on stackoverflow but it did not worked as expected as there was no netrc script in /usr/share/doc/git/contrib/credential/netrc, but I understood how git credential helper works so I tweaked the things and got it working and now let’s look at the steps I followed to make it work. If you couldn’t find netrc script in the directory you can download it here .
Here are the steps to setup this:
gpg if not already installed
2. Generate a new key using
gpg --key-gen, enter the details name and email these will be required later when we encrypt our credentials file using this key, make sure to put a passphrase to the key
3. Make a file that confirms to the following format
4. Save this file as credentials, now encrypt it using
gpg --encrypt --trust-model always credentials
it will create a file
credentials.gpg as output, now you can delete the file credentials
5. Now make a script with the following content
/path/to_netrc_script/netrc -f /path/to/credentials.gpg get
lets name this file as
credential-helper, so now as we have saved the command in file
credential-helper to run the script with appropriate flags, we just need to point our credential helper to credential-helper script using
git config --global credential.helper /absolute-path/to/credential-helper
Now git will try to get credentials from this helper and would use them for every push/pull/clone from the above machine.
If you get error public key decryption failed: Inappropriate ioctl for device then
cat export GPG_TTY=$(tty) >> ~/.bashrc
So that’s all for this time feel free to drop a comment or suggestions, happy coding 🙂