Store Git Credentials Encrypted

Reading Time: 3 minutes

Hey folks in this blog post we would be looking over how we can store our git credentials in an encrypted format over linux remote servers, let’s first quickly have a look why we want to do it and what git provide us with as options.

Git credentials helpers

So git provide many types of credential helpers like

Store

The first and most basic type credential helper the syntax to use it is

git config --global credential.helper store

Replace --global with --local, if you wanna do it for a single repository, but command with flag --global could run from any directory where is the --local shall be for run from a git repository, after you have to perform a push or a pull to the remote repository that would be the last time it will ask you the password and as credential helper is set to store it will store them, this approach would save your credentials in a file in your home directory with name .git-credentials in plain text and that’s not good if you are working on a multiuser environment.

Cache

Git also provide us with a cache type of credential helper which will ask for you password one time and will store it for some time as configured and will not ask again for the password untill that timeout ends, after that it will again ask for password and when it comes to automate things on remote server you may not want to use this.

These were the to common and easy methods provided by git to store your credentials, there are couple of more but some of them are OS based and you can find them here, also you can create your own custom credential helper git also provide interface for that you can find it here

There are two more ways using which we can store the credentials in encrypted format they are

1. gnome-keyring – is now deprecated.

2. libsecret – using this I faced an error that could not be solved as it needs to have a x11 display connected to the machine which we can’t have in case of remote server over ssh, but if you wanna setup it on your local you can do something like this.

Netrc

Netrc is also one of the credential helpers for git that works for both Linux and Windows systems, but it also saves the credentials in plain text format

After much googling and looking closely to credential helper mentioned above I came across this answer on stackoverflow but it did not worked as expected as there was no netrc script in /usr/share/doc/git/contrib/credential/netrc, but I understood how git credential helper works so I tweaked the things and got it working and now let’s look at the steps I followed to make it work. If you couldn’t find netrc script in the directory you can download it here .

Here are the steps to setup this:
1. Install gpg if not already installed
2. Generate a new key using gpg --key-gen, enter the details name and email these will be required later when we encrypt our credentials file using this key, make sure to put a passphrase to the key
3. Make a file that confirms to the following format
machine github.com

login <user-name>

password <password>

protocol https

4. Save this file as credentials, now encrypt it using

gpg --encrypt --trust-model always credentials

it will create a file credentials.gpg as output, now you can delete the file credentials

5. Now make a script with the following content

/path/to_netrc_script/netrc -f /path/to/credentials.gpg get

lets name this file as credential-helperso now as we have saved the command in file credential-helper to run the script with appropriate flags, we just need to point our credential helper to credential-helper script using 

git config --global credential.helper /absolute-path/to/credential-helper

Now git will try to get credentials from this helper and would use them for every push/pull/clone from the above machine.
If you get error public key decryption failed: Inappropriate ioctl for device then

cat export GPG_TTY=$(tty) >> ~/.bashrc

So that’s all for this time feel free to drop a comment or suggestions, happy coding 🙂

References:

https://git-scm.com/docs/gitcredentials

https://stackoverflow.com/a/18362082/7894074

 


knoldus-advt-sticker

Written by 

Shubham Verma is a software consultant. He likes to explore new technologies and trends in the IT world. Shubham is familiar with programming languages such as Java, Scala, C, C++, HTML, Javascript and he is currently working on reactive technologies like Scala, Akka , spark and Kafka. His hobbies includes playing computer games and watching hollywood movies.

Knoldus Pune Careers - Hiring Freshers

Get a head start on your career at Knoldus. Join us!