0

I am developing an application using Spring Boot. There are some secret keys that have to be added to the files, but while committing and pushing the files to Git they must not be visible to the public.

As those keys in the files need to be secure, how can I provide security or encryption for those files?

HARISH
  • 193
  • 4
  • 14
  • First thing would be not pushing them to a public repo. – Sami Kuhmonen May 23 '18 at 07:16
  • Don't put them in the files you're pushing to git, provide them via e.g. environment variables. – jonrsharpe May 23 '18 at 07:16
  • Possible duplicate of [How can I save my secret keys and password securely in my version control system?](https://stackoverflow.com/questions/11575398/how-can-i-save-my-secret-keys-and-password-securely-in-my-version-control-system) – phd May 23 '18 at 07:40

2 Answers

1

As mentioned, don't push these files to a public repo, or any repo where you think other developers on the team should not have access.

You can easily ensure these files don't somehow get committed by using a .gitignore file:

gitignore - Specifies intentionally untracked files to ignore

See: .gitignore documentation

Here is a collection of useful .gitignore configurations: A collection of useful .gitignore templates

Rather than using encryption, it would be better to use a directory and repo structure as follows:

  • Project directory: All project files, no secrets.
  • Secrets directory: Secrets only.
  • Project repo: Public repository.
  • Secrets repo: Private repository giving access to trusted developers.

Then within your project you simply reference the necessary secrets in the secrets directory.

If you do decide to use GPG encryption (not recommended, as you then have to remember not to push an unencrypted file by mistake), you can use a basic symmetric cipher. On a Unix machine, install gpg and then use the following terminal command - it will request a password and generate an encrypted .gpg file.

-c, --symmetric encryption only with symmetric cipher

gpg -c secrets.txt

Benjamin Scholtz
  • 823
  • 6
  • 15
  • .gitignore will stop from pushing it to the repository. But I want to push it to repository but that should be able to view by the masters or some particular persons . It must not be visible to the Git public. – HARISH May 23 '18 at 07:29
  • You could use something like gpg to encrypt the file with a password - your "masters" would then need that password and have to decrypt it on the other side when running builds etc. If that works for you then you can do that. Alternatively keep a private repo with all secret keys from a separate directory to the project build, as well as the public project repo without any keys - that's what I'd recommend. – Benjamin Scholtz May 23 '18 at 07:38
  • Can you please provide me an example related to this. – HARISH May 23 '18 at 08:44
  • See above answer. – Benjamin Scholtz May 23 '18 at 09:32
0

You should save those keys as environment variables.

How to store and retrieve those values will depend on the tools you use. In your case, I think the Spring framework can do that.

Hope you get the logic and can find out how to achieve that in Spring or the server that you use.

Ye Win
  • 2,020
  • 14
  • 21
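The two answers above describe the same defensive pattern from two sides: keep the value out of the committed files (a git-ignored secrets directory outside the project tree, or a private secrets repo) and hand it to the application at runtime (an environment variable). The following is an added example, not code from either answer or from Spring itself, showing a small Spring-free loader that combines both: it reads a secret from an environment variable first and only then from a properties file in a separate secrets directory, and it fails at startup when neither is present rather than running with an empty key. The variable name APP_API_KEY, the path ../secrets/app.secrets and the class name SecretLoader are assumptions chosen for this example.

```java
// Added example (not from the original answers or the Spring project).
//
// With Spring Boot itself the equivalent is a placeholder in the committed
// application.properties:
//     app.api.key=${APP_API_KEY}
// which Spring resolves from the process environment at startup, so the
// file that lands in Git never contains the value. This class shows the same
// lookup order (environment, then external file) without any Spring dependency.
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;

public final class SecretLoader {

    private final Map<String, String> env;
    private final Path secretsFile;

    // Injected for testability: a fake environment map and a temp file can be passed in.
    SecretLoader(Map<String, String> env, Path secretsFile) {
        this.env = env;
        this.secretsFile = secretsFile;
    }

    /** Production wiring: real environment, secrets directory beside (not inside) the project tree. */
    public static SecretLoader standard() {
        // Assumed layout: <parent>/project (this repo) and <parent>/secrets (never committed).
        return new SecretLoader(System.getenv(), Paths.get("..", "secrets", "app.secrets"));
    }

    /** Resolves a secret by name: environment variable first, then the external secrets file. */
    public Optional<String> lookup(String name) {
        String fromEnv = env.get(name);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return Optional.of(fromEnv);
        }
        if (Files.isReadable(secretsFile)) {
            Properties props = new Properties();
            try (InputStream in = Files.newInputStream(secretsFile)) {
                props.load(in);
            } catch (IOException e) {
                // Unreadable file is treated the same as a missing one; the caller decides.
                return Optional.empty();
            }
            return Optional.ofNullable(props.getProperty(name)).filter(v -> !v.isEmpty());
        }
        return Optional.empty();
    }

    /** Fails fast at startup instead of continuing with an empty key; the message never echoes the value. */
    public String require(String name) {
        return lookup(name).orElseThrow(() -> new IllegalStateException(
                "Missing secret '" + name + "': set it as an environment variable or in " + secretsFile));
    }

    public static void main(String[] args) {
        String key = standard().require("APP_API_KEY");
        // Log only that the key was loaded, never the key itself.
        System.out.println("APP_API_KEY loaded (" + key.length() + " chars)");
    }
}
```

Run it with `APP_API_KEY=... java SecretLoader` for the environment path, or create `../secrets/app.secrets` containing `APP_API_KEY=...` for the file path. If the secrets directory has to live inside the project for some reason, add it to .gitignore as the first answer describes; keeping it outside the tree means there is nothing for a forgotten .gitignore entry to leak.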