This repository has been archived by the owner on Feb 26, 2024. It is now read-only.

Document secrets #276

Open
cogat opened this issue Jul 25, 2017 · 0 comments

Comments


cogat commented Jul 25, 2017

gregturner [3:34 PM]
What is the deal with .secret files? Is it documented somewhere?

tailee [3:36 PM]

setup-git-secret.sh [COMMAND]
Initialise git-secret, generate a GPG encryption key, configure
git-secret, decrypt all known secrets, and execute a command.
Quick start:
$ git secret add file # Add 'file' as a secret to be encrypted
$ git secret hide # Encrypt all secrets
$ git secret reveal # Decrypt all secrets
It is recommended to add 'git secret hide' to your pre-commit hook, so
you won't miss any changes.
For more information, see: http://sobolevn.github.io/git-secret/

(link preview: GitHub, ic-labs/django-icekit: django-icekit - A modular content CMS by Interaction Consortium.)

[3:37]
it stores secrets (environment variables, exported by the entrypoint script) encrypted so we can commit them and also so we can avoid duplicating them in the stack file for every service

[3:38]
we tried an alternative which uses git attributes to transparently encrypt/decrypt on checkout which worked amazingly well and let us see diffs etc., but some git clients don't support git attributes and if someone accidentally commits in one of those clients, we could easily accidentally commit the unencrypted version of the file... git-secret stores the encrypted version in a `*.secret` file and the non-encrypted version has the suffix removed and is ignored by git, making such an accident less likely

[3:41]
to use, you should put the correct passphrase in GPG_PASSPHRASE in .env.local and it should decrypt automatically when you run entrypoint.sh via go.sh or docker... then use `git secret add ...` to start tracking a new file, `git secret hide` to re-encrypt all files, and `git secret reveal` to decrypt all the tracked files... in a new project, the first time setup-git-secret.sh runs it will auto generate a random passphrase and print it and stage the relevant files to be committed... we should put that in 1Password for each project
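The layout described in the thread (encrypted copy committed as `<path>.secret`, plaintext `<path>` gitignored, `git secret hide` wired into the pre-commit hook) can be enforced with a hook that refuses a commit if the plaintext twin of any tracked ciphertext has been staged, and otherwise re-encrypts and stages the refreshed `*.secret` files. The script below is an added example, not django-icekit's `setup-git-secret.sh` or any git-secret code; it assumes only the naming convention above and standard `git` commands, and the sample paths used in its checks are constructed.

```shell
#!/bin/sh
# Added example, not part of django-icekit: a pre-commit hook for the
# git-secret layout described above. Every tracked ciphertext is
# "<path>.secret" and the matching plaintext "<path>" is gitignored, so a
# staged file whose ".secret" twin is tracked is a plaintext leak.
# Install as .git/hooks/pre-commit (the hook body only runs under that name).

# $1: newline-separated staged paths, $2: newline-separated tracked
# "*.secret" paths. Prints each staged path that is the plaintext twin of
# a tracked ciphertext. Exact match, so "foo.secret.bak" is not reported.
find_staged_plaintext() {
    staged="$1"
    printf '%s\n' "$2" | while IFS= read -r enc; do
        case "$enc" in
            *.secret) plain="${enc%.secret}" ;;
            *) continue ;;
        esac
        if printf '%s\n' "$staged" | grep -qxF -- "$plain"; then
            printf '%s\n' "$plain"
        fi
    done
}

# Returns 0 when the staged list contains no plaintext twin, 1 otherwise.
staged_is_clean() {
    [ -z "$(find_staged_plaintext "$1" "$2")" ]
}

main() {
    # Paths staged for this commit, and the ciphertexts git already tracks.
    staged=$(git diff --cached --name-only --diff-filter=ACMR)
    secrets=$(git ls-files -- '*.secret')

    if ! staged_is_clean "$staged" "$secrets"; then
        echo "pre-commit: refusing to commit plaintext secrets:" >&2
        find_staged_plaintext "$staged" "$secrets" | sed 's/^/  /' >&2
        echo "pre-commit: unstage the file ('git reset HEAD <file>') and commit the .secret file instead" >&2
        exit 1
    fi

    # Re-encrypt every tracked secret so the committed ciphertext is current,
    # then stage the refreshed *.secret files: 'git secret hide' on its own
    # leaves them unstaged and the commit would carry stale ciphertext.
    git secret hide || exit 1
    git ls-files -z -- '*.secret' | xargs -0 -r git add --
    exit 0
}

case "${0##*/}" in
    pre-commit) main "$@" ;;
esac
```

The hook is a second line of defence behind the `.gitignore` entry for each plaintext: `.gitignore` stops `git add .` from picking the file up, the hook stops an explicit `git add docker/.env.prod` from going through, and the final `git add` of the ciphertexts is what makes `git secret hide` in a pre-commit hook actually useful.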
