如何在我的版本控制系统中安全地保存我的密钥和密码? [英] How can I save my secret keys and password securely in my version control system?
问题描述
但密码 - 像任何其他设置 - 似乎应该被版本化。那么什么是保持密码版本控制的正确方法?
我想像这将涉及保持密码版本的他们自己的秘密设置文件,并且具有加密和版本控制的文件。但什么技术?并且如何正确地做到这一点?有没有更好的方法来完成?
我一般问这个问题,但在我具体的例子中喜欢使用 git 和 github 来存储Django / Python 网站的密钥和密码。
另外,一个理想的解决方案在使用git推/拉时也会做一些神奇的事情 - 例如,如果加密的密码文件更改,运行一个要求输入密码并将其解密的脚本
编辑:为了清楚起见,我 询问在哪里存储生产秘密
自从提出这个问题后,我已经解决了一个解决方案,我在小型团队开发小型应用程序时使用的人。
git-crypt使用GPG在文件的名称与某些模式匹配时透明地加密文件。为了意图,如果您添加到您的 .gitattributes 文件...
*。secret。* filter = git-crypt diff = git-crypt
...然后a文件如 config.secret.json 将始终被推送到具有加密的远程回收站,但在本地文件系统上保持未加密。
如果我要添加一个新的GPG密钥(一个人)到您的备份,可以解密受保护的文件,然后运行 git-crypt add-gpg-user< gpg_user_key> 。这将创建一个新的提交。新用户将能够解密后续提交。
I keep important settings like the hostnames and ports of development and production servers in my version control system. But I know that it's bad practice to keep secrets (like private keys and database passwords) in a VCS repository.
But passwords--like any other setting--seem like they should be versioned. So what is the proper way to keep passwords version controlled?
I imagine it would involve keeping the secrets in their own "secrets settings" file and having that file encrypted and version controlled. But what technologies? And how to do this properly? Is there a better way entirely to go about it?
I ask the question generally, but in my specific instance I would like to store secret keys and passwords for a Django/Python site using git and github.
Also, an ideal solution would do something magical when I push/pull with git--e.g., if the encrypted passwords file changes a script is run which asks for a password and decrypts it into place.
EDIT: For clarity, I am asking about where to store production secrets.
Since asking this question I have settled on a solution, which I use when developing small application with a small team of people.
git-crypt uses GPG to transparently encrypt files when their names match certain patterns. For intance, if you add to your .gitattributes file...
*.secret.* filter=git-crypt diff=git-crypt
...then a file like config.secret.json will always be pushed to remote repos with encryption, but remain unencrypted on your local file system.
If I want to add a new GPG key (a person) to your repo which can decrypt the protected files then run git-crypt add-gpg-user <gpg_user_key>. This creates a new commit. The new user will be able to decrypt subsequent commits.
这篇关于如何在我的版本控制系统中安全地保存我的密钥和密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
