OT - A quick post on using gpg to manage github in Linux20 Apr 2017
After being used to OSX Keychains in my old mac, I wanted a similar functionality on my Linux laptop. Being prompted each time to login, while interacting with github for instance was annoying. Searching the web, led me to git-credential-store. I was not too happy with the fact that credentials would be stored in clear text, locally, indefinitely. I came across this stackoverflow post that I adapted for Linux. The concept is as follows:
- Use a .netrc file to store your credentials. This follows the file format for netrc
- Encrypt this file, using GNU Privacy Guard
- Download and add the git credential helper script to your path.
- Update git config to tell it to use the encrypted credentials file
STEP 1: The .netrc file
We save this in our home directory - this is obviously clear-text. We will now encrypt the file and delete the clear-text one
STEP 2: Encrypt the .netrc file
GNU Privacy Guard, was new to me. Solving this specific problem also taught me about how to use GPG in general to sign and encrypt any piece of data that needs to be exchanged securely. The basic premise is we create a public/private key pair, similar to SSH. This is stored in a “key-ring” on our computer. We can potentially add other trusted public-keys to this key-ring and decrypt/verify files that are signed by the sender’s private key. For our example, here is how I did it:
GENERATE THE KEY PAIRS
After moving the mouse around for a bit:
You can see the keyring :
Now we can use our private key to encrypt the .netrc file
(I had to specify a recipient. In our case since github was going to use my email id as the ‘end-user’ to decrypt the .netrc file, I specified it as the recipient)
At this point, you may delete your clear text .netrc and will be left with a .netrc.gpg file
STEP 3: Download and add the git credential helper:
This perl script is
used by git to unencrypt the .netrc.gpg file. So you will need to make
it executable and store it in a directory in your
curl -o /home/ajay/bin/git-credential-netrc https://raw.github.com/git/git/master/contrib/credential/netrc/git-credential-netrc
STEP 4: Tell git about the encrypted credentials
Finally, you use the git config command to inform git to use the credential helper. This is when you also point it to the location of the newly encrypted .netrc.gpg file.
git config --local credential.helper "netrc -f /home/ajay/.netrc.gpg -v -d"
( The -v and -d are diagnostic flags - verbose/debug. This helps you track issues if you run into any. )
If you happen to follow these steps and if you had any questions, I would be happy to help and hopefully better my understanding as well.