- what? secrets in github for a particular audicence; ie. your org
- why? secrets need revision control; and circle of trust should be transparent
- how? leverage GPG and Git and a bit of consistent social behavior
requirements:
- gpg2 (via brew on macosx) -but doc here simply refers to
gpg
- jut manager decides emp gets creds access
- tells emp to generate new GPG keypair
alice%> gpg --gen-key
- user is prompted for name, then email, then comment
- we use format
First Last (gitUserName) <emp@example.com>where comment is git username - now save key according to git username
gpg --armor --export alice@example.com > pubkeys/alice.asc
- emp now adds key to repo on new branch and creates a PR
alice%> git checkout -b new-alice-key && git add pubkeys/alice.pub
alice%> git add pubkeys/alice.pub && git checkin -m 'alice pubkey' keys/
alice%> git push origin new-alice-key
- Alice create the PR; Manager merges PR
- Manager pulls changes and updates secrets
boss%> git pull
boss%> ./skt encode
boss%> git commit -m 'add alice' creds.tgz
boss%> git push origin master
- alice is now in the circle of trust
alice%> git pull && ./skt decode
- decode asks for her password to decrypt, and then untars creds dir
boss%> git checkout master && git pull && cd secrets
boss%> git rm keys/alice.pub
boss%> ./skt encode
boss%> git commit -m 'remove alice' creds.tgz
boss%> git push origin master