RakeGitCrypt

Rake tasks for interacting with git-crypt.

Installation

Add this line to your application's Gemfile:

gem 'rake_git_crypt'

And then execute:

$ bundle

Or install it yourself as:

$ gem install rake_git_crypt

Usage

TODO: Write docs.

Unlocking git-crypt with an encrypted GPG key

The unlock_with_encrypted_gpg_key task unlocks git-crypt using a passphrase-encrypted GPG key, useful in CI environments. It decrypts an OpenSSL-encrypted GPG private key, imports it into GPG and runs git-crypt unlock. The passphrase is read from an environment variable so that it never appears on the process command line.

By default the key is imported into a temporary GPG home directory (created under the GPG work directory) which is used for both the import and the git-crypt unlock, so the private key never lands in the default keyring and does not persist after the task completes. A specific home directory can be provided via gpg_home_directory, in which case it is used as-is.

require 'rake_git_crypt'

RakeGitCrypt::Tasks::UnlockWithEncryptedGPGKey.define(
  encrypted_key_path: '.github/gpg.private.enc',
  passphrase_env_var_name: 'ENCRYPTION_PASSPHRASE'
)

Both parameters are optional and default to the values shown above. The task is also included in the standard task set, where the same settings can be provided via unlock_with_encrypted_gpg_key_encrypted_key_path and unlock_with_encrypted_gpg_key_passphrase_env_var_name, with the GPG home and work directories controlled by the shared gpg_home_directory and gpg_work_directory settings.

The passphrase is expected to be provided as a secret (for example the ENCRYPTION_PASSPHRASE GitHub Actions or Dependabot secret) and exposed to the step that runs the task:

ENCRYPTION_PASSPHRASE="..." bundle exec rake unlock_with_encrypted_gpg_key

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Managing CircleCI keys

To encrypt a GPG key for use by CircleCI:

openssl aes-256-cbc \
  -e \
  -md sha1 \
  -in ./config/secrets/ci/gpg.private \
  -out ./.circleci/gpg.private.enc \
  -k "<passphrase>"

To check decryption is working correctly:

openssl aes-256-cbc \
  -d \
  -md sha1 \
  -in ./.circleci/gpg.private.enc \
  -k "<passphrase>"

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/infrablocks/rake_git_crypt. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.