Plural reimplements git-crypt in its management of secret data within git. This provides transparent file access to users with the repo's AES key, along with full support for tooling like local diffs, while still providing full obfuscation of secret data when pushed to remote.
The encryption key is automatically generated by Plural and stored in Plural's config directory ~/.plural. We provide commands for importing/exporting the key, as well as a mechanism for sharing the repo with multiple users using the successor to PGP, age.
Sharing a Plural Git Repository
Let's consider a case where Alice wants to share her repository with a teammate Bob. She wants to use our managed age encryption to do that fully securely. There are three steps to this.
Register a public key
First, Alice and Bob both need to register age keypairs with plural. To do that register, they should both run this command on their current machine:
plural crypto setup-keys --name <name-for-key-pair>
This will generate a new keypair and automatically register the public key with the Plural API. You should be able to see it listed here in our web app and the keypair will be stored in ~/.plural/identity.
Share the repository
To share a repo, Alice will run the following command on her already decrypted repo:
plural crypto share --email <email1> --email <email2>
Info:
--email refers to a user's email associated with their Plural account
This will do a few things:
- create a base identity to encrypt the repo's current AES key and store it in a git-ignored place under
${REPO_ROOT}/.plural-crypt. - register all the users who have access in a yaml file under
${REPO_ROOT}/.plural-crypt - encrypt the file using all this information and store it under
${REPO_ROOT}/.plural-crypt
If you have the Plural Console deployed, run:
plural build --only console plural deploy --commit "set up encryption"
Regardless, whether the console is installed or not, you should be sure the files written locally were pushed upstream, which can also be done with:
git add . git commit -m "set up age encryption" git push
Bob Decrypts the Repository
Now that the keypairs are registered, and repo encryption has moved to using age, Bob should be able to freely decrypt the repo, which is done simply by:
git clone <your-git-url> plural crpyto init plural crypto unlock
Helpful Hints
- Encryption keys are stored locally or in plural's keybackups, so if new teammate gets a new machine, you'll likely need to do this process again for that teammate.
- You can also share encryption in a more dirty way using
plural crypto exportandplural crypto import