Storing git-crypt Key In AWS Secrets Manager

Vinayak Pandey
2 min read · May 30, 2024

Step 1: Convert the binary key to base64-encoded text, so it can be stored as a secret string, using the following Python script:

import base64

# Path to the git-crypt key file
key_file_path = '/tmp/gitcrypt.key'

# Read the binary git-crypt key
with open(key_file_path, 'rb') as binary_file:
    binary_data = binary_file.read()

# Encode the binary data to Base64 (the result is plain ASCII text)
base64_encoded_data = base64.b64encode(binary_data).decode('utf-8')

# Path to the output text file
output_text_file_path = '/tmp/gitcrypt.txt'

# Write the Base64 encoded data to a text file
with open(output_text_file_path, 'w') as text_file:
    text_file.write(base64_encoded_data)

print("git-crypt key has been converted to text and saved.")

Step 2: Create a secret that stores the base64-encoded text:

aws secretsmanager create-secret --name MyTestSecret --region ap-southeast-1 --secret-string file:///tmp/gitcrypt.txt

Step 3: Now you can fetch the base64-encoded text from Secrets Manager using the following command:

aws secretsmanager get-secret-value --secret-id MyTestSecret --region ap-southeast-1 --query SecretString --output text > /tmp/secret.txt

Step 4: Convert the base64-encoded text back to the binary key using the following Python script:

import base64

# Path to the input text file (Base64 encoded)
input_text_file_path = '/tmp/secret.txt'

# Read the Base64 encoded text
with open(input_text_file_path, 'r') as text_file:
    base64_encoded_data = text_file.read()

# Decode the Base64 string back to binary data
# (b64decode ignores the trailing newline that `--output text` appends)
binary_data = base64.b64decode(base64_encoded_data)

# Path to the output binary key file
output_key_file_path = '/tmp/git-crypt-key'

# Write the binary data to the key file
with open(output_key_file_path, 'wb') as binary_file:
    binary_file.write(binary_data)

print("Text has been converted back to git-crypt key and saved.")

or with the equivalent shell script:

#!/bin/bash

# Input and output file paths
INPUT_TEXT_FILE="/tmp/secret.txt"
OUTPUT_KEY_FILE="/tmp/git-crypt-key"

# Check if the input file exists
if [ ! -f "$INPUT_TEXT_FILE" ]; then
  echo "Input file not found!"
  exit 1
fi

# Read the Base64 encoded text from the input file
BASE64_ENCODED_DATA=$(cat "$INPUT_TEXT_FILE")

# Decode the Base64 encoded data and write it to the output binary file
# (`base64 -d` is the short form of `base64 --decode`)
echo "$BASE64_ENCODED_DATA" | base64 --decode > "$OUTPUT_KEY_FILE"

echo "Base64 text has been converted back to git-crypt key and saved."
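As an added example (not part of the original post), the encode and decode steps above combined into one script with the checks a practitioner would want: strict base64 validation, tolerance of the trailing newline that `aws ... --output text` appends, a sanity check that the decoded bytes are a git-crypt key, and a key file created with mode 0600. The `\0GITCRYPTKEY` magic prefix is an assumption taken from the git-crypt key-file format, and the sample key is constructed.

```python
import base64
import binascii
import hashlib
import os
import tempfile

# Magic prefix of a git-crypt key file (assumption, taken from the git-crypt key-file format)
GITCRYPT_MAGIC = b"\x00GITCRYPTKEY"

def encode_key(key_bytes: bytes) -> str:
    """Binary key -> base64 text, the form stored with --secret-string."""
    if not key_bytes.startswith(GITCRYPT_MAGIC):
        raise ValueError("input does not look like a git-crypt key file")
    return base64.b64encode(key_bytes).decode("ascii")

def decode_key(secret_text: str) -> bytes:
    """Base64 text -> binary key. `aws ... --output text` appends a newline,
    so whitespace is stripped first; anything else non-base64 is rejected."""
    cleaned = "".join(secret_text.split())
    try:
        key_bytes = base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64: {exc}") from exc
    if not key_bytes.startswith(GITCRYPT_MAGIC):
        raise ValueError("decoded secret is not a git-crypt key")
    return key_bytes

def write_key_file(path: str, key_bytes: bytes) -> None:
    """Create the key file with mode 0600 so other local users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as key_file:
        key_file.write(key_bytes)

def round_trip(key_bytes: bytes) -> bool:
    """Encode, mimic the CLI's trailing newline, decode, write, then verify digest and mode."""
    restored = decode_key(encode_key(key_bytes) + "\n")
    with tempfile.TemporaryDirectory() as tmp_dir:
        out_path = os.path.join(tmp_dir, "git-crypt-key")
        write_key_file(out_path, restored)
        with open(out_path, "rb") as key_file:
            on_disk = key_file.read()
        mode_ok = (os.stat(out_path).st_mode & 0o777) == 0o600
    return mode_ok and hashlib.sha256(on_disk).digest() == hashlib.sha256(key_bytes).digest()

# Constructed sample key: real header layout (magic + big-endian format version 2), random body
SAMPLE_KEY = GITCRYPT_MAGIC + (2).to_bytes(4, "big") + os.urandom(48)

if __name__ == "__main__":
    print("round trip ok:", round_trip(SAMPLE_KEY))
```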

Now you can use the key to lock or unlock the repository's secrets:

git-crypt unlock /tmp/git-crypt-key
