Secret Management
Plural reimplements git-crypt for managing secret data within git. This gives users who hold the repo's AES key transparent file access, with full support for local tooling such as diffs, while secret data remains fully obfuscated when pushed to a remote.
The encryption key is generated automatically by plural and stored in plural's config directory, ~/.plural. We provide commands for importing and exporting the key, and a mechanism for sharing the repo with multiple users that uses age, the successor to PGP.

Sharing a repo

To share an encrypted plural repo, there are two steps:
  • Register an age public key with plural
  • Share the repo with a list of emails for plural users with registered keys

Registering a public key

To register a key for your current machine, run:
plural crypto setup-keys --name <name-for-key-pair>
This will generate a new age keypair and automatically register the public key with the plural api. You should be able to see it listed here, and the keypair will be stored in ~/.plural/identity.

Share a repo

To share a repo, simply run:
plural crypto share --email <email1> --email <email2>
This will do a few things:
  • create a base age identity to encrypt the repo's current AES key, and store it in a gitignored location under ${REPO_ROOT}/.plural-crypt
  • register all the users who have access in a YAML file under ${REPO_ROOT}/.plural-crypt
  • age-encrypt the file using all this information and store it under ${REPO_ROOT}/.plural-crypt
If you have the plural console deployed, it's also recommended you run:
plural build --only console
plural deploy
git add . && git commit -m "set up age"
git push
to ensure it now uses age to manage its encryption key.

Cloning a shared repo

If you're cloning a repo that's just been shared, you'll need to initialize plural cryptography locally. Fortunately, this is all done via:
plural crypto init
plural crypto unlock