How to Implement Jenkins CI/CD With Git Crypt

Software applications are typically connected to externalities such as databases, SFTP sites, secured web APIs, etc. We often have to store the secrets used to access these externalities in the code we write and share these secrets with other developers in our team. These secrets can include things such as user IDs, passwords, private key files, or anything else that should not be seen by unauthorized persons. While the decision to include such secrets in a coding repository is often highly debated, there can be some use cases in which this approach may be necessary.

What Is Git Crypt?

git-crypt provides a security mechanism for Git repositories. It allows you to encrypt whatever files you wish within a repository. The encryption keys it uses can then be exported and securely shared among other developers, and they can be imported into tools such as Jenkins for testing and deployment.

Getting Started With Git Crypt

To get started with git-crypt, you will need to build it from source or install it through your operating system's preferred package manager. Once that is done, you will need to initialize your (existing) repository to work with git-crypt:

$ git-crypt init

You then need to tell git-crypt which files it needs to encrypt. Say you have a file containing your secrets, named i-want-this-to-be-private.txt, in a directory called secretdir. You would need to configure a .gitattributes file to tell git-crypt to encrypt this file:

# You can use the standard syntax of .gitattributes to configure this file,
# that could include things like wildcards or other directories.
secretdir/i-want-this-to-be-private.txt filter=git-crypt diff=git-crypt

Once you commit the .gitattributes file, you will need to make and save a change to secretdir/i-want-this-to-be-private.txt so that it has to be committed again. Once you have committed the updated version of this file, it will be encrypted for the next developer who clones the repository.

You can use the git-crypt status command to verify that your file has been encrypted.

Another user who clones the repository and attempts to view the file without decrypting it will see gibberish.

One way to allow authorized users to work with the repository would be to securely share with them a key file that will give them access. You can export this key with the command below; just make sure not to store it in the same directory as your repository:

$ # You can specify any file name or path here.
$ git-crypt export-key ../git-crypt.key

Once another authorized user has the key, he or she can use it to decrypt the file and use the repository:

$ git-crypt unlock ~/git-crypt.key

Now that we have the exported key, how do we integrate it into a Jenkins Pipeline?

How To Use Git Crypt in a Jenkins Pipeline

Creating Credentials in Jenkins

  1. Log in to your Jenkins web UI. Typically, this runs on port 8080 of the server on which Jenkins is installed.
  2. Within Jenkins, access the dashboard. Go to "Manage Jenkins." Then choose "Credentials."
  3. Upload the key you generated previously using the interface.
  4. Use the added key file in the Jenkins Pipeline. Here "git-crypt-export-key" is the ID given when you add Jenkins credentials.

pipeline {
    agent {
        node {
            label 'my-test-node'
        }
    }
    environment {
        mySecret = credentials("git-crypt-export-key")
    }
    stages { 
        stage("Decrypt the files") {
            steps {
                sh """
                    cd /opt/my-secret-repo
                    git-crypt unlock '$mySecret'
                """
            }
        }
    }
}

You may get a warning about data being passed insecurely by using this method. Jenkins raises it because the double-quoted Groovy string interpolates $mySecret into the command text before the shell runs it.
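A variant of the pipeline above that avoids that warning, added here as an example and not taken from the original article. It assumes the key was uploaded as a "Secret file" credential and that the Credentials Binding plugin is installed; the variable name GIT_CRYPT_KEY and the final lock step are assumptions of this example.

```groovy
pipeline {
    agent {
        node {
            label 'my-test-node'
        }
    }
    stages {
        stage('Decrypt the files') {
            steps {
                // Bind the secret file only for the duration of this block.
                // GIT_CRYPT_KEY (assumed name) holds the path to a temporary
                // copy of the key that Jenkins deletes when the block ends.
                withCredentials([file(credentialsId: 'git-crypt-export-key',
                                      variable: 'GIT_CRYPT_KEY')]) {
                    // Single-quoted Groovy string: Groovy does not interpolate
                    // it, so the shell expands "$GIT_CRYPT_KEY" from its
                    // environment and the value never enters the script text.
                    sh '''
                        set -eu
                        cd /opt/my-secret-repo
                        git-crypt unlock "$GIT_CRYPT_KEY"
                    '''
                }
            }
        }
    }
    post {
        always {
            // Re-lock the working copy so decrypted files and the key in
            // .git do not linger on the agent after the build.
            sh '''
                cd /opt/my-secret-repo
                git-crypt lock || true
            '''
        }
    }
}
```

Scoping the credential with withCredentials instead of the pipeline-wide environment block also keeps the key path out of stages that do not need it.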

Conclusion

This article shows both how to use git-crypt to protect secrets in a Git repository and how to use the keys it provides in CD tools such as Jenkins.
