Merge pull request #163 from ucladevx/ryan-gpg

Ryan gpg keys
ucladevx · Apr 9, 2020 · 747a4ff · 747a4ff
2 parents 4975600 + 1fc167c
commit 747a4ff
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/.git-crypt/keys/default/0/2317490C9F5D61A74D17418DDA7F8E799C929B99.gpg b/.git-crypt/keys/default/0/2317490C9F5D61A74D17418DDA7F8E799C929B99.gpg
diff --git a/.git-crypt/keys/default/0/35D3ACA5459312DA2C815F8A234F3767A1F73329.gpg b/.git-crypt/keys/default/0/35D3ACA5459312DA2C815F8A234F3767A1F73329.gpg
diff --git a/README.md b/README.md
@@ -26,8 +26,29 @@ Hosted on GitHub Pages at http://ucladevx.com/BMaps-Backend/
 
 ## Repo Breakdown
 
-- Database config/data in `/database`
-- Backend source code in `src/`
-- tkinter GUIs in `tkinter/`
-- Autodocumentation in `docs/`
-- Beautiful Soup Scraping in `scraping/` 
+- Database config/data is in `/database`
+- Backend source code is in `src/`
+- tkinter GUIs is in `tkinter/`
+- Autodocumentation is in `docs/`
+- Beautiful Soup Scraping is in `scraping/` 
+
+## Using git crypt to get access to .env files
+
+- Generate a rsa2048 gpg key using the gpg tool
+  - `gpg full-generate-key`
+  - Make sure to record your passphrase in a secure location, and also to generate a revocation certificate for the key in case it gets compromised or lost
+    - `gpg --output revocation-cert.asc --gen-revoke <PUB-KEY-SIG>`
+- Convey your gpg key through a keyfile securely to a project member, either using a pub key server, or through another clandestine channel
+  - To generate the key file:
+    - `gpg --output <YOUR_NAME>.gpg --export <PUB-KEY-SIG>`
+- The team member will then add your pub-key to their gpg key-chain using 
+  - `gpg --import <keyfile>`
+  - Note that keyfile in this step is the same as the <YOUR_NAME>.gpg file generated in the previous step
+  - They may also choose to sign the key if they trust you.
+- Finally, the team member will run:
+  - `git-crypt --add-gpg-user <team member to be added's email or any other identifier of key>`
+  - Then they must push their changes (adding your pub key) made to the repository to the remote, and those changes pulled by you
+  - Note that their changes will not appear when `git status` is run, so it may be necessary to make some other change in the repository to successfully push the newly added pub key within git crypt
+- Finally, once you have the updated repository they pushed, run
+  - `git-crypt unlock`
+  - you will not need to run git-crypt unlock again, since git-crypt will automatically encrypt your .envs as you push them within this repo, and decrypt them as they are pulled from the remote. GLHF.