git sensitive data
Git hardly forgets
Ombu Labs, January 2016
The Problem
$ echo "secret data" > id_rsa
$ git add id_rsa
$ git commit -m "bad commit"
$ git rm id_rsa
$ git show d6ec68d
d6ec68d - bad commit
diff --git a/id_rsa b/id_rsa
secret data
The Data remains
$ git filter-branch --tree-filter 'rm -f id_rsa' HEAD
Rewrite f5741346a28c65097b2a4e1ac9d9f31ca99ce43e (4/4)
Ref 'refs/heads/master' was rewritten
$ git log
0849436 - (HEAD -> master) remove id_rsa file
1ec887c - another file
7108ca8 - bad commit
474db38 - initial commit
$ git show 7108ca8
7108ca8 - bad commit
Rewrite the history
$ git show d6ec68d
d6ec68d - bad commit
secret data
Rewrite the history
Seems that the history still exists …
$ git push
$ git clone [email protected]:git-demo.git
$ git show d6ec68d
fatal: ambiguous argument 'd6ec68d': unknown revision or path not in the working tree.
Local vs Remote
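Added example, not part of the original slides: a shell check of why the old commit can still be shown locally after filter-branch while a fresh clone no longer has it. It assumes the old objects are kept alive by the refs/original/ backup refs and the reflog, and it uses reflog expiry and gc --prune=now, which the slides do not show; the function names and the throwaway repository are constructed for illustration.

```shell
# Added example (not from the slides); repo contents below are constructed.

# Print ids of all blobs in repo $1 whose content contains fixed string $2.
# --batch-all-objects also lists objects no branch points to any more.
blobs_with_secret() {
    git -C "$1" cat-file --batch-all-objects \
        --batch-check='%(objectname) %(objecttype)' |
    while read -r oid type; do
        [ "$type" = blob ] || continue
        if git -C "$1" cat-file -p "$oid" | grep -qF -e "$2"; then
            echo "$oid"
        fi
    done
}

count_secret() { blobs_with_secret "$1" "$2" | wc -l | tr -d ' '; }

# Remove what keeps pre-rewrite commits alive locally, then prune them.
purge_rewritten_history() {
    git -C "$1" for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git -C "$1" update-ref -d "$ref"; done
    git -C "$1" reflog expire --expire=now --all
    git -C "$1" gc --quiet --prune=now
}

# Replay the id_rsa scenario in a throwaway repo and print the blob count
# after "git rm", after filter-branch, and after the purge.
demo() {
    repo=$(mktemp -d) || return 1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid \
           GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid \
           FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's warning delay
    (
        cd "$repo" && git init -q . &&
        echo "readme" > README && git add README &&
        git commit -q -m "initial commit" &&
        echo "secret data" > id_rsa && git add id_rsa &&
        git commit -q -m "bad commit" &&
        git rm -q id_rsa && git commit -q -m "remove id_rsa file"
    ) >/dev/null 2>&1 || return 1
    after_rm=$(count_secret "$repo" "secret data")
    (cd "$repo" && git filter-branch --tree-filter 'rm -f id_rsa' HEAD) \
        >/dev/null 2>&1 || return 1
    after_filter=$(count_secret "$repo" "secret data")
    purge_rewritten_history "$repo"
    after_purge=$(count_secret "$repo" "secret data")
    rm -rf "$repo"
    echo "$after_rm $after_filter $after_purge"
}
demo   # prints "1 1 0"
```

The same count_secret check can be run against any local clone to confirm a rewrite actually removed the data before relying on it.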
$ git filter-branch --tree-filter 'git ls-files -z "*.rb" | xargs -0 perl -p -i -e "s#(12345)#REMOVED#g"' -- --all
Rewrite 051fdf0ac67128a918dd703e26df5737cf6f39da (8/8)
...
Ref 'refs/remotes/origin/awesome-feature' was rewritten
Ref 'refs/remotes/origin/master' was rewritten
$ git gc --aggressive --prune
$ git push -f
Filter Passwords
$ git log
bba8283 - replace api key with env var
7152c92 - add api key to demo.rb
$ git show 7152c92
7152c92 - add api key to demo.rb
+API_KEY=REMOVED
The Result
Safest Solution
• Change all current keys & passwords
• rm -rf .git/
Thank you!
Questions?