Plural reimplements git-crypt in its management of secret data within git. This provides transparent file access to users with the repo's AES key, along with full support for tooling like local diffs, while still providing full obfuscation of secret data when pushed to remote.
The encryption key is automatically generated by Plural and stored in Plural's config directory ~/.plural. We provide commands for importing/exporting the key, as well as a mechanism for sharing the repo with multiple users using the successor to PGP, age.
Sharing a Plural Git Repository
Register a public key
To register a key for your current machine, run:
plural crypto setup-keys --name <name-for-key-pair>
This will generate a new keypair and automatically register the public key with the Plural API. You should be able to see it listed here in our web app, and the keypair will be stored in ~/.plural/identity.
Share the repository
To share a repo, use the following command:
plural crypto share --email <email1> --email <email2>
Info: --email refers to a user's email associated with their Plural account.
This will do a few things:
- create a base identity to encrypt the repo's current AES key and store it in a git-ignored place under ${REPO_ROOT}/.plural-crypt
- register all the users who have access in a yaml file under ${REPO_ROOT}/.plural-crypt
- encrypt the file using all this information and store it under ${REPO_ROOT}/.plural-crypt
If you have the Plural Console deployed, run:
plural build --only console
plural deploy
git add . && git commit -m "set up encryption"
git push
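A check worth running before the push, as an added example (not Plural's own code): it lists staged files that carry an encryption filter attribute but were stored as plaintext because the clean filter never ran. It assumes the repo marks secret paths with a `filter=<name>` attribute in `.gitattributes`, as git-crypt does; the function names, the `demo-crypt` filter and the rot13 stand-in driver are constructed for the demo.

```shell
#!/bin/sh
# Added example. Prints tracked paths that have filter=<name> set but whose staged
# blob is byte-identical to the working-tree file, meaning the clean filter did
# not transform it and plaintext would be pushed. Run in an unlocked working copy.
unencrypted_paths() {
    repo=$1 filter=$2
    git -C "$repo" ls-files |
    git -C "$repo" check-attr --stdin filter |
    while IFS= read -r line; do
        case $line in
            *": filter: $filter") path=${line%": filter: $filter"} ;;
            *) continue ;;
        esac
        staged=$(git -C "$repo" rev-parse ":$path")                 # blob id in the index
        raw=$(git -C "$repo" hash-object --no-filters -- "$path")   # id of the raw file
        if [ "$staged" = "$raw" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Constructed sample repo. With $2 = "on" a toy clean/smudge pair is configured
# (rot13, a stand-in that is NOT encryption); with "off" the attribute is set but
# no driver exists, so git stores the file unchanged.
make_demo_repo() {
    dir=$(mktemp -d) || return 1
    git -C "$dir" init -q
    if [ "$2" = on ]; then
        git -C "$dir" config filter."$1".clean 'tr a-zA-Z n-za-mN-ZA-M'
        git -C "$dir" config filter."$1".smudge 'tr a-zA-Z n-za-mN-ZA-M'
    fi
    printf 'secret.yaml filter=%s\n' "$1" > "$dir/.gitattributes"
    printf 'token: hunter2\n' > "$dir/secret.yaml"
    printf 'public\n' > "$dir/README"
    git -C "$dir" add -A
    printf '%s\n' "$dir"
}
```

Call it as `unencrypted_paths "$REPO_ROOT" <filter-name>` with the filter name your `.gitattributes` declares; any path it prints should be fixed and re-staged before pushing.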