Keruspe's blag


Various free software hacking stuff

Manage your critical configuration files with git

by Marc-Antoine Perennou on January 21, 2013

Tagged as: sysadmin, git.

A few months ago, I decided to track my configuration files using git, which I use for pretty much everything now.

The problem I had to face is that some of them contain passwords, so I couldn’t leave them as is.

Setting up the test environment

Ok, we now have a remote repository in ~/tmp/test.git and a working directory in ~/tmp/test

Configuring the working directory to be “password-safe”

Ok, what’s going on there?

I’m creating a filter which I call “password”. A filter consists of two functions:

* clean is called on each file when you're committing, before creating the git objects corresponding to your commit.
* smudge is called when you checkout, each time git is recreating your working directory from the git objects.

Note that sed is not editing anything in place here, since I did not add the -i argument: these commands are called as part of a pipe, not directly on files.

I then create a .git/info/attributes file, in which I tell git to use my brand new “filter” password for the file myconf.conf. You can use any pattern that git understands here, and can obviously add multiple lines.


Let’s now create the myconf.conf file we mentioned earlier, let’s push it to the remote repository, and clone it from anywhere else, to see the result.

As you can see, in my ~/tmp/test working directory, where I have my filter set up, nothing has changed at all, whereas in the brand new clone ~/tmp/test2 (and thus on the server), all my passwords are masked and are not accessible. This way, you can track your configuration files using git and share them with others without even thinking about your passwords, as long as everything is in your filter.
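
The whole procedure described above, as an added example (not the post's original commands). It runs in a temporary directory instead of ~/tmp; the sample password, the `@PASSWORD@` placeholder and the sed expressions are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the post's original commands. SECRET, MASK and the sed
# expressions are constructed for the demonstration.
SECRET='s3cr3t-constructed'   # constructed sample password
MASK='@PASSWORD@'             # hypothetical placeholder stored in git objects

# Build <root>/test.git (remote), <root>/test (filtered) and <root>/test2 (plain clone).
setup_demo() (
    root=$1
    git init -q --bare "$root/test.git" || exit 1
    git clone -q "$root/test.git" "$root/test" 2>/dev/null || exit 1
    cd "$root/test" || exit 1
    git config user.name demo
    git config user.email demo@example.invalid
    # clean runs on commit (mask the secret); smudge runs on checkout (restore it).
    # Both read stdin and write stdout. The secret itself ends up in .git/config,
    # which is local to this working copy and is never pushed.
    git config filter.password.clean  "sed -e 's/$SECRET/$MASK/g'"
    git config filter.password.smudge "sed -e 's/$MASK/$SECRET/g'"
    mkdir -p .git/info
    echo 'myconf.conf filter=password' > .git/info/attributes
    printf 'user = demo\npassword = %s\n' "$SECRET" > myconf.conf
    git add myconf.conf && git commit -q -m 'Add myconf.conf' || exit 1
    git push -q origin HEAD 2>/dev/null || exit 1
    # .git/info/attributes and .git/config are not cloned, so test2 has no filter.
    git clone -q "$root/test.git" "$root/test2"
)

# Print the number of lines in the committed blob that still contain the secret.
# cat-file reads the raw object, so the smudge filter is not applied.
committed_secret_lines() {
    git -C "$1" cat-file -p HEAD:myconf.conf | grep -c -- "$SECRET" || true
}

demo=$(mktemp -d)
setup_demo "$demo"
echo "working copy: $(grep password "$demo/test/myconf.conf")"
echo "fresh clone:  $(grep password "$demo/test2/myconf.conf")"
echo "secret lines in committed blob: $(committed_secret_lines "$demo/test")"
rm -rf "$demo"
```

The check on the committed blob only covers secrets the clean command matches; a password the sed expression does not know about is committed as is.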