Store it with some scheme like TripleSec https://keybase.io/triplesec/ and put it in a private gist on GitHub, so you'd need three encryption algorithms plus GitHub account security to be broken before anyone can get to it.
You can encrypt them using something like https://github.com/FiloSottile/age and then just store them in git. When you need to access them, just run "age -d .."
If you're paranoid you can use GPG + a smart card like a YubiKey, but it's all about the convenience trade-off.
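The age workflow described above (encrypt, commit only the ciphertext, `age -d` on demand), written out as a POSIX shell script. This is an added example, not code from either commenter or from the age project; it assumes the `age` and `age-keygen` binaries from github.com/FiloSottile/age are on PATH, and the file names `key.txt`, `secrets.env` and `secrets.env.age` are illustrative choices.

```shell
#!/bin/sh
# Added example: keep a secret in git only as age ciphertext.
# Assumes the age CLI (age, age-keygen) is installed; file names are illustrative.

# Encrypt a plaintext file to the recipient derived from an identity file and
# make sure the plaintext itself is ignored by git.
# Usage: age_store <identity file> <plaintext file>
age_store() {
  identity="$1"; plain="$2"
  recipient=$(age-keygen -y "$identity")        # public key for this identity
  age -r "$recipient" -o "$plain.age" "$plain"   # the .age file is what gets committed
  grep -qx "$plain" .gitignore 2>/dev/null || printf '%s\n' "$plain" >> .gitignore
}

# Decrypt on demand; plaintext goes to stdout, not back onto disk.
# Usage: age_load <identity file> <ciphertext file>
age_load() {
  age -d -i "$1" "$2"
}

# Self-contained round trip in a scratch directory with a constructed sample secret.
# Prints "ok" on success, or "skipped" when age is not installed.
age_roundtrip() {
  command -v age >/dev/null 2>&1 || { echo skipped; return 0; }
  command -v age-keygen >/dev/null 2>&1 || { echo skipped; return 0; }
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    age-keygen -o key.txt 2>/dev/null   # identity stays outside the repo (keychain, smart card, ...)
    printf 'API_TOKEN=constructed-sample-value\n' > secrets.env   # constructed, not a real token
    age_store key.txt secrets.env
    rm secrets.env                      # only secrets.env.age and .gitignore remain to commit
    if [ "$(age_load key.txt secrets.env.age)" = "API_TOKEN=constructed-sample-value" ]; then
      echo ok
    else
      echo fail
    fi
  )
  rm -rf "$work"
  return 0
}
```

The identity file is the part that must never enter the repository; the ciphertext can sit in git history indefinitely because it is useless without it.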
I'm really happy about this. I have private repos for personal information (e.g., tax spreadsheets going back a decade) that I keep synchronized across machines, and have to jump through hoops to get an encrypted authoritative remote source. Right now I do that with an encrypted partition on a private VM.
And, it really sucks that GitHub does not encrypt data at rest:
We do not encrypt repositories on disk because it would not be any more secure: the website and git back-end would need to decrypt the repositories on demand, slowing down response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.
--- SNIP ---
Encrypted disks are now the norm across various cloud providers, as is HTTPS. The crypto overheads are really low, and their benefits significantly outweigh the risks of leaving clear-text data on disks.
Also, defense-in-depth is always worth pursuing. The claim "it would not be any more secure" is so far from true, it's almost insulting to their target audience.
Careful. If you have already committed it, and you ever push the repo to a public GH repo, your key is compromised. Just because some benevolent slacker-attackers on HN aren't sniffing the PSHB event queue, doesn't mean no one is. If you ever send the secret to Github, criminals have it. If you ever committed it, and then you ever push, then you've sent it to GitHub.
So yes, add the file to gitignore and git rm it, but also invalidate your keys and get new ones.
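The point of the two comments above, shown concretely: after adding the file to `.gitignore` and `git rm --cached`, the secret is still recoverable from history, which is why the keys must be rotated. This is an added example, not code from the thread; it assumes only that `git` is on PATH, and the repository, file name and secret value are all constructed.

```shell
#!/bin/sh
# Added example: demonstrates that ".gitignore + git rm" does not scrub a committed secret.
# Assumes git is installed; everything below is constructed in a throwaway directory.

SAMPLE_SECRET="AKIA-CONSTRUCTED-SAMPLE-DO-NOT-USE"   # constructed placeholder, not a real key

# Commit with a fixed identity so the demo works in a fresh environment.
gcommit() { git -c user.name=demo -c user.email=demo@example.invalid commit -q -m "$1"; }

# Returns 0 if the given text appears in any commit reachable from any ref.
secret_in_history() {
  git grep -q -e "$1" $(git rev-list --all) 2>/dev/null
}

# Create a repo with the secret committed, apply the usual remediation, and report
# whether the secret is still in history. Prints "skipped" when git is unavailable.
leak_after_remediation() {
  command -v git >/dev/null 2>&1 || { echo skipped; return 0; }
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    git init -q
    printf 'AWS_KEY=%s\n' "$SAMPLE_SECRET" > .env
    git add .env && gcommit "add config"            # the mistake: secret committed

    # Remediation from the thread: ignore the file and stop tracking it
    printf '.env\n' > .gitignore
    git rm -q --cached .env
    git add .gitignore && gcommit "stop tracking .env"

    if secret_in_history "$SAMPLE_SECRET"; then
      echo still-in-history    # anyone who ever pulled, or any push target, still has it
    else
      echo gone
    fi
  )
  rm -rf "$work"
  return 0
}
```

`secret_in_history` is also a useful pre-push check in its own right: run it against the value you are worried about before the repository ever leaves your machine.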
An .envrc file with https://pypi.org/project/keyring/#using-keyring also provides a nice solution for keeping secrets out of git for local development. Requires no central server, only your local key storage (e.g. Keychain for macOS).
If you ever push anything to a public GitHub repository it is immediately mirrored by a host of bots. If it was there for any amount of time, it's there. That said, if I'm honest I think almost no one checks the SSH host key. I would bet that for 9 out of 10 engineers / devops / security people, they will ignore the SSH host key and might even set StrictHostKeyChecking=no.
I know I know. All you have to do is to just MITM someone's DNS or IP traffic or whatever and it's all over. Well, I will guarantee you that millions of bitcoin are sitting there waiting for you to take it. It's all yours. Go take it. You could be a millionaire tomorrow. And if you do it right, they'll let you keep some of it if you send most of it back.
I did something similar where you could send GitHubers encrypted messages only they could decrypt via their SSH public key that GitHub makes available: https://github.com/rockymadden/github-crypt