I’ve gotten into the habit of adding .gitignore and putting secret keys and other stuff in there. Basically I don’t think keys should ever be on GitHub, even if the repo is private (in case of hackers—you never know).
So the question is, when working on a team, how do you securely share and manage
I bookmarked git-crypt but have not used it yet.
What we do is set settings.json to be ignored in .gitignore and then have a settings.example.json or settings.default.json with an example of all the keys developers will need or default keys that we don’t care about (if possible).
Actually sharing the keys once we onboard a new dev is something we usually do through Dropbox.
We have a list of keys spelled out in our README with empty values, so users know what keys to expect.
Then we share keys on Slack with new developers. They give us the “OK” that they’ve copied it to their local environment files. We then delete the message on Slack.
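The two replies above both rely on a committed template (settings.example.json, or a README key list with empty values) beside a git-ignored local file that each developer fills in. The following added script, not code from any poster in this thread, checks a local settings.json against that template: it reports template keys the developer has not defined, local keys the template does not document, keys still holding the placeholder value, and whether .gitignore actually lists the local file. The file names and sample contents are assumptions; the values are constructed.

```python
import json
from pathlib import Path

# Constructed sample content standing in for the committed template
# (settings.example.json) and the git-ignored per-developer file
# (settings.json); the file names follow the thread, the values are made up.
EXAMPLE_JSON = '{"API_KEY": "", "DB_URL": "postgres://localhost/dev", "SMTP_PASSWORD": ""}'
LOCAL_JSON = '{"API_KEY": "sk-constructed-not-a-real-key", "SMTP_PASSWORD": "", "LEGACY_TOKEN": "old"}'
GITIGNORE = "node_modules/\n/settings.json\n"

# Values a template may legitimately hold for a key the developer must fill in.
PLACEHOLDERS = {"", "changeme", "<fill-in>"}


def check_settings(example_text, local_text, gitignore_text, local_name="settings.json"):
    """Compare a developer's local settings against the committed template.

    Returns a dict with:
      missing_locally  - template keys the local file does not define
      undocumented     - local keys the template does not list (add them to
                         the template so other developers know to expect them)
      unfilled         - local keys still holding a template placeholder
      local_is_ignored - whether .gitignore lists the local file by name
    """
    example = json.loads(example_text)
    local = json.loads(local_text)
    # Plain file-name entries only; a leading "/" anchors to the repo root.
    ignored = {line.strip().lstrip("/") for line in gitignore_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return {
        "missing_locally": sorted(set(example) - set(local)),
        "undocumented": sorted(set(local) - set(example)),
        "unfilled": sorted(k for k in example if k in local
                           and str(local[k]).strip().lower() in PLACEHOLDERS),
        "local_is_ignored": local_name in ignored,
    }


def check_repo(root="."):
    """Run the check against real files in a checkout (paths are assumptions)."""
    root = Path(root)
    return check_settings((root / "settings.example.json").read_text(),
                          (root / "settings.json").read_text(),
                          (root / ".gitignore").read_text())


if __name__ == "__main__":
    for finding, value in check_settings(EXAMPLE_JSON, LOCAL_JSON, GITIGNORE).items():
        print(f"{finding}: {value}")
```

Running it as a pre-commit or onboarding step catches a template that drifted from the real file before a missing key fails at runtime, and flags the case where the local file is no longer ignored.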