Git ‘store’ credential helper with encrypted partition

Tonight I was setting up git on a new linux box so that it can access GitHub. I enabled two-factor authentication on my GitHub account almost a year ago; some great instructions for doing this are available here. I had been using “credential.helper cache’ for storing my credentials on linux machines, but this is a temporary store that by default caches your credentials for 15 minutes. I could increase that default, but it’s still going to be temporary. On my MacBook, I use the OSX Keychain to store these credentials permanently, which has unfortunately made me lazy. I wanted a way to store these credentials safely on my linux box so that I didn’t have to type them in repeatedly.

This led me to the git-credential-store helper. This stores credentials on disk, however they are not encrypted. So I began looking for an alternative. I wondered if I could use the gnome keyring with git. A search turned up that this might be possible but it wouldn’t be easy. Then it occurred to me that I have an encrypted partition on this machine utilizing dm-crypt plus LUKS and mounted under my home directory. If the git-credential-store helper stored credentials in this encrypted partition, that would provide some protection. There are still vulnerabilities, but I carried on.

Beware: I am NOT a security professional so what I am doing here might be horrible advice. It is quite possible that I have no idea what I am doing.

The git-credential-store helper has a “–file=” option that can be used to specify the file where credentials are stored. I set this to a file in my encrypted partition. By default this is “~/.git-credentials” so I used that same file name and replaced the “~” with an encrypted directory path (in the example here that is “/home/myname/encrypted/”). Let’s say that git is configured with the commands below.

$ git config --global user.name "MyName"
$ git config --global user.email "me@somewhere"
$ git config --global credential.helper 'store --file=/home/myname/encrypted/.git-credentials'

As a result, the “~/.gitconfig” file should look something like the below snippet.

[user]
	name = MyName
	email = me@somewhere
[credential]
	helper = store --file=/home/myname/encrypted/.git-credentials

If the “/home/myname/encrypted/.git-credentials” file doesn’t exist, it will be created the next time that git requests credentials (when using two-factor authentication then remember that the Personal Access Token is used for the password and not the regular GitHub password). After that, credentials should not have to be entered again (of course, this assumes that the encrypted partition is available and at the same mount point).

About Noel McKinney

Noel McKinney is the administrator of noelmckinney.com
This entry was posted in General Technology and tagged . Bookmark the permalink.