{"id":267,"date":"2020-08-05T12:07:58","date_gmt":"2020-08-05T10:07:58","guid":{"rendered":"https:\/\/www-beta.zero-one.io\/?p=267"},"modified":"2021-01-22T10:55:55","modified_gmt":"2021-01-22T08:55:55","slug":"test-blog-post-2","status":"publish","type":"post","link":"https:\/\/www.zero-one.io\/?p=267","title":{"rendered":"Safely storing passwords and secrets in your git repo"},"content":{"rendered":"\n<p>Managing secrets for a code base is a tricky proposition. For too long, traditional DevOps approaches have seen teams build elaborate out-of-band workflows to manage system secrets, API keys and tokens, and traditional passwords. This tends to be an error-prone and painful process. This is never a good scenario to be faced with when considering options around security.<\/p>\n\n\n\n<p>At the same time, storing these secrets inside your <a href=\"https:\/\/en.wikipedia.org\/wiki\/Distributed_revision_control\">DVCS<\/a> is also a really easy way to get onto the <a href=\"http:\/\/mybroadband.co.za\/\">MyBroadband<\/a> or <a href=\"http:\/\/www.itweb.co.za\">IT Web<\/a> front page with a &#8220;YourCompany: HACKED!&#8221; headline.<\/p>\n\n\n\n<p>As an illustration, a quick <a href=\"https:\/\/github.com\/michenriksen\/gitrob\">GitRob<\/a> spree on your local GitHub organisation can reveal some serious vulnerabilities that are literally just waiting there for someone to exploit. I ran this on an open source project whose name I will not disclose, and got some very interesting results that could lead to a lot of mischief.<\/p>\n\n\n\n<p>Recently, some new software has hit the scene: <a href=\"https:\/\/github.com\/StackExchange\/blackbox\">BlackBox<\/a>, a utility built by the smart people at <a href=\"http:\/\/stackexchange.com\/\">StackExchange<\/a>. 
Blackbox is a suite of scripts that aims to marry the ever-warring security and convenience into something that should satisfy both the development and security teams.<\/p>\n\n\n\n<p>Blackbox uses <a href=\"https:\/\/www.gnupg.org\/\">GPG<\/a> to encrypt files before they&#8217;re sent to your DVCS (assuming GitHub for the remainder of this article), and decrypts them when needed, either by you, your team, or an automated system. Blackbox is so promising, in fact, that <a href=\"https:\/\/www.zero-one.io\/blog\/2015\/04\/14\/safely-storing-passwords-and-secrets-in-your-git-repo\/www.thoughtworks.com\/\">ThoughtWorks<\/a> have listed it among their <a href=\"http:\/\/www.thoughtworks.com\/radar\/tools\/blackbox\">tools to assess for the January 2015 Tech Radar<\/a>.<\/p>\n\n\n\n<p>There really is a lot to cover in terms of workflow, but for today we&#8217;ll keep it simple, and walk through the most typical steps of starting a blackboxed project, adding files, editing files, and adding collaborators.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Dependencies<\/h3>\n\n\n\n<p>The following instructions assume some basic groundwork has been laid down.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>You are working on a project hosted on GitHub or a similar online source code management tool.<\/li><li>You and your whole team have access to this project.<\/li><li>As all examples are run from the shell, you are comfortable running shell commands.<ul><li>If you&#8217;re copying and pasting the commands below into ZSH instead of BASH, please run this command first: <code>setopt interactivecomments<\/code><\/li><\/ul><\/li><li>You have blackbox installed as per <a href=\"https:\/\/github.com\/StackExchange\/blackbox#installation-instructions\">one of these installation methods<\/a>.<\/li><li>You have GPG installed.<\/li><li>You have GPG keys on your machine (Zero One uses, and loves <a 
href=\"https:\/\/keybase.io\">Keybase.io<\/a>)<ul><li>Use Keybase and install your keys via <code>keybase login<\/code>, or<\/li><li>Simply generate your own keys via the GPG command line. <a href=\"http:\/\/moser-isi.ethz.ch\/gpg.html#tocreateanewkeypair\">You can use this tutorial to get started<\/a><\/li><\/ul><\/li><\/ul>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Prep your project for Blackbox<\/h3>\n\n\n\n<p>Start up your gpg-agent so your passphrased keys are stored in memory:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ eval $(gpg-agent --daemon)<\/code><\/pre>\n\n\n\n<p>Let Blackbox initialize some housekeeping files:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ blackbox_initialize<\/code><\/pre>\n\n\n\n<p>The next command is provided by blackbox, just copy and paste your version:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ git commit -m'INITIALIZE BLACKBOX' keyrings .gitignore<\/code><\/pre>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Now add yourself as an admin<\/h3>\n\n\n\n<p>Blackbox requires admins to be managed via a simple text list file, and a keyring of GPG keys. The keyring is used so that all admins can have their own keys, and still decrypt files. As we&#8217;ve said earlier, we&#8217;re fans of <a href=\"http:\/\/keybase.io\/\">Keybase, a crypto service that helps manage GPG transmissions<\/a>. 
I&#8217;ll be encrypting files using my Keybase ID.<\/p>\n\n\n\n<p>To see a list of GPG keys on your machine, and to get the UID you need to provide blackbox with, run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ gpg --list-keys<\/code><\/pre>\n\n\n\n<p>Choose your key, and give the UID to blackbox:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ blackbox_addadmin keybase.io\/gee_forr<\/code><\/pre>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Time to get some files blackboxed<\/h3>\n\n\n\n<p>Let&#8217;s get Blackbox to manage a couple of secretive files for us. To do this, we register a new file with a simple command. In this demo, I&#8217;ll be encrypting a Rails app&#8217;s <code>secrets.yml<\/code> and <code>database.yml<\/code> files. You can add as many, or as few files as you wish. Really paranoid people might want to consider even blackboxing the <code>db\/schema.rb<\/code> file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ blackbox_register_new_file config\/secrets.yml\n$ blackbox_register_new_file config\/database.yml\n$ blackbox_register_new_file db\/schema.rb<\/code><\/pre>\n\n\n\n<p>Blackbox does a couple of clever things here. Firstly, it adds the GPG version of the file to the git repo, and secondly, it adds the unencrypted file&#8217;s name to the repo&#8217;s <code>.gitignore<\/code> file so that you won&#8217;t accidentally add the decrypted file back into source control.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">What about editing blackboxed files?<\/h3>\n\n\n\n<p>To edit a file, you have a number of options. 
You can decrypt, then edit, then encrypt, or you can do that all in one command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ blackbox_edit config\/secrets.yml.gpg<\/code><\/pre>\n\n\n\n<p>This will prompt for your passphrase, decrypt the file, and open up <code>$EDITOR<\/code>. Writing and quitting the editing session will re-encrypt the file.<\/p>\n\n\n\n<p>Whilst you&#8217;re editing <code>secrets.yml<\/code>, why not remove the production reference to an env var, and put the secret key right in there? Don&#8217;t forget to keep on committing changes as you go along.<\/p>\n\n\n\n<p>If you want to have a file decrypted so that you can run a development environment, just run <code>blackbox_edit_start<\/code> on the file name. This will decrypt it and do nothing else. Running <code>blackbox_edit_end<\/code> on the file name will re-encrypt it.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">I work on a team, how do I get other devs access to these files?<\/h3>\n\n\n\n<p>This is a slightly finicky process. It involves all the prerequisites outlined above, and then implements a &#8220;vouchsafe&#8221; process to allow new people onto the project. Here&#8217;s another reason we love Keybase. Keybase provides a way for someone to verify another person using their social media logins. If you know someone&#8217;s Twitter or GitHub handles, you can find their Keybase fingerprint from there, and rest assured that the person you are &#8220;indoctrinating&#8221; (Blackbox&#8217;s term, not ours) is who they claim to be.<\/p>\n\n\n\n<p>On your new colleague&#8217;s machine, the following commands are run from within the project&#8217;s repo:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ blackbox_addadmin keybase.io\/ridhwana<\/code><\/pre>\n\n\n\n<p>Here, Ridhwana adds her Keybase UID. 
This outputs a suggested git command for committing the files.<\/p>\n\n\n\n<p>Push the application for the new admin back to the central git repo:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ git push<\/code><\/pre>\n\n\n\n<p>Once the application for admin rights is back on the central git repo, a current admin can continue the indoctrination process on their machine.<\/p>\n\n\n\n<p>Fetch the latest code, which includes the newly proposed admin:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ git pull<\/code><\/pre>\n\n\n\n<p>Add the new public keyring to GPG:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ gpg --import keyrings\/live\/pubring.gpg<\/code><\/pre>\n\n\n\n<p>Now decrypt and re-encrypt all the files using the new keyring:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ blackbox_update_all_files<\/code><\/pre>\n\n\n\n<p>And finally, push all these changes back to your central git repo:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ git commit -a\n$ git push<\/code><\/pre>\n\n\n\n<p>From this point on, both admins should be able to work with these files securely.<\/p>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Other points to consider<\/h2>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">What happens when someone leaves the team?<\/h3>\n\n\n\n<p>Standard practice in these cases, with or without a tool like Blackbox, should be to regenerate any keys or tokens, and change any passwords. 
Once that&#8217;s done, running the <code>blackbox_removeadmin<\/code> command will help to remove their key from the keyring, and re-encrypt all files.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">What about automated systems that need to access these files?<\/h3>\n\n\n\n<p>Your CI server, or orchestration servers can have a GPG key without a passphrase added. This is done by creating a sub-key from another key. These servers should be locked down extremely tight. If someone breaks into a server like this, you&#8217;ve already lost, and fretting over a machine-use-only key will be the least of your worries.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Managing secrets for a code base is a tricky proposition. For too long, traditional DevOps approaches have seen teams build elaborate out-of-band workflows to manage system secrets, API keys and tokens, and traditional passwords. This tends to be an error-prone and painful process. 
This is never a good scenario to be faced with when considering [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":673,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-267","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Safely storing passwords and secrets in your git repo - Zero One<\/title>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Safely storing passwords and secrets in your git repo - Zero One\" \/>\n<meta property=\"og:description\" content=\"Managing secrets for a code base is a tricky proposition. For too long, traditional DevOps approaches have seen teams build elaborate out-of-band workflows to manage system secrets, API keys and tokens, and traditional passwords. This tends to be an error-prone and painful process. 
This is never a good scenario to be faced with when considering [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.zero-one.io\/?p=267\" \/>\n<meta property=\"og:site_name\" content=\"Zero One\" \/>\n<meta property=\"article:published_time\" content=\"2020-08-05T10:07:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-01-22T08:55:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.zero-one.io\/wp-content\/uploads\/2020\/08\/blog-image-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"932\" \/>\n\t<meta property=\"og:image:height\" content=\"573\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Annette Schuman\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Annette Schuman\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267\"},\"author\":{\"name\":\"Annette Schuman\",\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/#\\\/schema\\\/person\\\/6eb7b0e5d744fecd1e83efeb2c7c8d44\"},\"headline\":\"Safely storing passwords and secrets in your git 
repo\",\"datePublished\":\"2020-08-05T10:07:58+00:00\",\"dateModified\":\"2021-01-22T08:55:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267\"},\"wordCount\":1140,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.zero-one.io\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/blog-image-2.png\",\"inLanguage\":\"en-ZA\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.zero-one.io\\\/?p=267#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267\",\"url\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267\",\"name\":\"Safely storing passwords and secrets in your git repo - Zero One\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.zero-one.io\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/blog-image-2.png\",\"datePublished\":\"2020-08-05T10:07:58+00:00\",\"dateModified\":\"2021-01-22T08:55:55+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/#\\\/schema\\\/person\\\/6eb7b0e5d744fecd1e83efeb2c7c8d44\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267#breadcrumb\"},\"inLanguage\":\"en-ZA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.zero-one.io\\\/?p=267\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-ZA\",\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267#primaryimage\",\"url\":\"https:\\\/\\\/www.zero-one.io\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/blog-image-2.png\",\"contentUrl\":\"https:\\\/\\\/www.zero-one.io\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/blog-image-2.png\",\"width\":932,\"height\":573},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/?p=267#breadcrumb\",\"itemListE
lement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.zero-one.io\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Safely storing passwords and secrets in your git repo\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/#website\",\"url\":\"https:\\\/\\\/www.zero-one.io\\\/\",\"name\":\"Zero One\",\"description\":\"Bespoke Software Development\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.zero-one.io\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-ZA\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.zero-one.io\\\/#\\\/schema\\\/person\\\/6eb7b0e5d744fecd1e83efeb2c7c8d44\",\"name\":\"Annette Schuman\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-ZA\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7782258f0f03295dc73c153525ddd74b1b67b73659bc9037f6ee78967a65e86a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7782258f0f03295dc73c153525ddd74b1b67b73659bc9037f6ee78967a65e86a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7782258f0f03295dc73c153525ddd74b1b67b73659bc9037f6ee78967a65e86a?s=96&d=mm&r=g\",\"caption\":\"Annette Schuman\"},\"sameAs\":[\"http:\\\/\\\/www.pepperplane.com\"],\"url\":\"https:\\\/\\\/www.zero-one.io\\\/?author=2\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Safely storing passwords and secrets in your git repo - Zero One","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Safely storing passwords and secrets in your git repo - Zero One","og_description":"Managing secrets for a code base is a tricky proposition. For too long, traditional DevOps approaches have seen teams build elaborate out-of-band workflows to manage system secrets, API keys and tokens, and traditional passwords. This tends to be an error-prone and painful process. This is never a good scenario to be faced with when considering [&hellip;]","og_url":"https:\/\/www.zero-one.io\/?p=267","og_site_name":"Zero One","article_published_time":"2020-08-05T10:07:58+00:00","article_modified_time":"2021-01-22T08:55:55+00:00","og_image":[{"width":932,"height":573,"url":"https:\/\/www.zero-one.io\/wp-content\/uploads\/2020\/08\/blog-image-2.png","type":"image\/png"}],"author":"Annette Schuman","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Annette Schuman","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.zero-one.io\/?p=267#article","isPartOf":{"@id":"https:\/\/www.zero-one.io\/?p=267"},"author":{"name":"Annette Schuman","@id":"https:\/\/www.zero-one.io\/#\/schema\/person\/6eb7b0e5d744fecd1e83efeb2c7c8d44"},"headline":"Safely storing passwords and secrets in your git repo","datePublished":"2020-08-05T10:07:58+00:00","dateModified":"2021-01-22T08:55:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.zero-one.io\/?p=267"},"wordCount":1140,"commentCount":0,"image":{"@id":"https:\/\/www.zero-one.io\/?p=267#primaryimage"},"thumbnailUrl":"https:\/\/www.zero-one.io\/wp-content\/uploads\/2020\/08\/blog-image-2.png","inLanguage":"en-ZA","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.zero-one.io\/?p=267#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.zero-one.io\/?p=267","url":"https:\/\/www.zero-one.io\/?p=267","name":"Safely storing passwords and secrets in your git repo - Zero 
One","isPartOf":{"@id":"https:\/\/www.zero-one.io\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.zero-one.io\/?p=267#primaryimage"},"image":{"@id":"https:\/\/www.zero-one.io\/?p=267#primaryimage"},"thumbnailUrl":"https:\/\/www.zero-one.io\/wp-content\/uploads\/2020\/08\/blog-image-2.png","datePublished":"2020-08-05T10:07:58+00:00","dateModified":"2021-01-22T08:55:55+00:00","author":{"@id":"https:\/\/www.zero-one.io\/#\/schema\/person\/6eb7b0e5d744fecd1e83efeb2c7c8d44"},"breadcrumb":{"@id":"https:\/\/www.zero-one.io\/?p=267#breadcrumb"},"inLanguage":"en-ZA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.zero-one.io\/?p=267"]}]},{"@type":"ImageObject","inLanguage":"en-ZA","@id":"https:\/\/www.zero-one.io\/?p=267#primaryimage","url":"https:\/\/www.zero-one.io\/wp-content\/uploads\/2020\/08\/blog-image-2.png","contentUrl":"https:\/\/www.zero-one.io\/wp-content\/uploads\/2020\/08\/blog-image-2.png","width":932,"height":573},{"@type":"BreadcrumbList","@id":"https:\/\/www.zero-one.io\/?p=267#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.zero-one.io\/"},{"@type":"ListItem","position":2,"name":"Safely storing passwords and secrets in your git repo"}]},{"@type":"WebSite","@id":"https:\/\/www.zero-one.io\/#website","url":"https:\/\/www.zero-one.io\/","name":"Zero One","description":"Bespoke Software Development","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.zero-one.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-ZA"},{"@type":"Person","@id":"https:\/\/www.zero-one.io\/#\/schema\/person\/6eb7b0e5d744fecd1e83efeb2c7c8d44","name":"Annette 
Schuman","image":{"@type":"ImageObject","inLanguage":"en-ZA","@id":"https:\/\/secure.gravatar.com\/avatar\/7782258f0f03295dc73c153525ddd74b1b67b73659bc9037f6ee78967a65e86a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7782258f0f03295dc73c153525ddd74b1b67b73659bc9037f6ee78967a65e86a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7782258f0f03295dc73c153525ddd74b1b67b73659bc9037f6ee78967a65e86a?s=96&d=mm&r=g","caption":"Annette Schuman"},"sameAs":["http:\/\/www.pepperplane.com"],"url":"https:\/\/www.zero-one.io\/?author=2"}]}},"_links":{"self":[{"href":"https:\/\/www.zero-one.io\/index.php?rest_route=\/wp\/v2\/posts\/267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zero-one.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zero-one.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zero-one.io\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zero-one.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=267"}],"version-history":[{"count":3,"href":"https:\/\/www.zero-one.io\/index.php?rest_route=\/wp\/v2\/posts\/267\/revisions"}],"predecessor-version":[{"id":674,"href":"https:\/\/www.zero-one.io\/index.php?rest_route=\/wp\/v2\/posts\/267\/revisions\/674"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.zero-one.io\/index.php?rest_route=\/wp\/v2\/media\/673"}],"wp:attachment":[{"href":"https:\/\/www.zero-one.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zero-one.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zero-one.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}