A lightweight encrypting git credential helper (for Linux)
Git on Linux has basically three options for storing credentials:
- `git-credential-cache`: keeps credentials in memory only, so they are lost on reboot (or when the cache daemon exits).
- `git-credential-store`: writes credentials unencrypted to a file, so anybody who can read that file gets them.
- libsecret-based helpers (like the GNOME keyring one): store credentials encrypted, but pull in a full secret-management stack and need workarounds without a graphical session (see here).
With GitHub's move to personal access tokens, I felt the need for a lightweight encrypting solution. Nicator works like `git-credential-store` but encrypts the saved credentials, so it protects against the credentials file being stolen. It does not protect against malicious code running as your user, or against its socket or process memory being read, especially after unlocking. Most of nicator's dependencies are statically linked, so it does not require any uncommon libraries on the target machine.
- Add `nicator` somewhere on your `$PATH`.
- Execute `nicator init` to create the credentials file and set an initial password.
- Set `nicator` as your git credential helper: `git config --global credential.helper /path/to/nicator`.
- Execute `nicator unlock` to enable storing and fetching credentials.
- Execute `nicator lock` to disable storing and fetching credentials.
`nicator unlock -t SECONDS` sets a timeout after which the credentials become inaccessible again; it defaults to 1 hour. A shell alias is a handy way to apply a different timeout consistently. The `-c` and `-s` flags change the paths of the credentials file and the socket file respectively.
These files should not leak any data as long as they are readable and writable only by their owner, which nicator takes care of when it creates them.
An existing `.git-credentials` file can be imported using `nicator import`.
Unlocking automatically launches a nicator server/daemon process that keeps the password in memory and listens on a unix socket with appropriate permissions (located in `/tmp`).
When queried, the server decrypts the credential file (`$HOME/.nicator-credentials`), or, when storing, encrypts it and writes it back with appropriate permissions.
`nicator store`, `nicator get` and `nicator erase` parse git's input, connect to the daemon and print the information git expects on stdout.
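The two mechanics the previous paragraphs lean on, the git credential-helper protocol that `store`/`get`/`erase` speak and the owner-only permissions on the credentials and socket files, as an added example in Python. This is not nicator's code: the `CredentialStore` class is an in-memory stand-in for the daemon (no encryption, no socket), and the sample exchanges are constructed for this example.

```python
"""Added example (not nicator's code): the git credential-helper protocol and the
owner-only file check the README relies on.

git invokes a helper as `helper <get|store|erase>`, writes key=value lines to its
stdin terminated by a blank line, and reads key=value lines back from stdout on
`get` (see git-credential(1)). CredentialStore stands in for nicator's daemon.
"""
import os
import stat
import sys
import tempfile
from typing import Dict, Optional, Tuple


def parse_git_credential(text: str) -> Dict[str, str]:
    """Parse git's key=value block; stop at the first blank line, as git does."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        if line == "":
            break
        if "=" not in line:
            raise ValueError(f"malformed credential line: {line!r}")
        key, value = line.split("=", 1)  # values (passwords) may themselves contain '='
        creds[key] = value
    return creds


def format_git_credential(creds: Dict[str, str]) -> str:
    """Serialize the answer to `get`; git reads key=value lines until EOF."""
    return "".join(f"{k}={creds[k]}\n" for k in ("username", "password") if k in creds)


class CredentialStore:
    """Stand-in for the daemon: matches on protocol/host/path like git-credential-store."""

    def __init__(self) -> None:
        self._db: Dict[Tuple[str, str, str], Tuple[str, str]] = {}

    @staticmethod
    def _key(creds: Dict[str, str]) -> Tuple[str, str, str]:
        return (creds["protocol"], creds["host"], creds.get("path", ""))

    def store(self, creds: Dict[str, str]) -> None:
        self._db[self._key(creds)] = (creds["username"], creds["password"])

    def get(self, creds: Dict[str, str]) -> Optional[Dict[str, str]]:
        hit = self._db.get(self._key(creds))
        if hit is None:
            return None
        username, password = hit
        # If git already knows the username, only an entry for that user is a hit.
        if creds.get("username", username) != username:
            return None
        return {"username": username, "password": password}

    def erase(self, creds: Dict[str, str]) -> None:
        self._db.pop(self._key(creds), None)


def handle(store: CredentialStore, action: str, stdin_text: str) -> str:
    """Dispatch one helper invocation; returns what the helper writes to stdout."""
    creds = parse_git_credential(stdin_text)
    if action == "get":
        found = store.get(creds)
        return format_git_credential(found) if found else ""
    if action == "store":
        store.store(creds)
    elif action == "erase":
        store.erase(creds)
    else:
        raise ValueError(f"unknown action: {action}")
    return ""


def create_private_file(path: str, data: bytes) -> None:
    """Create the file with mode 0600 at creation time (O_EXCL: never clobber/follow)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def is_owner_only(path: str) -> bool:
    """True if a regular file is owned by us and carries no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0


# Constructed sample exchanges for this example (not real credentials).
SAMPLE_STORE = "protocol=https\nhost=github.com\nusername=octocat\npassword=ghp_placeholder\n\n"
SAMPLE_GET = "protocol=https\nhost=github.com\n\n"


def roundtrip_demo() -> str:
    """store, then get: returns the lines the helper would hand back to git."""
    store = CredentialStore()
    handle(store, "store", SAMPLE_STORE)
    return handle(store, "get", SAMPLE_GET)


def permission_check_demo(mode: int) -> bool:
    """Create a private file, force `mode` onto it, and report whether it still passes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        create_private_file(path, b"")
        os.chmod(path, mode)
        return is_owner_only(path)


if __name__ == "__main__":
    # Usage: python helper.py get|store|erase  (git's block arrives on stdin).
    # The store is per-process here; the real tool delegates persistence to its daemon.
    sys.stdout.write(handle(CredentialStore(), sys.argv[1], sys.stdin.read()))
```

The `get` path deliberately returns nothing when git already supplied a username that does not match the stored entry, so git falls through to prompting rather than sending the wrong token. The permission check insists on `st_uid == getuid()` as well as on cleared group/other bits, since a 0600 file owned by someone else is exactly the case a stolen or planted credentials file would present.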
Nicator encrypts credentials using 256-bit AES.
The passphrase is hashed using Argon2id.
To put it bluntly: after unlocking, `nicator` is as insecure as `git-credential-store`.
- You have to trust the root user on your system.
- When hibernating, your nicator password may be written to disk if a nicator server is still running.
- Malicious code may act like a valid nicator client and read credentials from the unix socket while the credential store is unlocked.