Cleaning Secrets from a Repo

Sarah Smith
5 min read · Jul 18, 2021
[Image: a person in a dark-grey hoodie walking, hands in pockets, past a very large screen displaying computer code.] Hackers constantly run bots searching for exploitable material in public repositories. Image credit: undraw.co


If you’re like me, you messed up and now you have to fix things quickly. Slow down and follow these steps carefully; the order and the detail are important. I promise you we’ll get through this together.

FIRST: Revoke the secrets from whatever assets or platform they provide access to, e.g.:

Assume that the keys have already fallen into the hands of bad actors, and immediately change the locks so that the keys are of no use.

Cleaning House

HAVE YOU REALLY REVOKED ALL THE KEYS?

You may still want to clean up the repo where the keys were exposed, to remove all traces of them, even though you have now rendered them useless.

Maybe because:

  • Other authors in the repo might find the keys and mistakenly issue and expose new ones.
  • To protect the guilty: cover your tracks, as an act of contrition.

Note that cleaning house like this will not remove the keys from any fork or offline copy that someone may have (read: already has) taken of the repo. That is why you have to revoke the secrets first.
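That caveat can be seen directly in git. The script below is an added example, not part of the original post and not BFG itself: it builds a throw-away repository containing a constructed fake key, takes a clone of it the way a colleague or a scraping bot would, rewrites the origin's history with a minimal orphan-branch rewrite standing in for the BFG run, and then checks both copies for the key. The repository layout, file name, identity and key string are all invented for the demo.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): shows why revocation must come first.
# A throw-away origin repo leaks a constructed fake key, a clone is taken, the
# origin's history is rewritten and garbage-collected, and the earlier clone is
# shown to still hold the key. Names, paths and the key string are made up.
set -eu

# Every git call gets a fixed identity so the demo also runs in an unconfigured sandbox.
g() { git -c user.name=demo -c user.email=demo@example.invalid -c init.defaultBranch=main "$@"; }

# secret_in_history REPO SECRET: succeeds (exit 0) if SECRET was ever added or
# removed in a commit reachable from any ref of REPO, fails (exit 1) otherwise.
# -S is git's "pickaxe": it selects commits whose diff changes the count of SECRET.
secret_in_history() {
  repo=$1; secret=$2
  [ -n "$(g -C "$repo" log --all --oneline -S"$secret" 2>/dev/null)" ]
}

# run_demo: prints three yes/no verdicts: origin before cleanup, origin after
# cleanup, and the pre-existing clone after the origin was cleaned.
run_demo() {
  work=$(mktemp -d)
  secret="FAKE_DEMO_KEY_0123456789abcdef"   # constructed, not a real credential
  origin=$work/origin; clone=$work/clone

  g init -q "$origin"
  printf 'api_key=%s\n' "$secret" > "$origin/config.ini"
  g -C "$origin" add config.ini
  g -C "$origin" commit -q -m "add config"
  # The "oops, remove it" commit: gone from HEAD, still in history.
  printf 'api_key=REDACTED\n' > "$origin/config.ini"
  g -C "$origin" commit -q -am "remove key from config"

  # Someone already took a copy before any cleanup happened.
  g clone -q "$origin" "$clone"

  before=$(secret_in_history "$origin" "$secret" && echo yes || echo no)

  # Minimal history rewrite in the origin: replace all history with one clean
  # commit, then drop every trace (old branch, reflog, unreachable objects).
  # BFG does this job selectively; this stand-in throws the whole history away.
  branch=$(g -C "$origin" rev-parse --abbrev-ref HEAD)
  g -C "$origin" checkout -q --orphan clean
  g -C "$origin" commit -q -m "clean history"
  g -C "$origin" branch -D "$branch" >/dev/null
  g -C "$origin" branch -m "$branch"
  g -C "$origin" reflog expire --expire=now --all
  g -C "$origin" gc -q --prune=now

  after_origin=$(secret_in_history "$origin" "$secret" && echo yes || echo no)
  after_clone=$(secret_in_history "$clone" "$secret" && echo yes || echo no)

  echo "$before $after_origin $after_clone"
  rm -rf "$work"
}

run_demo
```

Run it with `sh demo.sh`; it prints `yes no yes`: the key was in the origin's history, it is gone from the origin after the rewrite, and the clone taken beforehand still has it, untouched by anything done to the origin. `secret_in_history` is the check to repeat after a real cleanup, against every copy you can reach, because `git log --all -S` only walks commits reachable from refs in the repository you point it at.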

Install BFG
