Where to store the personal access token from GitHub?
Half the point of passwords is that (ideally) you memorize them and the system hashes them, so therefore they're never stored anywhere in plain text.
Yet GitHub's personal access token system seems to basically force you to store the token in plain text?
First, a PAT (Personal Access Token) is not a simple password, but an equivalent that:
- you can generate multiple time (for instance, one per machine from which you need to access GitHub repository)
- you can revoke at any time (from the GitHub web interface), which makes that PAT obsolete, even if it lingers around on one of those machines.
That differs from your password, which is unique to your account, and cannot be easily changed without having to also modify it everywhere you happen to use it.
Since a PAT can be used in place of a password when performing Git operations over HTTPS with Git on the command line or the API, you can use a git credential helper to cache it securely.
On Windows, for instance, that would use the Windows Credential Manager, through the GCM -- Git Credential Manager -- for Windows:
git config --global credential.helper manager
The first time you are pushing to a repo, a popup will ask for your credentials: username and your PAT.
The next time, it won't ask, and reuse directly that PAT, which remains stored securely in your Credential Manager.
A similar idea applies for Mac with the OSX keychain, and Linux with the GNOME Keyring.
The idea remains: store the PAT in an encrypted credentials store.
The more modern soution (Q4 2020) is microsoft Git-Credential-Manager-Core
git config --global credential.helper manager-core
You need for that to install git-credential-manager-core
, downloading gcmcore-linux_amd64.2.0.252.766.deb
sudo dpkg -i <path-to-package>
git-credential-manager-core configure
Linux support is not fully implemented yet, but it will be soon.
In my case, in Ubuntu, the accepted solution didn't work with a message like
git: 'credential-manager' is not a git command
but store
instead of manager
worked well:
git config --global credential.helper store
I like to keep them encrypted within the repository and load them using .envrc
(https://direnv.net/)
For doing this I use ssh-vault to encrypt the data using my ssh keys that GitHub already is exposing, for example:
echo MY_TOKEN="secret" | ssh-vault -u <github-user> create > my-encypted-vars.ssh
Then the content of .envrc
looks something like this:
echo "Enter ssh key password"
context=$(ssh-vault view $HOME/projects/my-encrypted.ssh | tail -n +2)
export ${context}
This will decrypt the data in my-encrypted-vars.ssh
file and set MY_TOKEN
into my environment variables every time I cd
into the project dir.
By doing this tokens/variables are stored "safely" and always ready to use as environment variables