Git can unintentionally store sensitive data like passwords or keys in its commit history. While commands like filter-branch can remove sensitive data from the local history, it may still be retrievable from remote repositories unless the history is rewritten there as well. The safest approach is to change all credentials and remove the local git repository entirely.

1. Git hardly
forgets
Ombu Labs, January 2016

2. The Problem
$ echo "secret data" > id_rsa
$ git add id_rsa
$ git commit -m "bad commit"

3. $ git rm id_rsa
$ git show d6ec68d
d6ec68d - bad commit
diff --git a/id_rsa b/id_rsa
secret data
The Data remains

4. $ git filter-branch --tree-filter 'rm -f id_rsa' HEAD
Rewrite f5741346a28c65097b2a4e1ac9d9f31ca99ce43e (4/4)
Ref 'refs/heads/master' was rewritten
$ git log
0849436 - (HEAD -> master) remove id_rsa file
1ec887c - another file
7108ca8 - bad commit
474db38 - initial commit
$ git show 7108ca8
7108ca8 - bad commit
Rewrite the history

5. $ git show d6ec68d
d6ec68d - bad commit
secret data
Rewrite the history
Seems that the history still exists …

6. $ git push
$ git clone git@github.com:git-demo.git
$ git show d6ec68d
fatal: ambiguous argument 'd6ec68d': unknown revision or path no
Local vs Remote

7. $ git filter-branch --tree-filter 'git ls-files -z
"*.rb" | xargs -0 perl -p -i -e "s#(12345)#REMOVED#g"'
-- --allRewrite
051fdf0ac67128a918dd703e26df5737cf6f39da (8/8)
...
Ref 'refs/remotes/origin/awesome-feature' was rewritten
Ref 'refs/remotes/origin/master' was rewritten
$ git gc --aggressive —prune
$ git push -f
Filter Passwords

8. $ git log
bba8283 - replace api key with env var
7152c92 - add api key to demo.rb
$ git show 7152c92
7152c92 - add api key to demo.rb
+API_KEY=REMOVED
The Result

9. Safest Solution
• change all current Keys & Passwords
• rm -rf .git/

10. Thank you!

11. Questions?