Where to store my Git personal access token?
Is it necessary to store the personal access token somewhere locally on the machine after generating it in GitHub? If yes, is there any preferred way where it could be stored?
Treat your tokens like passwords and keep them secret. When working with the API, use tokens as environment variables instead of hardcoding them into your programs. See number 8 from the official docs: help.github.com/articles/…
Exactly, I saw that comment when generating the access token, but I was not sure how people keep them safe in practice.
This seems so strange to me. Half the point of passwords is that (ideally) you memorise them and the system hashes them, so therefore they’re never stored anywhere in plain text. Yet GitHub’s personal access token system seems to basically force you to store the token in plain text?
It seems GitHub just disabled password authentication for git push and now enforces using a token instead. So now we have to store the token in plain text or use a credential helper to store it for you. In any case, a person accessing your computer now has write access to your repo. — Back when I could just use a password that I have to enter every time, this particular security risk did not exist. And let’s not forget that someone who knows my password could easily use that to create their own tokens. So in terms of security we don’t gain anything, unless GitHub also decides to enforce 2FA.
16 Answers
Half the point of passwords is that (ideally) you memorize them and the system hashes them, so therefore they’re never stored anywhere in plain text.
Yet GitHub’s personal access token system seems to basically force you to store the token in plain text?
First, a PAT (Personal Access Token) is not a simple password, but an equivalent that:
- you can generate multiple times (for instance, one per machine from which you need to access a GitHub repository)
- you can revoke at any time (from the GitHub web interface), which makes that PAT obsolete, even if it lingers around on one of those machines.
That differs from your password, which is unique to your account, and cannot be easily changed without having to also modify it everywhere you happen to use it.
Since a PAT can be used in place of a password when performing Git operations over HTTPS with Git on the command line or the API, you can use a git credential helper to cache it securely.
On Windows, for instance, that would use the Windows Credential Manager, through the GCM — Git Credential Manager — for Windows, Mac or Linux:
git config --global credential.helper manager-core
# Git 2.39+:
git config --global credential.helper manager
(manager-core is being replaced by/renamed as manager for Git 2.39+, Q4 2022)
The first time you are pushing to a repo, a popup will ask for your credentials: username and your PAT.
The next time, it won’t ask, and will directly reuse that PAT, which remains stored securely in your Credential Manager.
A similar idea applies for Mac with the OSX keychain, and Linux with the GNOME Keyring (in 2021, it would need a DBus session and libsecret), but in 2021, GCM-Core covers those use cases.
The idea remains: store the PAT in an encrypted credentials store.
git config --global credential.helper manager-core
# Git 2.39+:
git config --global credential.helper manager
Before Git 2.39 (Q4 2022), for Linux:
For that, you need to install git-credential-manager-core, downloading its latest release, like gcmcore-linux_amd64.2.0.474.41365.deb
sudo dpkg -i gcmcore-linux_amd64.2.0.474.41365.deb
git-credential-manager-core configure
Although, with GCM (Git-Credential-Manager-Core) on Linux, as noted by Mekky Mayata in the comments, you need to define a git config --global credential.credentialStore first.
As noted by agent18 in the comments, using git-credential-libsecret after installing libsecret-1-0 and libsecret-1-dev is a good first step.
But, again, that should be now wrapped by credential-manager-core (before Git 2.39).
The GNOME Keyring solution you linked does not work for Ubuntu 20.04, as the libgnome-keyring-dev package is not available in that suite. Is this what you meant by "Linux support is not fully implemented yet"? What recommended workarounds are there, and where can I check the progress being made?
@Mxt The GCM-Core does support Linux now (github.com/microsoft/Git-Credential-Manager-Core/blob/master/…), so it is now the official workaround.
The last two lines give me the following error after git push: /var/tmp/.net/user/git-credential-manager-core/unqypyc0.awl/git-credential-manager-core get: 1: /var/tmp/.net/user/git-credential-manager-core/unqypyc0.awl/git-credential-manager-core: not found
Upon running the above commands on Linux, it worked fine but I got "fatal: No credential backing store has been selected." Solved this by editing the git config file (git config -e --global) and adding a credentialStore value (plaintext, gpg, secretservice) to it. Thanks @VonC
@Mekky_Mayata Good point. I have edited the answer to make that step more visible for Linux, adding the relevant documentation.
In my case, in Ubuntu, the accepted solution didn’t work with a message like
git: ‘credential-manager’ is not a git command
but store instead of manager worked well:
git config --global credential.helper store
Just to add a note to this — after enabling this you will be prompted for your creds on your next commit. After that, they are stored.
I find it really helpful when people provide at least a link after making a warning about something. Please look here for stellar instructions on how to "store" the PAT securely and work with the git workflow. Just 3 lines of code.
After lots of messing around I ended up using github’s ssh instead of http (docs.github.com/en/authentication/connecting-to-github-with-ssh)
Alternatively, you can create a ~/.netrc file in home directory and save your login credentials to it.
cat ~/.netrc
machine github.com
login <username>
password <personal-access-token>
Please provide a detailed explanation to your answer, in order for the next user to understand your answer better.
Details of netrc file and its link with inetutils are explained in this link. gnu.org/software/inetutils/manual/html_node/…
@JwalaKumar just create a file in your linux home directory with name .netrc and have the contents as shown in the answer. If you are using windows then please try this stackoverflow.com/questions/6031214/…
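Since a .netrc file holds the token in plain text, the file mode is its only protection. The following is an added example, not code from the answer above: it writes a single-host .netrc entry for github.com with owner-only permissions and audits an existing file with Python's standard-library netrc parser. The host, login, token and file path are constructed values for the demonstration.

```python
"""Write a .netrc entry for a GitHub PAT and audit the file (added example)."""
import netrc
import os
import stat
from typing import Dict, Tuple


def write_netrc(path: str, host: str, login: str, token: str) -> None:
    """Rewrite a single-host .netrc.

    The file is created with mode 0600 *before* the token is written, so
    there is no window in which it is group- or world-readable.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"machine {host}\nlogin {login}\npassword {token}\n")


def audit_netrc(path: str) -> Dict[str, object]:
    """Parse with the stdlib netrc module and flag loose permissions.

    .netrc is plaintext, so anything beyond owner read/write leaks the PAT to
    every other account on the machine. Python's own mode check only runs for
    the default ~/.netrc, hence the explicit check here.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    parsed = netrc.netrc(path)
    # netrc.hosts maps host -> (login, account, password)
    hosts: Dict[str, Tuple[str, bool]] = {
        host: (login, bool(password))
        for host, (login, _account, password) in parsed.hosts.items()
    }
    return {"mode": mode, "mode_ok": (mode & 0o077) == 0, "hosts": hosts}


if __name__ == "__main__":
    # Constructed sample values; a real run would use ~/.netrc and your PAT.
    sample = os.path.expanduser("~/.netrc.example")
    write_netrc(sample, "github.com", "octocat", "ghp_ExampleTokenConstructed")
    print(audit_netrc(sample))
```

Run the audit against your real ~/.netrc; a report with mode_ok set to False means the token is readable by other local users and the file should be chmod 600.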
Tested on Ubuntu 20.04, almost fresh install, with Git 2.25.1 and Unity 7.5.
Authentication basics
GitHub needs an authentication key (with certain rights tied to said authentication key). A particular auth key has certain rights (read private repos, read/write public repos, etc.) and "acts as a password" coupled with rights which can be revoked whenever the user wants.
Personal Access Token
- We start with making a PAT, i.e., Settings -> Developer Settings -> Personal access tokens -> Generate new token -> Note -> set permissions (repo, repo_hook maybe) -> generate token
- git push the repo and type the generated token(very long password) as password when asked.
Storing the password in different ways
- Can be done in a file and then using xclip to bring it back to the clipboard and paste it every time (Screw this)
- Cache with the help of git commands git config credential.helper cache . But you still have to somehow clipboard the password after the timelimit.
- Store it permanently in a file with git commands git config credential.helper store (don’t use --global). This is NOT ENCRYPTED. You can open the file and read it. (e.g., if someone gets access to your laptop they can pretty much read the password using a bootable USB (assuming your whole system is not encrypted)).
- Or go the encryption route as per here. It is not complicated at all. 3 simple steps.
sudo apt-get install libsecret-1-0 libsecret-1-dev
sudo make --directory=/usr/share/doc/git/contrib/credential/libsecret
git config credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret
This allows you to store the password/personal access token in an encrypted format. The git config file can be found at .git/config in your local repo as shown here, if you ever need it.
P.S. There are many places that suggest the use of Gnome-keyring but that is apparently deprecated.
Storing passwords/PATs for more than one account
This becomes tricky and it appears as @VonC suggests that we need a Git-Credential-Manager core (GCM core). This answer is enhanced based on my findings in this answer.
- First install GCM core
- Download latest .deb package
- sudo dpkg -i <downloaded .deb package>
- git-credential-manager-core configure
- git config --global credential.credentialStore secretservice as we use libsecret
sudo add-apt-repository ppa:git-core/ppa
sudo apt-get update
apt list git   # shows the latest git, currently 2.31
sudo apt-get install git   # or: sudo apt-get upgrade
git remote set-url origin https://user1@github.com/user1/myRepo1.git
git remote set-url origin https://user2@github.com/user1/myRepo1.git
                                  ^^^^^
Your ~/.gitconfig file will thus have the following :
[credential]
    helper = /usr/bin/git-credential-manager-core
    credentialStore = secretservice
[credential "https://dev.azure.com"]
    useHttpPath = true
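To make concrete what a credential helper such as GCM, git-credential-store or git-credential-libsecret actually does, here is an added example (not code from either answer above, and not GCM's code): a minimal helper in Python that speaks the git credential protocol. git runs the helper as `<helper> get|store|erase` and feeds `key=value` lines on stdin, terminated by a blank line; a `get` reply is `key=value` lines on stdout. Stored credentials are keyed by protocol, host, path and username, which is why putting user1@ or user2@ in the remote URL (as in the multi-account section) makes git ask for, and receive, a different PAT, and why the useHttpPath setting matters: git only includes a `path` attribute in the request when that option is on for the host. The JSON file, its default location and the PAT_HELPER_FILE variable are this example's own assumptions; the file is created owner-only but is still plaintext on disk, so a production helper would hand the secret to the OS keyring the way GCM does.

```python
#!/usr/bin/env python3
"""Minimal git credential helper (illustrative; GCM/libsecret are the real thing).

git runs `<helper> get|store|erase` and writes `key=value` lines to stdin,
ending with a blank line. A `get` reply is `key=value` lines on stdout.
Credentials land in a JSON file created with mode 0600; that is still
plaintext on disk, so a production helper would use the OS keyring instead.
"""
import json
import os
import sys
from typing import Dict, Optional

# Hypothetical default location for this example; not something git defines.
DEFAULT_STORE = os.path.expanduser("~/.config/pat-helper/credentials.json")


def parse_request(text: str) -> Dict[str, str]:
    """Parse the attributes git sends; a blank line terminates the request."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:  # skip malformed lines instead of failing the git operation
            attrs[key] = value
    return attrs


def format_response(attrs: Dict[str, str]) -> str:
    """Serialise a reply in the same key=value form git expects."""
    return "".join(f"{key}={value}\n" for key, value in attrs.items())


def scope(attrs: Dict[str, str]) -> str:
    """Match key built from protocol, host and path.

    git only includes `path` in the request when credential.useHttpPath is set
    for that host, so by default two repos on one host share a credential.
    """
    return "|".join(attrs.get(k, "") for k in ("protocol", "host", "path"))


class CredentialStore:
    """Per-scope map of username -> secret, persisted as an owner-only file."""

    def __init__(self, path: str) -> None:
        self.path = path
        try:
            with open(path, encoding="utf-8") as fh:
                self._data: Dict[str, Dict[str, str]] = json.load(fh)
        except FileNotFoundError:
            self._data = {}

    def _save(self) -> None:
        os.makedirs(os.path.dirname(self.path) or ".", mode=0o700, exist_ok=True)
        # Create with 0600 *before* writing so the secret is never world-readable.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self._data, fh)

    def get(self, attrs: Dict[str, str]) -> Optional[Dict[str, str]]:
        entries = self._data.get(scope(attrs), {})
        username = attrs.get("username")
        if username is not None:  # e.g. https://user2@github.com/... in the remote
            secret = entries.get(username)
            return {"username": username, "password": secret} if secret else None
        if entries:  # no username in the URL: the first stored account wins
            username, secret = next(iter(entries.items()))
            return {"username": username, "password": secret}
        return None

    def store(self, attrs: Dict[str, str]) -> None:
        if "username" in attrs and "password" in attrs:
            self._data.setdefault(scope(attrs), {})[attrs["username"]] = attrs["password"]
            self._save()

    def erase(self, attrs: Dict[str, str]) -> None:
        entries = self._data.get(scope(attrs), {})
        if attrs.get("username") in entries:
            del entries[attrs["username"]]
            if not entries:
                del self._data[scope(attrs)]
            self._save()


def handle(operation: str, request: str, store: CredentialStore) -> str:
    """Run one helper invocation and return the text destined for stdout."""
    attrs = parse_request(request)
    if operation == "get":
        found = store.get(attrs)
        return format_response(found) if found else ""
    if operation == "store":
        store.store(attrs)
    elif operation == "erase":
        store.erase(attrs)
    return ""  # git ignores any output for store/erase


if __name__ == "__main__":
    # Wire it up with:  git config --global credential.helper /path/to/pat_helper.py
    # PAT_HELPER_FILE is this example's own knob for the storage location.
    store_path = os.environ.get("PAT_HELPER_FILE", DEFAULT_STORE)
    operation = sys.argv[1] if len(sys.argv) > 1 else "get"
    sys.stdout.write(handle(operation, sys.stdin.read(), CredentialStore(store_path)))
```

You can exercise a helper without a remote by piping a request into `git credential fill`, `git credential approve` and `git credential reject`, which invoke the configured helper's get, store and erase respectively; two accounts on github.com stay separate only if the remote URL carries the username, exactly as the set-url commands above arrange.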