README.md
1# Expo Secrets
2
3This directory contains keys and other data that is for only the Expo team. Expo's software works without these secrets, which are used to configure the official Expo client and connect to services that Expo uses.
4
5---
6
7## Expo team instructions
8
9### Security
10
11This directory contains only secrets that cannot cause significant damage or create significant work for us if they are exposed. It also contains data that isn't actually secret, such as client API keys, but that belong only in the official releases of Expo software and we want to prevent from accidentally being included in developers' own builds.
12
13In the interest of defense in depth, we mitigate the consequences of these secrets being exposed. **Do not add especially sensitive or hard-to-revoke secret credentials, such as an Android keystore, to this repository or CI, even if they are encrypted.**
14
15We also require full-disk encryption (FileVault 2) to decrypt the secrets.
16
17### Unlocking the secrets
18
19The secrets are encrypted using [`git-crypt`](https://github.com/AGWA/git-crypt). Run `unlock` in this repo to decrypt the secrets. If you do not have a decryption key, `unlock` will print instructions for you. You also must have full-disk encryption (FileVault 2) enabled to decrypt the secrets.
20
21The secrets will remain decrypted on your local computer but will automatically be encrypted when you push your changes to GitHub.
22
23### Locking the secrets
24
25You can encrypt the secrets again by running `lock`. You should rarely need to lock the secrets, but if you encounter issues with `git-crypt` it may be useful. Locking the secrets does not protect them unless you securely delete the key and your ability to acquire another copy of the key, however.
26