When developing mobile applications, it’s crucial to keep sensitive files like Google-Services.plist and google-services.json secure. These files contain essential information for connecting your app to Firebase services. In this post, we’ll show you how to encrypt these files using GPG (GNU Privacy Guard) and share them securely with your team.

What is GPG and Why is It Important?

GPG, or GNU Privacy Guard, is an open-source encryption and signing tool that provides cryptographic privacy and authentication. Encrypting your Firebase configuration files with GPG ensures that unauthorized individuals cannot access sensitive information in your app’s codebase, especially when using version control systems like Git.

Creating and Registering a GPG Key

Before we start encrypting files, you’ll need to create a GPG key pair (a public and private key) and register it with your computer.

  1. Install GPG if you haven’t already (it is included in the Git Bash installation). You can download it from the official GnuPG website.
  2. Open a terminal and run the following command to generate a GPG key pair:
1
gpg --full-generate-key
  1. Follow the prompts to complete the key generation process. Make sure to remember the passphrase you set for your private key.
  2. List your GPG keys with the following command:
1
gpg --list-secret-keys --keyid-format=long
  1. Note the key ID displayed, as you’ll need it for exporting the key.

Uploading Your Public Key to the Internet

To share your public key with others, you can upload it to a public key server. This allows people to easily find and import your public key to encrypt files for you.

  1. Export your public key to a file using the following command (replace your-email@example.com with your email used when generating the key):
1
gpg --output my-public-key.asc --armor --export your-email@example.com
  1. Visit a public key server, such as keys.openpgp.org or the MIT PGP Public Key Server, and follow their instructions to upload your public key.

Encrypting the Firebase Configuration Files

With your GPG key created, you can now encrypt your Google-Services.plist and google-services.json files:

1
2
gpg --output Google-Services.plist.gpg --encrypt --recipient your-email@example.com --recipient your-team-member@example.com Google-Services.plist
gpg --output google-services.json.gpg --encrypt --recipient your-email@example.com --recipient your-team-member@example.com  google-services.json

Replace your-email@example.com with the email address associated with the public key you created earlier and add the mail addresses of all of your team members that should be able to decrypt the files.

IMPORTANT
Do not forget to add the unencrypted files to your .gitignore.

Decrypting the Files

To decrypt the files, use the following commands:

1
2
gpg --output Google-Services.plist --decrypt Google-Services.plist.gpg
gpg --output google-services.json --decrypt google-services.json.gpg

Other Usages of GPG Keys

GPG keys can also be used for other purposes in the context of programming, such as:

  1. Signing commits and tags in Git: By signing your commits and tags, you can prove that they were created by you and haven’t been tampered with. This adds an extra layer of trust and authenticity to your code.
  2. Securing communication: GPG keys can be used to encrypt and sign emails or other forms of communication between team members, ensuring that sensitive information remains confidential.
  3. Protecting sensitive configuration files: You can use GPG to encrypt sensitive configuration files or API keys before committing them to a repository, preventing unauthorized access.

Conclusion

By encrypting your Google-Services.plist and google-services.json files with GPG and sharing your public key, you can protect your Firebase credentials while allowing multiple authorized recipients to access the files. This ensures the security of your project while facilitating collaboration with your team.