git credential-store

🎯 What & why

git credential-store saves credentials in plaintext on disk. It just works, everywhere, and exposes your tokens to anyone who reads the file.

🧠 Mental model

A flat file of https://user:token@host URLs. No encryption. No expiry. If the threat model includes 'someone reads my home directory', this helper is wrong.

🛠️ Synopsis

git config --global credential.helper store
git config --global credential.helper 'store --file=~/.git-creds-work'

# File format (one line each):
# https://alice:ghp_xxx@github.com
# https://bob:token@gitlab.example.com

🎚️ Switches & options

📦 Subcommands

git credential-store store < cred.txt

git credential-store get < desc.txt

git credential-store erase < desc.txt

💡 Use cases

• Headless servers where no keychain exists and cache won't survive long-running jobs.
• Containers and CI where the filesystem is ephemeral anyway.
• Quick scripts where security is bounded by the host's own access controls.
• Splitting work and personal creds via separate --file paths and per-host helpers.

🧪 Examples

git config --global credential.helper store

git -C ~/work config credential.helper 'store --file=~/.git-creds-work'

cat ~/.git-credentials

rm ~/.git-credentials

🎓 Recommendations

• Don't use this on a personal laptop — pick osxkeychain, wincred, manager, or libsecret.
• If you must use it, scope per-host with credential.<url>.helper and a dedicated file.
• Rotate tokens on a schedule; the file never expires anything.

🪤 Common pitfalls

• Backups, sync tools, and find will happily slurp ~/.git-credentials — the secret leaks with your home dir.
• Mode 600 protects against other local users, not against malware running as you.
• Editing the file by hand is fine, but the format is strict — one URL per line, no comments.

🔗 Related modules

• git credential
• git credential-cache
• git config

📝 Quiz

Hit each option, then Check answers. Score is recorded; Next is always open.