Remove Passwords From Git History

Every once in a while you’ll check a key or password into a git repository by mistake. Not to worry, there’s a great utility that can erase the values from history for you. Deleting the file or updating the text at the current HEAD isn’t enough: the value still exists in your branch history, so you need to go further to remove it.

Luckily there’s the BFG Repo-Cleaner, a utility that goes through your git history and replaces every occurrence of the private value with `***REMOVED***`.

Here’s how to use the BFG Repo-Cleaner to remove passwords from your git history. The BFG Repo-Cleaner is a Java file that can be saved to your local machine and run against your cloned git repo.

  1. Start by downloading the BFG Repo-Cleaner .jar file to your local machine. I saved mine to a folder called bfg on my D: drive – D:\code\bfg.
  2. Create a passwords.txt file that lists the passwords/keys you want to remove from your git repository, one per line, and save it to the same folder as the BFG Repo-Cleaner.
    password1
    password2
    keyvalue123
  3. Clone your repository using the --mirror flag and make a full backup of the repo just in case something breaks.
    $ git clone --mirror https://github.com/clintmcmahon/delete-passwords.git
  4. Open a command prompt and run the following command:
    $ java -jar d:\code\bfg\bfg-1.13.0.jar --replace-text d:\code\bfg\passwords.txt d:\code\delete-passwords.git
  5. Move into the cloned git folder and run the following commands:
    $ cd delete-passwords.git
    $ git reflog expire --expire=now --all && git gc --prune=now --aggressive
  6. Finally, push your changes back to the remote repository:
    $ git push

That’s it. If you go into your repository now you will see that all references to the values from the passwords.txt file have been replaced with `***REMOVED***`. This is just the tip of the utility’s abilities; there are more examples and other documentation on the BFG Repo-Cleaner project GitHub page.
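
A check worth running between steps 5 and 6, before anything is pushed: confirm that no value from passwords.txt is still reachable from any ref in the rewritten mirror. This is an added example, not part of the original post or the BFG project; the function name `check_secrets_gone` is made up here, and it assumes the entries are plain literal strings (BFG's `regex:` entries are skipped).

```shell
#!/bin/sh
# Added example: confirm a rewritten repo no longer contains the listed secrets.
# Usage: check_secrets_gone <repo-dir> <passwords-file>
#   e.g. check_secrets_gone delete-passwords.git passwords.txt
# Returns 0 when no listed value is found in any commit reachable from any ref,
# 1 when at least one is still present. The secret values are never printed.
check_secrets_gone() {
    repo=$1
    list=$2
    found=0
    n=0
    # IFS= and -r keep each value byte-for-byte; the || handles a missing final newline.
    while IFS= read -r secret || [ -n "$secret" ]; do
        n=$((n + 1))
        secret=${secret%"$(printf '\r')"}   # tolerate CRLF files saved on Windows
        secret=${secret%%==>*}              # drop BFG's optional "==>replacement" suffix
        [ -n "$secret" ] || continue
        case $secret in regex:*) continue ;; esac   # regex entries are not handled here
        # -S (pickaxe) lists commits whose diff adds or removes the literal string,
        # so every commit that introduced or deleted the value shows up.
        hits=$(git -C "$repo" log --all --format=%h -S"$secret" | tr '\n' ' ')
        if [ -n "$hits" ]; then
            echo "line $n of $list is still present in: $hits" >&2
            found=1
        fi
    done < "$list"
    return "$found"
}
```

By default BFG does not change the contents of the latest commit on HEAD, so a hit on the tip commit means the value has to be removed there with an ordinary commit before BFG is run again.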