In this entry I will document (for myself) how to set up reasonably secure git credential management for WSL in Windows. I am no Windows fanboy but luckily WSL exists, and we should be careful with our access tokens even in Linux!
Overview
We will store our access tokens in Windows Credentials Manager, make git depend on it and make git in WSL depend on the ‘Windows’ git.
The setup described here is normally automagically handled for Azure DevOps and GitHub, but not for internal or self-hosted setups, hence me setting this up.
Git configuration
This depends on how you’ve installed Git in Windows. You need to
locate git-credential-manager.exe and use the path to it in your
Linux git configuration, something like this:
```
[user]
    # CHANGE ME
    name = John Doe
    email = john.doe@example.com
[credential]
    # This path assumes you've installed git to your user profile, change it
    # if necessary!
    helper = /mnt/c/Users/CHANGEME/AppData/Local/Programs/Git/mingw64/bin/git-credential-manager.exe
```
Generate personal access token
This all depends on your forge, but you need to generate a PAT (personal access token) which allows you to do what you need.
I use Forgejo, so I visit git.example.com/user/settings/applications
and issue a new token there. YMMV.
Credentials manager configuration
- Start Credentials Manager by running `control keymgr.dll`
- Switch to “Windows Credentials”
- Press “Add a generic credential”
Use the following parameters for the generic credential:
| Parameter | Value |
|---|---|
| Network address | git:https://git.example.com |
| User name | your-username |
| Password | your-personal-access-token |
Testing
To test this, try to clone a repository in WSL:
```
git clone https://git.example.com/foo/bar.git
```
Did it work? Congrats, now you have a decent setup where you don’t have to store secrets in WSL! And once your token expires, you only need to update it in one place.
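To confirm that nothing secret is left on the WSL side, here is an added check (not part of the original setup). The function name `audit_git_home` is made up for this example, and it only inspects `~/.gitconfig` and `~/.git-credentials`, not per-repository `.git/config` files.

```shell
#!/bin/sh
# Added example: audit a WSL home directory for git secrets kept outside
# Windows Credentials Manager. Prints one line per finding and returns the
# number of findings (0 = clean).
audit_git_home() {
    home_dir=$1
    cfg="$home_dir/.gitconfig"
    findings=0

    # Plaintext token file written by "credential.helper store".
    if [ -e "$home_dir/.git-credentials" ]; then
        echo "FAIL: $home_dir/.git-credentials holds plaintext credentials"
        findings=$((findings + 1))
    fi
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found"
        return $((findings + 1))
    fi

    # Tokens embedded in a URL, e.g. https://user:token@host/...
    if grep -Eq 'https?://[^/@[:space:]]+:[^/@[:space:]]+@' "$cfg"; then
        echo "FAIL: $cfg contains a URL with embedded credentials"
        findings=$((findings + 1))
    fi

    # Every "helper = ..." line must name an existing git-credential-manager.exe
    # (the path changes if Git for Windows is installed somewhere else).
    helpers=$(sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*helper[[:space:]]*=[[:space:]]*//p' "$cfg" | tr -d '"')
    if [ -z "$helpers" ]; then
        echo "FAIL: no credential helper configured"
        findings=$((findings + 1))
    fi
    while IFS= read -r helper; do
        [ -n "$helper" ] || continue
        case $helper in
            */git-credential-manager.exe)
                [ -f "$helper" ] && continue
                echo "FAIL: helper path does not exist: $helper" ;;
            *)
                echo "FAIL: helper is not git-credential-manager.exe: $helper" ;;
        esac
        findings=$((findings + 1))
    done <<EOF
$helpers
EOF
    return "$findings"
}
```

Inside WSL, run it as `audit_git_home "$HOME" && echo "OK: no git secrets in WSL"`.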