Security

Git Credential Helper Setup

Configure Git credential helpers to avoid typing usernames and passwords repeatedly while keeping credentials secure.

Who This Is For
  • Developers who need to configure Git security and authentication
Prerequisites
  • Basic SSH concepts
  • Command-line experience
Common Risks
  • Poor key management leading to security leaks
  • Not understanding signing policy causing verification failures

Overview

Typing usernames and passwords for every Git operation is tedious. Credential helpers cache or store credentials securely and provide them automatically.

Common Credential Helpers

HelperStorageBest For
cacheIn-memory (configurable TTL)Short-lived, secure
osxkeychainmacOS KeychainmacOS users
manager-coreWindows Credential ManagerWindows users
libsecretLinux Secret ServiceLinux desktop users
storePlaintext disk file⚠️ Not recommended

Configuration

macOS: osxkeychain

# Usually pre-installed with Git on macOS
git config --global credential.helper osxkeychain

# Verify
git config --global --get credential.helper
# Output: osxkeychain

The first operation will prompt for Keychain access — approve it and you won't be asked again.

Memory Cache

# Default 15-minute cache
git config --global credential.helper cache

# Custom timeout (seconds)
git config --global credential.helper "cache --timeout=3600"
# Cache for 1 hour

Best for short sessions — cache clears on reboot.

Linux: libsecret

# Install libsecret
sudo apt-get install libsecret-1-0 libsecret-1-dev
sudo make --directory=/usr/share/doc/git/contrib/credential/libsecret

# Configure
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret

Per-Host Configuration

Use different helpers for different Git hosts:

# Global: osxkeychain
git config --global credential.helper osxkeychain

# Per-host: cache for GitLab
git config --global credential.https://gitlab.com.helper cache

Credential Context

Git matches credential contexts by URL. Common config:

# ~/.gitconfig
[credential]
  helper = osxkeychain

[credential "https://github.com"]
  username = your-github-username

[credential "https://gitlab.com"]
  username = your-gitlab-username

Security Recommendations

  1. Avoid store helper: Stores credentials in plaintext — anyone with disk access can read them
  2. HTTPS vs SSH: SSH keys are usually better for long-term use than HTTPS credentials
  3. Regular cleanup: Periodically review stored credentials and remove unused ones
  4. Environment isolation: Use different credential configs for work vs personal repos

Troubleshooting

Helper Not Working

# Debug: see which helper Git is trying to use
GIT_TRACE=1 git fetch

# Force a specific helper
git -c credential.helper=osxkeychain fetch

Clearing Cached Credentials

# Clear all credential cache
git credential-cache exit

# Or manually delete Keychain entries (macOS)
open /Applications/Utilities/Keychain\ Access.app

Continue Learning

  1. security/ssh-key-management — SSH key management
  2. security/signing-advanced — Advanced commit signing
  3. security/gpg-signing — GPG signing basics

Related Reads

CommandsExtended
SSH Key Management & Git Authentication
CommandsRecommended
Advanced Commit Signing
CommandsExtended
git-config Tutorial

Previous / Next

PreviousGPG Signing & Git Commit VerificationCommandsNextAdvanced Commit SigningCommands