git-crypt cheatsheet

We can include sensitive files under version control by using git-crypt to transparently encrypt them when they are committed and decrypt them on checkout. Only files matched by patterns in .gitattributes are encrypted, and only their contents: file names, file sizes, commit messages and the rest of the history stay in the clear. Access is granted either to public keys registered with gpg or via a single symmetric key.

git-crypt has a great project page that explains the commands in more detail. This is my quick cheatsheet for symmetric key usage, which is handy for CI/CD environments where one key can be injected as a pipeline secret.

Flow

1. Prepare the repo

From the root of an existing git repository:

cd repo
git-crypt init

Specify files to encrypt/decrypt in the .gitattributes file:

secretdir/** filter=git-crypt diff=git-crypt

Commit .gitattributes before adding any secrets: the filter only runs when a matching file is added, so anything committed earlier stays in plaintext in the history. Keep .gitattributes at the repository root so it does not match the pattern itself, and run git-crypt status to list every file and whether it will be encrypted.

Export the symmetric key for this repo (a raw key file, with no passphrase and no GPG involvement) and base64 encode it so it can be pasted into a CI secret variable. The encoding is for transport only: anyone holding this key can decrypt every secret ever committed, so keep it out of the repository and treat the .asc file exactly like the key itself (it is plain base64, not GPG ASCII armor):

git-crypt export-key ~/git-crypt.key
base64 < ~/git-crypt.key > ~/git-crypt.asc   # macOS form: base64 --input ~/git-crypt.key --output ~/git-crypt.asc

2. Use the repo

Manage the sensitive files as plaintext in the working tree, safe in the knowledge that git-crypt's clean filter encrypts them on the way into the git object store (git diff still shows plaintext via the diff filter). Before leaving a machine, git-crypt lock puts the working tree back into its encrypted state.

echo "some secret" > secretdir/secret1.txt
git add secretdir/secret1.txt
git commit -m "Add a secret"

3. Decrypt the cloned repo

After cloning the repo elsewhere, the secrets will be encrypted:

git clone repo
cd repo
cat secretdir/secret1.txt # <-- still encrypted

Make the symmetric key available (in CI, from a secret variable rather than a file in the repo), decode it back from base64 into a file only the current user can read, and use it to unlock the repository. Delete the key file once the job has finished with it:

base64 --decode < ~/git-crypt.asc > ~/git-crypt.key   # macOS form: base64 --decode --input ~/git-crypt.asc --output ~/git-crypt.key
git-crypt unlock ~/git-crypt.key
cat secretdir/secret1.txt # <-- now unencrypted
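The three steps above as one runnable script, as an added example that is not part of the original cheatsheet or of git-crypt itself. It assumes git and git-crypt are on PATH and a base64 that understands --decode (GNU coreutils and macOS both do); the scratch repository paths, the commit identity and the key file names are constructed for the demo. Beyond the cheatsheet it adds the two checks a CI job wants: that the committed blob really carries git-crypt's GITCRYPT magic header rather than plaintext, and a portable base64 round trip of the key that keeps the decoded key file private.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet or the git-crypt project.
# Assumes git and git-crypt on PATH and a base64 that accepts --decode.
# All paths, the commit identity and the secret content are constructed for the demo.
set -eu

# Every blob git-crypt writes starts with the 10-byte magic header "\0GITCRYPT\0".
# Checking the committed object for that header proves a secret is really
# encrypted in the object store, instead of trusting what the working tree shows.
is_git_crypt_encrypted() {
    # $1: path to a file; compare its first 10 bytes, hex encoded, to the header
    [ "$(head -c 10 "$1" | od -An -tx1 | tr -d ' \n')" = "00474954435259505400" ]
}

# Base64 the raw key as a single line, the shape a CI secret variable expects.
# base64 -w0 is GNU-only, so strip the line wrapping with tr instead.
key_to_base64() {
    base64 < "$1" | tr -d '\n'
}

# Decode a base64 secret back into a key file that only the current user can read.
# $1: destination path, $2: base64 string
base64_to_key() {
    ( umask 077 && printf '%s' "$2" | base64 --decode > "$1" )
}

# Full round trip: init, encrypt, export, clone, unlock. Returns 0 only if every
# check passes; set -e aborts at the first failing step.
git_crypt_round_trip() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    (
        set -e
        cd "$work"
        git init -q origin
        cd origin
        git config user.email ci@example.com   # constructed identity for the demo
        git config user.name ci
        git-crypt init
        printf 'secretdir/** filter=git-crypt diff=git-crypt\n' > .gitattributes
        mkdir secretdir
        printf 'some secret\n' > secretdir/secret1.txt
        git add .gitattributes secretdir/secret1.txt
        git commit -q -m "Add a secret"

        # Working tree is plaintext, the committed blob is ciphertext.
        # git cat-file -p returns the stored blob without running any filter.
        git cat-file -p HEAD:secretdir/secret1.txt > "$work/blob"
        grep -q 'some secret' secretdir/secret1.txt
        is_git_crypt_encrypted "$work/blob"

        git-crypt export-key "$work/git-crypt.key"
        key_b64=$(key_to_base64 "$work/git-crypt.key")

        # A fresh clone sees only ciphertext until it is unlocked with the key.
        cd "$work"
        git clone -q origin clone
        cd clone
        is_git_crypt_encrypted secretdir/secret1.txt
        base64_to_key "$work/restored.key" "$key_b64"
        git-crypt unlock "$work/restored.key"
        [ "$(cat secretdir/secret1.txt)" = "some secret" ]
        git-crypt status          # lists each file and whether it is encrypted
        rm -f "$work/restored.key" "$work/git-crypt.key"
    )
}

# Run the round trip only when asked, so the helpers can be sourced by a CI script.
if [ "${1:-}" = "demo" ]; then
    git_crypt_round_trip && echo "git-crypt round trip OK"
fi
```

Run it as `sh script.sh demo`, or source it without arguments and reuse the helpers in a pipeline, for example to fail the build when is_git_crypt_encrypted rejects a blob that .gitattributes says should be encrypted.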
Published on: 02 Jul 2019