git-crypt cheatsheet
We can safely include sensitive files under version control by using git-crypt
to transparently encrypt/decrypt specific files, keyed either by public/private keys registered with gpg
or by a single symmetric key.
git-crypt
has a great project page that explains the commands in more detail. This is my quick cheatsheet for symmetric key usage, which is handy for CI/CD environments where the key file can be injected from the pipeline's secret store. Two caveats to keep in mind: git-crypt only encrypts file contents, so file names, directory layout and commit messages stay visible; and it has no key revocation or rotation, so anyone who has ever held the key can read every past and future commit encrypted with it.
Flow
1. Prepare the repo
From the root of an existing git repository:
cd repo
git-crypt init
Specify files to encrypt/decrypt in the .gitattributes
file:
secretdir/** filter=git-crypt diff=git-crypt
Commit .gitattributes itself (it must stay in plaintext) before adding any secret files: the clean filter only runs on files added to the index after the attribute is in place, and anything committed earlier stays readable in the history.
Export the symmetric key for this repo (a raw key file, not protected by a passphrase and not held in a GPG keyring) and base64 encode it so it can be pasted into a CI variable as a single line. The base64 step is encoding, not protection: treat git-crypt.asc exactly like the raw key. The --input/--output flags are the macOS/BSD base64 syntax; GNU coreutils base64 takes the file as an argument, writes to stdout and wraps at 76 columns unless given -w 0.
git-crypt export-key ~/git-crypt.key
base64 --input ~/git-crypt.key --output ~/git-crypt.asc
2. Use the repo
Edit the sensitive files as plaintext in the working tree, safe in the knowledge that git-crypt
will be transparently encrypting them on the way into the git
object store (and decrypting them again on checkout while the repo is unlocked).
echo "some secret" > secretdir/secret1.txt
git add secretdir/secret1.txt
git commit -m "Add a secret"
3. Decrypt the cloned repo
After cloning the repo elsewhere, the secrets in the working tree are still ciphertext (binary data beginning with git-crypt's "\0GITCRYPT\0" header):
git clone repo
cd repo
cat secretdir/secret1.txt # <-- still encrypted
Make the base64 key available (for example as a CI secret written to a file), decode it back into the raw key and use it to unlock the repository. unlock stores the key under .git/ and re-checks-out the encrypted files as plaintext:
base64 --decode --input ~/git-crypt.asc --output ~/git-crypt.key
git-crypt unlock ~/git-crypt.key
cat secretdir/secret1.txt # <-- now unencrypted
The repo stays unlocked from then on, so on a shared or long-lived CI runner delete the key file once it has been used and run git-crypt lock when the job no longer needs the secrets.
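Steps 1 to 3 as one runnable script, as an added example that is not part of this cheatsheet or the git-crypt project. It adds two checks a CI job would want that the flow above leaves implicit: a test for git-crypt's "\0GITCRYPT\0" ciphertext header, so a pipeline fails loudly if unlock did not happen, and portable base64 helpers that work on both GNU and BSD/macOS in place of the macOS-only --input/--output form. The temporary paths, the demo git identity, the sample secret and the "demo" argument are all constructed for this example; the end-to-end part needs git and git-crypt on PATH, the helpers do not.

```sh
#!/bin/sh
# Added example (not from the git-crypt project): helpers for the symmetric-key
# flow plus an end-to-end run in a throwaway directory.
set -eu

# git-crypt ciphertext blobs begin with a NUL byte, the ASCII string GITCRYPT and
# another NUL. Returns 0 if the file starts with that header, i.e. it is still
# encrypted in this checkout.
is_gitcrypt_encrypted() {
  local magic
  magic=$(head -c 10 "$1" | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "00474954435259505400" ]
}

# Portable replacements for "base64 --input/--output": GNU and BSD base64 both
# read stdin, and "-d" decodes on both. tr strips the 76-column wrapping GNU
# base64 adds so the key becomes one line that fits in a CI variable.
encode_key() { base64 < "$1" | tr -d '\n' > "$2"; }
decode_key() { base64 -d < "$1" > "$2"; }

# The check to run right after "git-crypt unlock" in CI: fail if a file that
# should now be plaintext is still ciphertext.
assert_plaintext() {
  if is_gitcrypt_encrypted "$1"; then
    echo "ERROR: $1 is still git-crypt ciphertext; was the repo unlocked?" >&2
    return 1
  fi
}

# Demo identity passed per command so no global git config is needed (constructed).
commit_as_demo() { git -c user.name=demo -c user.email=demo@example.com commit -q -m "$1"; }

# End-to-end run of steps 1 to 3; needs git and git-crypt on PATH.
demo_flow() {
  command -v git-crypt >/dev/null 2>&1 || { echo "git-crypt not installed" >&2; return 1; }
  work=$(mktemp -d)

  # Step 1: prepare the repo, committing .gitattributes before any secret exists.
  git init -q "$work/repo"
  ( cd "$work/repo"
    git-crypt init
    mkdir secretdir
    printf 'secretdir/** filter=git-crypt diff=git-crypt\n' > .gitattributes
    git add .gitattributes && commit_as_demo "Enable git-crypt"
    # Step 2: commit a secret; the clean filter encrypts it into the object store.
    echo "some secret" > secretdir/secret1.txt
    git add secretdir/secret1.txt && commit_as_demo "Add a secret"
    git-crypt export-key "$work/git-crypt.key"
    encode_key "$work/git-crypt.key" "$work/git-crypt.asc" )

  # Step 3: a fresh clone holds ciphertext until the key is decoded and unlocked.
  git clone -q "$work/repo" "$work/clone"
  ( cd "$work/clone"
    is_gitcrypt_encrypted secretdir/secret1.txt || { echo "clone is not encrypted?" >&2; exit 1; }
    decode_key "$work/git-crypt.asc" "$work/ci.key"
    git-crypt unlock "$work/ci.key"
    rm -f "$work/ci.key"            # the key now lives under .git/, drop the copy
    assert_plaintext secretdir/secret1.txt
    echo "clone after unlock: $(cat secretdir/secret1.txt)"
    git-crypt status -e             # list the files that are under encryption
    git-crypt lock )                # re-encrypt the checkout when the job is done
  rm -rf "$work"
}

# Run the demo only when asked, so the helpers can be sourced from a CI script.
if [ "${1:-}" = "demo" ]; then demo_flow; fi
```

Run it as "sh git-crypt-demo.sh demo" to see the full flow; in a pipeline, source the file and call assert_plaintext on each secret right after git-crypt unlock.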