Using git-crypt to encrypt sensitive data in your git repository

This is another note of the kind: “I don’t want to google for it next time I need it in few years”

Sometimes we need to store sensitive data in our git repository and it definitely should not be stored in plaintext. This is where git-crypt becomes very usefull. It allows to encrypt plaintext with the help of gpg keys. The enabledment is pretty simple.

GPG part

First make sure that you have gpg installed of the latest version:

gpg --version

Create a new key:

gpg --full-generate-key

Options to be defined:

  1. RSA and RSA
  2. 4096 bit
  3. defined whatever expiry you want. Normal practice is 1 year.

GIT repository part

List keys:

gpg -k

Inside your git repository run the following:

git-crypt init
git-crypt add-gpg-user USER_ID

Specify files to encrypt by creating a .gitattributes file:

secret.txt filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt

You’ll need to git-add and git-commit the newly created files

git add .gitattributes
git add .git-crypt
git commit .git-crypt .gitattributes -m "Added git crypt"
git push

That is it. The file will showup encrypted in your git repository gpg-encrypted-file

After cloning a repository with encrypted files, unlock with GPG:

git-crypt unlock

Adding new key to repository

For example you need to add one more contributor to your repository.

New contributor got to share his GPG key by exporting it:

gpg --armor --export USER_ID > USER_ID.gpg

You’ll need to import it, trust it and add user:

gpg --import USER_ID.gpg
gpg ––edit–key D2B3EAAF9A8D5DB93CC30B26CCA243599CC80727B
> trust
> save
> quit
git-crypt add-gpg-user D2B3EAAF9A8D5DB93CC30B26CCA243599CC80727B
  1. Securing your secret keys with git-crypt
  2. AGWA/git-crypt