In short, git-crypt is a tool that allows you to encrypt and decrypt files with GPG keys in the background of Git commands. Once the tool is properly configured, the files are encrypted on push to and decrypted when fetched from the remote server.
NOTE: git-crypt is not a super secure encryption, and does not replace the need to protect the repo behind 2FA. It's use is to allow us to share code level data that should not be saved with our codebase (i.e. external credentials) but that we still wish to share with the team.
Based on this guide.
-
Mac OS
brew install git-crypt brew install gpg
In case of problems, make sure that you have the Homebrew package manager installed.
-
Linux
apt-get install -y git-crypt sudo apt-get install gnupg
-
Windows
First, create a new directory and add two files:
mkdir myrepo
cd myrepo
echo “everybody can read it” > README.md
echo “this file has sensitive data” > secrets.txt
After that, initialize Git and git-crypt:
git init
git-crypt init
During the git-crypt initialization a key for encryption will be generated.
In the directory with the sensitive data, add a .gitattributes file and define which files should be encrypted. In our case, this will be secrets.txt:
secrets.txt filter=git-crypt diff=git-crypt
Create new definitions for each file. You can also add patterns in the following way:
*.key filter=git-crypt diff=git-crypt
secretdir/** filter=git-crypt diff=git-crypt
A good practice is to add a line to prevent encrypting the .gitattributes file itself:
.gitattributes !filter !diff
To check if the defined conditions work, run the following: git-crypt status -e
From now on the files will be automatically encrypted on every push, i.e. you will be able to read and edit them in your local working copy, but on the remote and in other working copies the files will be encrypted.
If you already have a repository with committed files with secrets, git-crypt will only encrypt their new versions. Make sure to remove the files from the entire repository history before employing git-crypt.
git add .
git commit -m ‘init commit’
git remote add origin REMOTE_URL
git push master
Once you open secrets.txt on the remote, you will see that it’s an encrypted binary file:
Secrets.txt in repository
Secrets.txt in repository
If an unauthorized person (i.e. without a proper GPG key) clones the repository, the files in their working copy will also be encrypted. If you want your teammates to view and edit those files, you can do one of two things:
Begin with exporting the key that you used for encryption: git-crypt export-key path/where/key/should/be/saved
The exported key should be passed to your team members in a secure way. They can now decrypt the repository by running: git-crypt unlock path/to/key
The files in the repository will be decrypted for as long as you run git-crypt lock. All newly fetched changes will also be decrypted automatically.
First, the person we want to authorize needs to create their own GPG key. While creating it, they will be asked to enter an e-mail address: gpg --gen-key
After that, they need to list the keys and copy the key ID: gpg --list-keys
The key ID is the string displayed after the key expiry date.
The last step is printing the key and passing it to the admin that will be granting the permissions to git-crypt: gpg --export --armor $KEY_ID
Now, the admin that grants the git-crypt rights has to save the GPG key on their disk and import it with the following command: gpg --import /path/to/file
After importing it, they need to add the key as trusted to git-crypt in the repository: git-crypt add-gpg-user --trusted $EMAIL
The email address is the address that was entered by the user while generating the key (it can be viewed by listing the keys).
After committing changes to the repository, the new user is now able to decrypt the files in their working copy by running: git-crypt unlock