
@frobware
Created June 15, 2024 20:31
git-crypt setup

Initialise Repository with git-crypt

Initialise the repository:

$ git-crypt init

Git Attributes Setup

Encrypting All Files in the secrets Directory

Create a directory for secrets and use a .gitattributes file to ensure all files in the secrets directory are always encrypted.

$ cat .gitattributes
secrets/** filter=git-crypt diff=git-crypt
.gitattributes !filter !diff

Add and commit the .gitattributes file:

$ git add .gitattributes
$ git commit -m "Add .gitattributes for secrets directory encryption" .gitattributes

Encrypting All Files in the Repository

Alternatively, use a .gitattributes file to ensure all files in the repository are always encrypted.

$ cat .gitattributes
** filter=git-crypt diff=git-crypt
.gitattributes !filter !diff

Add and commit the .gitattributes file:

$ git add .gitattributes
$ git commit -m "Add .gitattributes for repository-wide encryption" .gitattributes

Export the Symmetric Key

Export the symmetric key, base64-encode it, and store it in a secure location (e.g., pass or Bitwarden).

$ git-crypt export-key - | base64 | pbcopy

Or to add this key directly to your pass password store:

$ git-crypt export-key - | base64 | pass insert -m <pass-name>

Restore the Symmetric Key

To decrypt the files in this repository on another machine, retrieve the key from your password manager, base64-decode it, and pass it to git-crypt unlock.

$ pass show <pass-name> | base64 --decode | git-crypt unlock -

Or using pbpaste if you have the key in the clipboard:

$ pbpaste | base64 --decode | git-crypt unlock -

Verify Encryption Status

To check which files git-crypt reports as encrypted, use the following command:

$ git-crypt status

This command will display the encryption status of files in your repository. Ensure that the files you expect to be encrypted are listed as such. If any files are not encrypted as expected, check your .gitattributes configuration and ensure git-crypt has been correctly set up for those files.
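The same check can be run where git-crypt itself is not installed (for example in CI) by inspecting the committed blobs directly. The script below is an added example, not part of the original gist: it lists every path that .gitattributes marks with a git-crypt filter but whose blob in a given revision does not start with the 10-byte header git-crypt writes in front of its ciphertext, which is what you see when a file was committed before the .gitattributes rule existed or from a clone where the filter was never configured. The function names are hypothetical, and it assumes it is run from the repository root with path names that contain no newlines or quote characters.

```shell
#!/bin/sh
# Added example (not from the original gist): find files that are marked for
# git-crypt in .gitattributes but are stored in plaintext in a revision.

# git-crypt prefixes every encrypted blob with "\0GITCRYPT\0" (10 bytes, hex below).
GITCRYPT_MAGIC_HEX=00474954435259505400

# Succeeds if the data on stdin starts with the git-crypt header.
has_gitcrypt_header() {
    [ "$(head -c 10 | od -An -tx1 | tr -d ' \n')" = "$GITCRYPT_MAGIC_HEX" ]
}

# Print each path in revision $1 (default HEAD) whose filter attribute is
# git-crypt (or a named key, git-crypt-<name>) but whose blob lacks the header.
# Returns 1 if any such path exists, 0 otherwise.
find_plaintext_secrets() {
    rev=${1:-HEAD}
    found=$(
        git ls-tree -r --name-only "$rev" | while IFS= read -r path; do
            # Attributes are resolved from the checked-out .gitattributes files.
            attr=$(git check-attr filter -- "$path")
            case $attr in
                *": filter: git-crypt"*) ;;
                *) continue ;;
            esac
            # Empty blobs hold nothing that could leak; skip them.
            [ "$(git cat-file -s "$rev:$path")" -gt 0 ] || continue
            git cat-file blob "$rev:$path" | has_gitcrypt_header ||
                printf '%s\n' "$path"
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Source the file and call find_plaintext_secrets (optionally with a revision) as a CI step; a non-zero return means at least one listed file needs to be rotated and re-committed through the filter.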
