Using git-crypt to encrypt sensitive data in your git repository
This is another note of the kind: “I don’t want to google for it next time I need it in few years”
Sometimes we need to store sensitive data in our git repository and it definitely should not be stored in plaintext. This is where git-crypt becomes very usefull. It allows to encrypt plaintext with the help of gpg keys. The enabledment is pretty simple.
GPG part
First make sure that you have gpg installed of the latest version:
gpg --version
Create a new key:
gpg --full-generate-key
Options to be defined:
- RSA and RSA
- 4096 bit
- defined whatever expiry you want. Normal practice is 1 year.
GIT repository part
List keys:
gpg -k
Inside your git repository run the following:
git-crypt init
git-crypt add-gpg-user USER_ID
Specify files to encrypt by creating a .gitattributes file:
secret.txt filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
You’ll need to git-add and git-commit the newly created files
git add .gitattributes
git add .git-crypt
git commit .git-crypt .gitattributes -m "Added git crypt"
git push
That is it. The file will showup encrypted in your git repository
After cloning a repository with encrypted files, unlock with GPG:
git-crypt unlock
Adding new key to repository
For example you need to add one more contributor to your repository.
New contributor got to share his GPG key by exporting it:
gpg --armor --export USER_ID > USER_ID.gpg
You’ll need to import it, trust it and add user:
gpg --import USER_ID.gpg
gpg ––edit–key D2B3EAAF9A8D5DB93CC30B26CCA243599CC80727B
> trust
> save
> quit
git-crypt add-gpg-user D2B3EAAF9A8D5DB93CC30B26CCA243599CC80727B