Configs · May 30, 2026 · 1 min read

git-crypt — Transparent Encryption for Files in Git

A tool that transparently encrypts and decrypts designated files in a git repository, so secrets can live in the same repository as the code while the remote only ever stores ciphertext.

Agent-ready: this asset can be installed directly by an agent. The agent first selects the current runtime, checks the install plan, then runs the matching command.

Native · 98/100 · Policy: allowed
Agent entry: any MCP/CLI agent
Type: Skill
Install: Single
Trust level: Established
Entry: git-crypt Overview
Direct install command:
npx -y tokrepo@latest install f0510f60-5bbd-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first to confirm the install plan, then run this command.

Introduction

git-crypt adds transparent file-level encryption to git repositories. Designated files are encrypted when they are staged and committed (git's clean filter) and decrypted when they are checked out (the smudge filter), so authorized developers see plaintext in their working tree while the repository itself, and therefore every remote and clone, holds only ciphertext. It lets teams keep configuration secrets, certificates, and credentials in the same repo as their code.

What git-crypt Does

  • Encrypts specified files using AES-256 before they are committed to the repository
  • Decrypts those files automatically when an authorized user checks them out
  • Uses GPG keys to manage access so each collaborator can unlock with their own key
  • Supports symmetric key export for use in CI/CD pipelines and automated deployments
  • Leaves unencrypted files completely untouched, working alongside normal git operations

Architecture Overview

git-crypt works as a git clean/smudge filter plus a diff driver (textconv). When a file matching a .gitattributes pattern is staged, the clean filter encrypts its contents with AES-256 in CTR mode, using a nonce derived from an HMAC-SHA1 of the plaintext; when the file is checked out, the smudge filter decrypts it. Because the nonce is derived from the content, encryption is deterministic: the same plaintext always yields the same ciphertext. The repository's symmetric key is encrypted to each authorized collaborator's GPG public key and committed under .git-crypt/; the unlocked copy lives in the local .git/ directory and is never committed. The tool is written in C++, links against OpenSSL, and invokes the gpg binary at runtime for key management.

Self-Hosting & Configuration

  • Install via Homebrew, apt, or compile from source (requires OpenSSL and GnuPG)
  • Run git-crypt init once per repository to generate the symmetric key
  • Define which files to encrypt in .gitattributes using glob patterns (for example secrets/* filter=git-crypt diff=git-crypt), and commit .gitattributes before adding any matching file: a file committed before the pattern exists is stored in plaintext and stays in history
  • Grant access to team members with git-crypt add-gpg-user GPG_KEY_ID
  • For CI, export a symmetric key file with git-crypt export-key and unlock with git-crypt unlock /path/to/key
  • Verify with git-crypt status (git-crypt status -e lists the encrypted files) that every intended file is actually encrypted in the index
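The failure mode behind the .gitattributes ordering advice above, and the reason the architecture section's magic header matters, is that git silently stores a filter=git-crypt file in plaintext whenever no clean filter is configured at the moment it is staged. The following script is an added example, not part of git-crypt or this page's skill, that audits a repository's index for exactly that condition using only git: every git-crypt ciphertext blob begins with the 10-byte header "\0GITCRYPT\0", so any tracked path carrying the filter=git-crypt attribute whose index blob lacks that header has leaked. The function names and the sample repository layout are our own.

```shell
#!/bin/sh
# Added example, not part of git-crypt: audit a repository's index for files that
# .gitattributes marks with filter=git-crypt but that are stored as PLAINTEXT.
# This happens when a matching file was committed before .gitattributes existed or
# before `git-crypt init`/`unlock` ran: git finds no clean filter and stores it as-is.
# git-crypt ciphertext always begins with the 10-byte header "\0GITCRYPT\0", so the
# check needs only git, not git-crypt. The function names are our own (assumption).

MAGIC_HEX='00474954435259505400'   # hex("\0GITCRYPT\0")

# is_gitcrypt_ciphertext: succeed (exit 0) iff stdin starts with the git-crypt header.
is_gitcrypt_ciphertext() {
  hex=$(head -c 10 | od -An -v -tx1 | tr -d ' \n')
  [ "$hex" = "$MAGIC_HEX" ]
}

# audit_gitcrypt_index REPO: print the path of every tracked file that carries
# filter=git-crypt yet whose index blob is not ciphertext. Empty output means clean.
# `git cat-file blob :path` reads the index directly, bypassing the smudge filter,
# so this inspects exactly what a remote receives on push.
audit_gitcrypt_index() {
  git -C "$1" ls-files | while IFS= read -r f; do
    case $(git -C "$1" check-attr filter -- "$f" </dev/null) in
      *": filter: git-crypt") ;;     # managed by git-crypt, must be ciphertext
      *) continue ;;                 # not a git-crypt path, nothing to check
    esac
    git -C "$1" cat-file blob ":$f" | is_gitcrypt_ciphertext || echo "$f"
  done
}

# Usage from a repository root, e.g. as a pre-push hook:
#   leaked=$(audit_gitcrypt_index .)
#   [ -z "$leaked" ] || { printf 'plaintext in index:\n%s\n' "$leaked"; exit 1; }
```

Run it from the repository root before the first push and after any change to .gitattributes. A non-empty result means the plaintext is already in a commit; removing the file is not enough, the secret itself has to be rotated and the offending history rewritten.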

Key Features

  • Encryption is transparent: git diff, git log -p, and git blame show plaintext for authorized users
  • No changes to your git workflow; you commit, push, and pull as usual
  • Supports multiple GPG keys so each team member has independent access
  • Encrypted files are opaque ciphertext to unauthorized users; the \0GITCRYPT\0 header marks them as git-crypt files, and file names, sizes, and change history remain visible
  • Works with any git hosting service since encryption happens client-side

Comparison with Similar Tools

  • SOPS (originally from Mozilla, now a CNCF project) — encrypts values inside structured files (YAML, JSON) while leaving keys readable; git-crypt encrypts entire files transparently
  • Sealed Secrets — designed for Kubernetes secrets management; git-crypt is a general-purpose git encryption tool
  • HashiCorp Vault — centralized secrets management service; git-crypt stores secrets directly in the repo
  • git-secret — similar concept using GPG; git-crypt is implemented in C++ and integrates more deeply with git filters

FAQ

Q: What happens if someone without access clones the repo? A: Encrypted files appear as opaque ciphertext (unusable without the key), while the rest of the repo works normally. Only the contents of matching files are hidden; their names, sizes, and commit history are not.

Q: Can I revoke access for a team member? A: Not in any meaningful way. There is no built-in revocation command, and deleting the user's key file from .git-crypt/ only prevents future unlocks with that key; the person already holds the symmetric key and every clone they made, so all history encrypted under it stays readable to them. Real revocation means generating a new repository key (re-initializing git-crypt), rotating the secrets themselves, and re-adding the remaining users. Rewriting and force-pushing history is optional hygiene, not a security control, since the old ciphertext has already left the building.

Q: Is it safe to store production secrets this way? A: It is suitable for small teams and projects. Keep in mind that every clone carries the full secret history and every authorized developer holds the key, so a lost laptop or a departed colleague requires rotating the secrets. For larger organizations, a dedicated secrets manager such as Vault provides access control, audit trails, and rotation that git-crypt cannot.

Q: Does git-crypt encrypt commit messages or branch names? A: No. Only file contents matching the .gitattributes patterns are encrypted; file names, sizes, and the commit graph stay in the clear. Because encryption is deterministic, an observer can also tell when an encrypted file changed between commits and whether two encrypted files have identical contents.
