# git-crypt — Transparent Encryption for Files in Git

> A tool that enables transparent encryption and decryption of files in a git repository, letting you store secrets alongside code safely.

## Quick Use

```bash
# Install on macOS
brew install git-crypt

# Initialize in a repository
git-crypt init

# Specify files to encrypt via .gitattributes
echo "secrets/** filter=git-crypt diff=git-crypt" >> .gitattributes

# Add a GPG collaborator
git-crypt add-gpg-user USER_ID

# Export a symmetric key for CI
git-crypt export-key /path/to/keyfile
```

## Introduction

git-crypt adds transparent file-level encryption to git repositories. Designated files are encrypted automatically when they are committed and decrypted on checkout, so authorized developers see plaintext while the remote stores ciphertext. It lets teams keep configuration secrets, certificates, and credentials in the same repo as their code.

## What git-crypt Does

- Encrypts specified files using AES-256 before they are committed to the repository
- Decrypts those files automatically when an authorized user checks them out
- Uses GPG keys to manage access so each collaborator can unlock with their own key
- Supports symmetric key export for use in CI/CD pipelines and automated deployments
- Leaves unencrypted files completely untouched, working alongside normal git operations

## Architecture Overview

git-crypt works as a git clean/smudge filter and a git diff filter. When a file matching the `.gitattributes` pattern is staged, the clean filter encrypts its contents with AES-256-CTR. When the file is checked out, the smudge filter decrypts it. The encryption key is itself encrypted with each authorized GPG public key and stored in `.git-crypt/`. The tool is written in C++ and depends on OpenSSL and GnuPG.
## Self-Hosting & Configuration

- Install via Homebrew, apt, or compile from source (requires OpenSSL and GnuPG)
- Run `git-crypt init` once per repository to generate the symmetric key
- Define which files to encrypt in `.gitattributes` using glob patterns
- Grant access to team members with `git-crypt add-gpg-user GPG_KEY_ID`
- For CI, export a symmetric key file and use `git-crypt unlock /path/to/key`

## Key Features

- Encryption is transparent: `git diff`, `git log -p`, and `git blame` show plaintext for authorized users
- No changes to your git workflow; you commit, push, and pull as usual
- Supports multiple GPG keys so each team member has independent access
- Encrypted files are indistinguishable from binary blobs to unauthorized users
- Works with any git hosting service since encryption happens client-side

## Comparison with Similar Tools

- **SOPS (Mozilla)** — encrypts values inside structured files (YAML, JSON); git-crypt encrypts entire files transparently
- **Sealed Secrets** — designed for Kubernetes secrets management; git-crypt is a general-purpose git encryption tool
- **HashiCorp Vault** — centralized secrets management service; git-crypt stores secrets directly in the repo
- **git-secret** — similar concept using GPG; git-crypt is implemented in C++ and integrates more deeply with git filters

## FAQ

**Q: What happens if someone without access clones the repo?**

A: Encrypted files appear as binary blobs. The rest of the repo works normally.

**Q: Can I revoke access for a team member?**

A: You need to remove their GPG key, re-key the repository, and force push. There is no built-in revocation command.

**Q: Is it safe to store production secrets this way?**

A: It is suitable for small teams and projects. For larger organizations, a dedicated secrets manager like Vault provides better audit trails and rotation.

**Q: Does git-crypt encrypt commit messages or branch names?**

A: No. Only file contents matching the `.gitattributes` patterns are encrypted.
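A check for a failure mode the configuration steps above leave implicit: a file committed before its `.gitattributes` pattern existed, or a path the pattern does not cover, sits in history as plaintext even though the repository "uses git-crypt". This added script (not part of git-crypt) reads a commit's raw blobs with git plumbing and flags covered paths that lack the `\0GITCRYPT\0` header the smudge filter checks for; its `.gitattributes` matching is a simplified assumption, and the sample data in the test is constructed.

```python
"""Audit a commit's blobs for files that .gitattributes marks for git-crypt
but that were stored in plaintext. Added example, not git-crypt's own code;
it relies only on the magic header git-crypt's smudge filter checks."""
import fnmatch
import subprocess
import sys

GITCRYPT_MAGIC = b"\0GITCRYPT\0"  # 10-byte header written by the clean filter


def gitcrypt_patterns(gitattributes: str) -> list:
    """Glob patterns whose attribute list contains filter=git-crypt."""
    rows = [ln.split("#", 1)[0].split() for ln in gitattributes.splitlines()]
    return [r[0] for r in rows if r and "filter=git-crypt" in r[1:]]


def matches(path: str, pattern: str) -> bool:
    """Approximate gitattributes matching (assumption: enough for the common
    'secrets/**' and '*.pem' styles): no '/' means basename match."""
    if "/" not in pattern:
        return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)
    return fnmatch.fnmatchcase(path, pattern.replace("**", "*"))


def is_encrypted(blob: bytes) -> bool:
    return blob.startswith(GITCRYPT_MAGIC)


def find_plaintext_leaks(blobs: dict, gitattributes: str) -> list:
    """Paths a git-crypt pattern covers whose committed content lacks the
    header, i.e. that anyone with read access to the remote can read."""
    pats = gitcrypt_patterns(gitattributes)
    return sorted(path for path, data in blobs.items()
                  if any(matches(path, p) for p in pats)
                  and not is_encrypted(data))


def blobs_at(rev: str = "HEAD") -> dict:
    """Raw blobs of a commit. cat-file applies neither the smudge filter nor
    the diff textconv, so an unlocked checkout cannot mask a leak."""
    names = subprocess.check_output(
        ["git", "ls-tree", "-r", "--name-only", "-z", rev]).split(b"\0")
    return {n.decode(): subprocess.check_output(
        ["git", "cat-file", "blob", f"{rev}:{n.decode()}"]) for n in names if n}


if __name__ == "__main__":
    tree = blobs_at(sys.argv[1] if len(sys.argv) > 1 else "HEAD")
    leaks = find_plaintext_leaks(
        tree, tree.get(".gitattributes", b"").decode(errors="replace"))
    for path in leaks:
        print(f"PLAINTEXT: {path}")
    sys.exit(1 if leaks else 0)
```

Run it inside a repository against any revision (`python audit.py HEAD~5`) to catch secrets that predate the pattern; a non-zero exit makes it usable as a pre-push or CI gate.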
## Sources

- https://github.com/AGWA/git-crypt
- https://www.agwa.name/projects/git-crypt/

---

Source: https://tokrepo.com/en/workflows/asset-f0510f60
Author: AI Open Source