Transparent Git Encryption
Switch branches/tags
Clone or download
Pull request Compare This branch is 39 commits ahead, 2 commits behind shadowhand:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Transparent Git Encryption

The gitcrypt tool is inspired by this document written by Ning Shang, which was in turn inspired by this post. Without these two documents, by people much smarter than me, gitcrypt would not exist.

There is some controversy over using this technique, so do your research and understand the implications of using this tool before you go crazy with it.


Openssl must be installed and the binary must be available in your $PATH.


Clone git-encrypt somewhere on your local machine:

$ git clone
$ cd git-encrypt

The gitcrypt command must be executable:

$ chmod 0755 gitcrypt

And it must be accessible in your $PATH:

$ sudo ln -s gitcrypt /usr/local/bin/gitcrypt


To quickly setup gitcrypt interactively, run gitcrypt init from the root of your git repository. It will ask you for a passphrase, shared salt, cipher mode, and what files should be encrypted.

$ cd my-repo
$ gitcrypt init

Your repository is now set up! Any time you git add a file that matches the filter pattern the clean filter is applied, automatically encrypting the file before it is staged. Using git diff will work normally, as it automatically decrypts file content as necessary.

Manual Configuration

First, you will need to add a shared salt (16 hex characters) and a secure passphrase to your git configuration:

$ git config gitcrypt.salt 0000000000000000
$ git config gitcrypt.pass my-secret-phrase

It is possible to set these options globally using git config --global, but more secure to create a separate passphrase for every repository.

The default encryption cipher is aes-256-ebc, which should be suitable for almost everyone. However, it is also possible to use a different cipher:

$ git config gitcrypt.cipher aes-256-ebc

An "ECB" mode is used because it encrypts in a format that provides usable text diff, meaning that a single change will not cause the entire file to be internally marked as changed. Because a static salt must be used, using "CBC" would provide very little, if any, increased security over "ECB" mode.

Next, you need to define what files will be automatically encrypted using the .git/info/attributes file. Any file pattern format can be used here.

To encrypt all the files in the repo:

* filter=encrypt diff=encrypt
    renormalize = true

To encrypt only one file, you could do this:

secret.txt filter=encrypt diff=encrypt

Or to encrypt all ".secure" files:

*.secure filter=encrypt diff=encrypt

If you want this mapping to be included in your repository, use a .gitattributes file instead and do not encrypt it.

Next, you need to map the encrypt filter to gitcrypt:

$ git config filter.encrypt.smudge "gitcrypt smudge"
$ git config filter.encrypt.clean "gitcrypt clean"
$ git config diff.encrypt.textconv "gitcrypt diff"

Or if you prefer to manually edit .git/config:

[filter "encrypt"]
    smudge = gitcrypt smudge
    clean = gitcrypt clean
[diff "encrypt"]
    textconv = gitcrypt diff

Decrypting Clones

To set up decryption from a clone, you will need to repeat the same setup on the new clone.

First, clone the repository, but do not perform a checkout:

$ git clone -n git://
$ cd encrypted

If you do a git status now, it will show all your files as being deleted. Do not fear, this is actually what we want right now, because we need to setup gitcrypt before doing a checkout.

Now you can either run gitcrypt init or do the same manual configuration that performed on the original repository.

Once configuration is complete, reset and checkout all the files:

$ git reset --hard HEAD

All the files in the are now decrypted and ready to be edited.

Alternate method:

Contributed by Jay Taylor

The shell script automatically performs all prepartion, setup and configuration for a local repository clone, prompting the user for any required information (salt and password phrases.) This method of also ensures that the git-encrypt scripts are automatically installed to ~/.gitencrypt/. One drawback to this approach is that it only supports having 1 password.

One reason to use this alternate approach is because it makes decrypting cloned repositories as simple as executing one script.


Once you've cloned git-encrypt using the alternate script is straightforward:

$ cd /path/to/your/repository
$ sh /path/to/git-encrypt/

Then you can add the files you would like to have encrypted to the .gitattributes file contained in the root of your repository.


Enjoy your secure git repository! If you think gitcrypt is totally awesome, you could buy me something or donate some money.