Transparent Git Encryption
There is some controversy over using this technique, so do your research and understand the implications of using this tool before you go crazy with it.
OpenSSL must be installed and the `openssl` binary must be available in your `$PATH`.

Clone git-encrypt somewhere on your local machine:

```
$ git clone https://github.com/shadowhand/git-encrypt
$ cd git-encrypt
```
The `gitcrypt` command must be executable:

```
$ chmod 0755 gitcrypt
```

And it must be accessible in your `$PATH`. Link it by absolute path; a relative target (`ln -s gitcrypt /usr/local/bin/gitcrypt`) would create a symlink that points at itself:

```
$ sudo ln -s "$(pwd)/gitcrypt" /usr/local/bin/gitcrypt
```
To quickly set up gitcrypt interactively, run `gitcrypt init` from the root of your git repository. It will ask you for a passphrase, shared salt, cipher mode, and what files should be encrypted.

```
$ cd my-repo
$ gitcrypt init
```
Your repository is now set up! Any time you `git add` a file that matches the filter pattern, the `clean` filter is applied, automatically encrypting the file before it is staged. `git diff` works normally, as it automatically decrypts file content as necessary.
First, you will need to add a shared salt (16 hex characters) and a secure passphrase to your git configuration (the all-zero salt below is only an example; use a random value):

```
$ git config gitcrypt.salt 0000000000000000
$ git config gitcrypt.pass my-secret-phrase
```

It is possible to set these options globally using `git config --global`, but it is more secure to create a separate passphrase for every repository.
The default encryption cipher is `aes-256-ecb`, which should be suitable for almost everyone. However, it is also possible to configure a different OpenSSL cipher name:

```
$ git config gitcrypt.cipher aes-256-ecb
```

ECB mode is used because it encrypts in a format that gives a usable text diff: a single change does not cause the entire file to be internally marked as changed. Because a static salt must be used, CBC would provide very little, if any, increased security over ECB mode.
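To see what the ECB choice buys and what it costs, here is an added example that is not part of git-encrypt. It encrypts two constructed plaintexts with the same `-S` salt / `-k` passphrase key derivation the page configures, once in ECB and once in CBC, then counts how many 16-byte ciphertext blocks a one-byte edit disturbs and whether a repeated plaintext block is visible in the ciphertext. Only the `openssl` binary is assumed; the salt, passphrase and plaintexts are constructed for the demo.

```sh
#!/bin/sh
# Added example (not part of git-encrypt): measure what the page's ECB choice buys
# and what it costs. Assumes only that the openssl binary is on $PATH.
set -eu

SALT=0000000000000000        # constructed 16-hex-char salt, as in the page's example
PASS=my-secret-phrase        # constructed passphrase

# Four 16-byte plaintext blocks. P2 differs from P1 in exactly one byte inside
# block 3, and block 4 of both repeats block 1 (constructed to expose ECB's leak).
P1="AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCAAAAAAAAAAAAAAAA"
P2="AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCXCCCCCCAAAAAAAAAAAAAAAA"

# Encrypt stdin with the given OpenSSL cipher name (same -S/-k key derivation the
# page configures) and print the ciphertext as one hex string. openssl prepends a
# 16-byte "Salted__" header block that is identical for every run with this salt.
# stderr is silenced only to hide OpenSSL 3's "deprecated key derivation" notice.
enc_hex() {
  openssl enc -e "-$1" -S "$SALT" -k "$PASS" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Hex of the n-th 16-byte block (1-based) of a hex string.
block_at() {
  printf '%s' "$1" | cut -c "$(( ($2 - 1) * 32 + 1 ))-$(( $2 * 32 ))"
}

# Number of 16-byte blocks that differ between two equal-length hex strings.
count_diff_blocks() {
  n=0; i=1
  while [ "$i" -le "$(( ${#1} / 32 ))" ]; do
    [ "$(block_at "$1" "$i")" = "$(block_at "$2" "$i")" ] || n=$((n + 1))
    i=$((i + 1))
  done
  echo "$n"
}

# How many ciphertext blocks change when one plaintext byte changes?
# ECB: 1 (the diff-friendliness the page describes). CBC: every block from the
# change onwards, including the padding block.
diff_blocks() {
  count_diff_blocks "$(printf '%s' "$P1" | enc_hex "$1")" "$(printf '%s' "$P2" | enc_hex "$1")"
}

# Do the two identical plaintext blocks (1 and 4) produce identical ciphertext?
# They sit in ciphertext blocks 2 and 5 because block 1 is the salt header.
# ECB: yes, so anyone holding the repository can see which blocks repeat. CBC: no.
repeated_block_visible() {
  c=$(printf '%s' "$P1" | enc_hex "$1")
  if [ "$(block_at "$c" 2)" = "$(block_at "$c" 5)" ]; then echo yes; else echo no; fi
}

for cipher in aes-256-ecb aes-256-cbc; do
  echo "$cipher: blocks changed by a 1-byte edit = $(diff_blocks "$cipher"), repeated plaintext block visible = $(repeated_block_visible "$cipher")"
done
```

Run it with `sh`. ECB disturbs one ciphertext block per edited plaintext block, which is what keeps `git diff` readable, but the same property means identical 16-byte stretches of plaintext are identical in the stored blob, so the repository reveals repetition and structure to anyone who can read it, passphrase or not. That is the trade the page is making when it says CBC would add little here.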
To encrypt all the files in the repo, use this attribute line:

```
* filter=encrypt diff=encrypt
```

and, in your git config (this is a config setting, not an attribute), enable renormalization on merge:

```
[merge]
    renormalize = true
```

To encrypt only one file, you could do this:

```
secret.txt filter=encrypt diff=encrypt
```

Or to encrypt all ".secure" files:

```
*.secure filter=encrypt diff=encrypt
```

If you want this mapping to be included in your repository, use a `.gitattributes` file in the repository root instead of the local `.git/info/attributes`, and do not encrypt it.
Next, map the `encrypt` filter and diff driver to the gitcrypt commands:

```
$ git config filter.encrypt.smudge "gitcrypt smudge"
$ git config filter.encrypt.clean "gitcrypt clean"
$ git config diff.encrypt.textconv "gitcrypt diff"
```

Or, if you prefer to edit `.git/config` manually:

```
[filter "encrypt"]
    smudge = gitcrypt smudge
    clean = gitcrypt clean
[diff "encrypt"]
    textconv = gitcrypt diff
```
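The mapping above can be exercised end to end. The following added example (not git-encrypt's own code) builds a throw-away repository, applies the same `filter.encrypt.*` / `diff.encrypt.*` settings and a `*.secure` attribute, commits a constructed secret, and then checks what a cautious user should check before pushing: that the blob git stored is ciphertext, and that the working tree and a fresh checkout are plaintext. It assumes `git` and `openssl` are on `$PATH`; because `gitcrypt` may not be installed, the filter bodies are the equivalent `openssl enc` calls written inline, the textconv driver is a small wrapper script (textconv receives a file path), and it additionally sets `filter.encrypt.required`, which is not on the page.

```sh
#!/bin/sh
# Added example (not git-encrypt's own code): wire the page's filter mapping
# into a throw-away repository and verify that git really stores ciphertext.
# Assumptions: git and openssl are on $PATH; gitcrypt itself may not be
# installed, so the filter bodies are the equivalent openssl calls inline.
set -eu

SALT=0000000000000000      # constructed; generate a random 16-hex-char value for real use
PASS=my-secret-phrase      # constructed
CIPHER=aes-256-ecb         # the page's default

# Create a temporary repo with the encrypt filter/diff driver configured and one
# committed secret. Prints the repository path.
setup_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  # The settings the page maps with "git config filter.encrypt.*" / "diff.encrypt.*".
  git -C "$repo" config filter.encrypt.clean  "openssl enc -base64 -$CIPHER -S $SALT -k $PASS"
  git -C "$repo" config filter.encrypt.smudge "openssl enc -d -base64 -$CIPHER -S $SALT -k $PASS"
  # textconv is handed a file path, so it needs a tiny wrapper that passes -in.
  cat > "$repo/.git/encrypt-textconv.sh" <<EOF
#!/bin/sh
exec openssl enc -d -base64 -$CIPHER -S $SALT -k $PASS -in "\$1"
EOF
  chmod 0755 "$repo/.git/encrypt-textconv.sh"
  git -C "$repo" config diff.encrypt.textconv "$repo/.git/encrypt-textconv.sh"
  # Not on the page, but worth adding: make git refuse to stage the file if the
  # clean filter fails (e.g. openssl missing) instead of silently committing plaintext.
  git -C "$repo" config filter.encrypt.required true
  printf '*.secure filter=encrypt diff=encrypt\n' > "$repo/.gitattributes"
  printf 'db_password=hunter2\n' > "$repo/creds.secure"   # constructed secret
  git -C "$repo" add .gitattributes creds.secure
  git -C "$repo" commit -q -m 'add encrypted credentials'
  echo "$repo"
}

# The committed blob must start with base64("Salted__") = "U2FsdGVkX1", the
# header openssl writes. git cat-file shows the raw blob, bypassing smudge/textconv.
stored_blob_is_encrypted() {
  case "$(git -C "$1" cat-file -p HEAD:creds.secure)" in
    U2FsdGVkX1*) echo yes ;;
    *)           echo no ;;
  esac
}

# The working-tree copy must be readable plaintext.
worktree_is_plaintext() {
  if grep -q 'db_password=hunter2' "$1/creds.secure"; then echo yes; else echo no; fi
}

# Deleting the file and checking it out again must run smudge and restore plaintext.
plaintext_restored_after_checkout() {
  rm -f "$1/creds.secure"
  git -C "$1" checkout -q -- creds.secure
  worktree_is_plaintext "$1"
}

REPO=$(setup_demo_repo)
echo "attribute on creds.secure:      $(git -C "$REPO" check-attr filter creds.secure)"
echo "stored blob encrypted:          $(stored_blob_is_encrypted "$REPO")"
echo "working tree plaintext:         $(worktree_is_plaintext "$REPO")"
echo "plaintext restored on checkout: $(plaintext_restored_after_checkout "$REPO")"
rm -rf "$REPO"
```

The `cat-file` check is the one to keep in mind with the real tool: run `git cat-file -p HEAD:<file>` on any file you expect to be encrypted before you push, because if the attribute pattern misses the file or the filter is not configured in a fresh clone, git stores it in the clear without complaint unless `filter.encrypt.required` is set.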
To set up decryption from a clone, you will need to repeat the same setup on the new clone.

First, clone the repository, but do not perform a checkout:

```
$ git clone -n git://github.com/johndoe/encrypted.get
$ cd encrypted
```

If you do a `git status` now, it will show all your files as being deleted. Do not fear: this is actually what we want right now, because we need to set up gitcrypt before doing a checkout.

Now you can either run `gitcrypt init` or do the same manual configuration that you performed on the original repository.

Once configuration is complete, reset and check out all the files:

```
$ git reset --hard HEAD
```

All the files in the repository are now decrypted and ready to be edited.
Alternate method: git-encrypt-init.sh
Contributed by Jay Taylor
The git-encrypt-init.sh shell script automatically performs all preparation, setup and configuration for a local repository clone, prompting the user for any required information (salt and passphrase). This method also ensures that the git-encrypt scripts are automatically installed to ~/.gitencrypt/. One drawback to this approach is that it only supports having
One reason to use this alternate approach is because it makes decrypting cloned repositories as simple as executing one script.
Once you've cloned git-encrypt, using the alternate script is straightforward:

```
$ cd /path/to/your/repository
$ sh /path/to/git-encrypt/git-encrypt-init.sh
```

Then you can add the files you would like to have encrypted to the `.gitattributes` file contained in the root of your repository.