File encryption in Git Repository

4

33

Is there any way (built-in or add-on) to encrypt individual files in a repository so that they are accessible only to a limited set of people? Files checked in by those people would be auto-encrypted, and auto-decrypted when checked out. They would stay encrypted if anyone else tried to access them.

Fionafionna answered 18/1, 2018 at 21:38 Comment(6)
I do not know of anything that does this "off the shelf" as it were, but in theory, you can, through .gitattributes and clean and smudge filters, accomplish this goal. It's just a Small Matter of Programming... – Stickler
Have a look at github.com/AGWA/git-crypt – Shear
git-crypt — git-crypt enables transparent encryption and decryption of files in a git repository. Files which you choose to protect are encrypted when committed, and decrypted when checked out. git-crypt lets you freely share a repository containing a mix of public and private content. git-crypt gracefully degrades, so developers without the secret key can still clone and commit to a repository with encrypted files. – Tyus
@phd: git-crypt looks like just what I was thinking of (except they obviously know more than I do about encryption—I can follow the description but know nothing of the proof they mention, but it certainly sounds like the right idea). – Stickler
I am using gocryptfs at the bottom, and a normal git inside the mounted plaintext drive – Hawfinch
@MartinMeeser With regard to gocryptfs, gec builds upon it to use a git repo on the outside. – Burkholder
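The clean/smudge approach raised in the comments above, as an added example in Go (constructed for this page; not code from the question, from git-crypt, or from any other project named here). It mirrors the design point in the git-crypt description: the IV is derived from an HMAC of the plaintext, so encryption is deterministic (an unchanged file always maps to the same blob and git sees no change) and the IV doubles as an integrity check on the way back; it also passes unmarked content through, which is what lets a clone without the key still check out. The marker bytes, the binary name gitsiv and the GITFILTER_KEY_FILE environment variable are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
)

// magic marks a blob as produced by this filter (the example's own marker, not git-crypt's).
var magic = []byte("\x00GITFILTER-SIV\x00")

// hmacSum returns HMAC-SHA256(key, data).
func hmacSum(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// deriveKeys splits the repository key (any length) into separate AES-256 and HMAC keys.
func deriveKeys(repoKey []byte) (encKey, macKey []byte) {
	return hmacSum(repoKey, []byte("enc")), hmacSum(repoKey, []byte("mac"))
}

// Clean is git's "clean" filter: working-tree plaintext -> blob stored in git.
// The CTR IV is HMAC(macKey, plaintext): equal plaintexts give equal blobs, so an
// unchanged file never shows as modified, and the IV doubles as an integrity tag.
func Clean(repoKey, plaintext []byte) ([]byte, error) {
	if bytes.HasPrefix(plaintext, magic) {
		return plaintext, nil // already encrypted: clean is idempotent
	}
	encKey, macKey := deriveKeys(repoKey)
	iv := hmacSum(macKey, plaintext)[:aes.BlockSize]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	out := append([]byte{}, magic...)
	out = append(out, iv...)
	return append(out, ct...), nil
}

// Smudge is git's "smudge" filter: blob from git -> working-tree plaintext. Unmarked
// content passes through (a clone without the key still checks out); a wrong key or
// a modified blob is rejected instead of being written to the working tree as garbage.
func Smudge(repoKey, blob []byte) ([]byte, error) {
	if !bytes.HasPrefix(blob, magic) {
		return blob, nil
	}
	if len(blob) < len(magic)+aes.BlockSize {
		return nil, errors.New("truncated encrypted blob")
	}
	encKey, macKey := deriveKeys(repoKey)
	iv := blob[len(magic) : len(magic)+aes.BlockSize]
	ct := blob[len(magic)+aes.BlockSize:]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	// Recomputing the synthetic IV from the recovered plaintext is the integrity check.
	if !hmac.Equal(hmacSum(macKey, pt)[:aes.BlockSize], iv) {
		return nil, errors.New("integrity check failed: wrong key or tampered blob")
	}
	return pt, nil
}

func die(v ...interface{}) { fmt.Fprintln(os.Stderr, v...); os.Exit(1) }

// main speaks git's filter protocol: content on stdin, transformed content on stdout.
// Assumption: the repository key is the raw content of the file named by $GITFILTER_KEY_FILE.
func main() {
	if len(os.Args) != 2 || (os.Args[1] != "clean" && os.Args[1] != "smudge") {
		die("usage: gitsiv clean|smudge (repository key in $GITFILTER_KEY_FILE)")
	}
	key, err := os.ReadFile(os.Getenv("GITFILTER_KEY_FILE"))
	if err != nil {
		die("cannot read key file:", err)
	}
	in, err := io.ReadAll(os.Stdin)
	if err != nil {
		die(err)
	}
	f := Clean
	if os.Args[1] == "smudge" {
		f = Smudge
	}
	out, err := f(key, in)
	if err != nil {
		die(err) // with filter.<driver>.required=true git aborts the checkout or commit
	}
	os.Stdout.Write(out)
}
```

To wire the built binary into a repository, register it as a filter driver (git config filter.gitsiv.clean "gitsiv clean", git config filter.gitsiv.smudge "gitsiv smudge", git config filter.gitsiv.required true) and list the protected paths in .gitattributes, for example "secrets/** filter=gitsiv". Two caveats a practitioner should weigh: deterministic encryption reveals when two files, or two revisions of one file, are identical (that is the price of idempotence), and because every revision in history is encrypted under the same repository key, a leaked key means rotating it and rewriting history, not just re-encrypting the current tree.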
23

I know my answer is late, but there are plenty of alternatives for storing secrets in git repos:

  1. Git-crypt
  2. BlackBox
  3. SOPS
  4. Transcrypt

Most of them use GNU Privacy Guard (GPG), symmetric-key encryption, and/or cloud key services (SOPS). If you just want a simple encryption mechanism with a password, you can also take a look at Ansible Vault, which doesn't require generating keys for each account.

Afresh answered 11/2, 2020 at 9:44 Comment(4)
Git-crypt is simple and easy to use – Flattie
Git-crypt has had no releases since 2017. – Ceric
git-crypt 0.7.0 released on 2022-04-21 github.com/AGWA/git-crypt/releases/tag/0.7.0 – Scarcity
I also have good experience with git-crypt, but my follow-up question: is there a possibility to work with them on Android (found no way for git-crypt, besides solutions like termux)? Or any other ideas how to conveniently open (git-)crypted files in a git repo from Android? – Chuckhole
2

Maybe Blackbox helps?

From their website (https://github.com/StackExchange/blackbox):

Safely store secrets in a VCS repo (i.e. Git, Mercurial, Subversion or Perforce). These commands make it easy for you to Gnu Privacy Guard (GPG) encrypt specific files in a repo so they are "encrypted at rest" in your repository. However, the scripts make it easy to decrypt them when you need to view or edit them, and decrypt them for use in production. Originally written for Puppet, BlackBox now works with any Git or Mercurial repository.

...

Rather than one GPG passphrase for all the files, each person with access has their own GPG keys in the system. Any file can be decrypted by anyone with their GPG key. This way, if one person leaves the company, you don't have to communicate a new password to everyone with access. Simply disable the one key that should no longer have access. The process for doing this is as easy as running 2 commands (1 to disable their key, 1 to re-encrypt all files.)

Himelman answered 18/1, 2018 at 21:49 Comment(0)
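The per-person key model described in this answer, as an added example in Go (constructed for this page; it is not BlackBox's code or file format, and it substitutes RSA-OAEP plus AES-256-GCM from Go's standard library for GPG). It shows why the second of the two commands matters: dropping an admin's key only removes their wrapped copy of the file key, while re-encrypting draws a fresh file key the revoked person never received. The Vault type, the admin names and the plaintext are this example's own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Vault is one encrypted file plus its file key wrapped to each admin: a constructed
// model of the one-key-per-person scheme, not BlackBox's GPG-based format.
type Vault struct {
	Ciphertext []byte            // GCM nonce || ciphertext
	Wrapped    map[string][]byte // admin name -> RSA-OAEP wrapped file key
}

// NewAdmin generates an admin key pair (stands in for a personal GPG key).
func NewAdmin() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random file key, seals the plaintext with it and wraps the
// key to every admin, so every re-encryption rotates the file key.
func Encrypt(plaintext []byte, admins map[string]*rsa.PublicKey) (*Vault, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v := &Vault{Ciphertext: gcm.Seal(nonce, nonce, plaintext, nil), Wrapped: map[string][]byte{}}
	for name, pub := range admins {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
		if err != nil {
			return nil, err
		}
		v.Wrapped[name] = w
	}
	return v, nil
}

// Decrypt recovers the plaintext for one admin using their private key.
func Decrypt(v *Vault, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := v.Wrapped[name]
	if !ok {
		return nil, errors.New("no wrapped file key for " + name)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(v.Ciphertext) < ns {
		return nil, errors.New("truncated ciphertext")
	}
	return gcm.Open(nil, v.Ciphertext[:ns], v.Ciphertext[ns:], nil)
}

// RevokeWithoutRekey is the first command on its own: the admin's wrapped entry is
// deleted, but ciphertext and file key are unchanged, so a copy of the old entry
// (it sits in git history) still opens the file. This is not a real revocation.
func RevokeWithoutRekey(v *Vault, revoked string) {
	delete(v.Wrapped, revoked)
}

// Revoke is the full two-step procedure: drop the admin, then re-encrypt, which draws
// a new file key the revoked admin never received. A remaining admin (reader) must
// decrypt first, since re-encryption needs the plaintext. Mutates admins.
func Revoke(v *Vault, revoked, reader string, readerPriv *rsa.PrivateKey, admins map[string]*rsa.PublicKey) (*Vault, error) {
	pt, err := Decrypt(v, reader, readerPriv)
	if err != nil {
		return nil, err
	}
	delete(admins, revoked)
	return Encrypt(pt, admins)
}
```

Note what re-encryption does not undo: revisions already in git history stay encrypted under the old file key, which the revoked person could unwrap while they had access, so the procedure protects future changes only. If the secret itself may have been read, rotate the secret as well, not just the keys around it.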
0

I created this to be a bit simpler and idempotent, since Ansible Vault did not offer a deterministic encryption method. It's probably not the recommended tool for all use cases, but it provides a very simple interface for encryption at rest. https://github.com/shyce/shield

Dyson answered 26/7, 2023 at 4:45 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Crystallization
0

One way is to use Vim.

You can just open the file in Vim.

Then enter the command ":X".

Enter your password.

And share the password with whoever needs to access it.

Day answered 29/12, 2023 at 15:20 Comment(1)
This is an easy solution, but whenever you write to the file and commit, git will save the new file in the repo (instead of the diff between the new file and the last version), as git cannot compute diffs on encrypted files. This eventually bloats the repo. – Ornithischian
