Skip to content

Instantly share code, notes, and snippets.

@turboBasic

turboBasic/Use-symmetric-key-to-encrypt-repository.md

Last active October 31, 2024 15:14
Show Gist options
  • Save turboBasic/29d00adf652aa0a8a582478c95cd566a to your computer and use it in GitHub Desktop.
Save turboBasic/29d00adf652aa0a8a582478c95cd566a to your computer and use it in GitHub Desktop.
Download ZIP
Use git-crypt & symmetric key kept inside a repo to encrypt some files in the repository
Raw
Use-symmetric-key-to-encrypt-repository.md

Use git-crypt & symmetric key kept inside a repo to encrypt some files in the repository

Requirements

  1. GnuPG aka "gpg"
  2. git-crypt

you may totally ignore complicated gpg manuals, but you must understand how git-crypt operates.
gpg 2.2+ uses AES256 by default, so your secrets are fully depend on the passphrase you are going to use.

Prepare repository for encryption

πŸ’€πŸ’€πŸ’€
Β‘ instructions are intentionally provided for empty repository, otherwise it cannot be guaranteed that files you are going to encrypt haven't been leaked to the repo in previous commits !

Create repository & initialize encryption with git-crypt

mkdir encrypted-repo && cd encrypted-repo
git init && git-crypt init
curl --user GITHUB_NAME https://api.github.com/user/repos --data '{ "name": "encrypted-repo" }' && \
    git remote add origin https://github.com/GITHUB_NAME/encrypted-repo.git

Encrypt just generated key using GPG and your super-password, save it as local.key.asc

git-crypt export-key -- - | gpg --symmetric --armor --output local.key.asc

Add files which need to be encrypted to .gitattributes

echo "secretfile   filter=git-crypt diff=git-crypt" >> .gitattributes
echo "secretfile2  filter=git-crypt diff=git-crypt" >> .gitattributes

Commit encrypted key, .gitattributes and .gitignore, set upsream tracking reference

git add local.key.asc .gitattributes .gitignore
git commit --message="Config: git-crypt settings"
git push --set-upstream origin master

Usage

Follow your usual git workflow, git-crypt will take care of transparent encryption of selected files. When you need the new file to be encrypted, add it to .gitattributes as stated in Add files which need to be encrypted to .gitattributes.

πŸ’€πŸ’€πŸ’€
‘‘‘ Do it before adding with git add otherwise non-encrypted file will be committed & pushed to the Internet !!!

Decrypt repository in the new location

Clone & enter repo

git clone https://github.com/GITHUB_NAME/encrypted-repo.git && cd encrypted-repo

Decrypt key by GPG and decrypt repo with it

gpg --decrypt local.key.asc | git-crypt unlock -

You are done 😎 🍻 !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment