Installation and Prerequisites
Install both git-crypt and gpg with your package manager of choice (nix, brew, apt, etc. on unix). Every collaborator needs gpg; git-crypt is needed wherever the repository will be unlocked, including CI runners.
Initialize GPG Key
Create a new gpg key for yourself with
user1$ gpg --full-gen-key
Follow the instructions on screen to generate a key.
The following command lists all secret keys on the system. Note the long key ID (366741AF75170666 in the example below, the 16 hex digits after rsa4096/ on the pub line); it is needed later when adding your key to the project's git-crypt configuration. The 40-digit line underneath is the full fingerprint, which git-crypt also accepts.
user1$ gpg --list-secret-keys --keyid-format=LONG
pub rsa4096/366741AF75170666 2025-01-29 [SC]
09E7EAC1A57FD3C75778BBFA366741AF75170666
uid [ultimate] plharvey (Unexpiring gpg key for at-trad projects) <plharvey@wisc.edu>
sub rsa4096/6C8919581695778A 2025-01-29 [E]
Initialization of Project
Initialize a new git-crypt repository with the init command:
user1$ git-crypt init
Then add the GPG key you just created, identified by its key ID. The --trusted flag tells git-crypt to accept the key without checking GPG's trust database, which is fine for your own key. The command stages and commits the new key file under .git-crypt/ itself (pass --no-commit to only stage it):
user1$ git-crypt add-gpg-user --trusted 366741AF75170666
List every file that must be encrypted in the .gitattributes file at the root of the project, and commit .gitattributes before adding those files. git-crypt only encrypts content that is staged after the filter attribute is in place; a secret committed earlier stays in plaintext in history even though later commits are encrypted:
# In .gitattributes file
secrets.yaml filter=git-crypt diff=git-crypt
Then commit the files to the working branch and push to the remote repository. Before pushing, git-crypt status lists each path and flags any committed version that is not encrypted.
Initializing Other Users
Suppose another user, user2, needs access to the repository. After cloning it they must unlock (decrypt) it locally, which is only possible once user1 has added user2's GPG key to the project.
Follow the same steps for user2 to create their own key. Then export the public key to a file to be shared with user1 (abc123def456 stands for user2's key ID):
user2$ gpg --armor --export -o public-key abc123def456
user1 must then import that public key into their GPG keyring, confirm its fingerprint with user2 out of band (since --trusted skips GPG's own trust check), add it with git-crypt and push the resulting commit to the remote repository. git-crypt add-gpg-user commits the new key file on its own, so the explicit commit is only needed if --no-commit was used.
user1$ gpg --import public-key
user1$ git-crypt add-gpg-user --trusted abc123def456
user1$ git commit -am "added user2 to git-crypt"   # only needed after --no-commit
user1$ git push origin add-user2-to-git-crypt
Once that branch is merged, user2 can pull it and run git-crypt unlock in their local clone. This uses the secret key in user2's own GPG keyring to recover the repository key, after which the encrypted files are readable in the working tree and git-crypt status should report them as encrypted.
user2$ git-crypt unlock
Initializing Repository with Symmetric Key
Alternatively, an already authorized user such as user1 may export the repository's symmetric key to a file for use in environments (like gitlab-runner jobs) where a job must temporarily read the encrypted files. This is the same key that protects every encrypted file in the repository, not a per-job credential: anyone who obtains KEY_FILE can decrypt every revision, so it must never be committed, printed in job logs or left in a build cache.
# user1 on their local machine
user1$ git-crypt export-key KEY_FILE
# Store KEY_FILE as a protected, masked GitLab CI variable (file type or base64-encoded) or in a secret manager; do not commit it
...
# In the gitlab-runner job which requires access to secrets.yaml
runner-job-1$ git-crypt unlock KEY_FILE
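Two checks are worth wrapping around the steps above: confirming that the blobs committed for filter=git-crypt paths really are encrypted (the .gitattributes ordering mistake leaves plaintext in history), and turning a CI variable back into the KEY_FILE that git-crypt unlock expects. The script below is an added example, not code from the original how-to or from the git-crypt project. The variable name GIT_CRYPT_KEY_B64 is an assumption (it is taken to hold the base64 of KEY_FILE); the header check relies on git-crypt's documented blob format, which starts with the 10 bytes \0GITCRYPT\0.

```shell
#!/bin/sh
# Added example, not from the original how-to or the git-crypt project.
# Helpers around the procedures above:
#   1. check that blobs committed for filter=git-crypt paths are encrypted
#      (catches secrets added before .gitattributes existed);
#   2. rebuild KEY_FILE from a CI variable for `git-crypt unlock KEY_FILE`.
# Assumptions: the CI variable GIT_CRYPT_KEY_B64 is hypothetical and holds
# the output of `base64 < KEY_FILE`; git, git-crypt, od and base64 are on
# PATH for the functions that need them.

# git-crypt prefixes every encrypted blob with the 10-byte header
# \0GITCRYPT\0 (followed by a nonce and the ciphertext); this is its hex.
GITCRYPT_MAGIC_HEX="00474954435259505400"

# is_gitcrypt_blob FILE: succeed only if FILE begins with the header.
is_gitcrypt_blob() {
    hex=$(head -c 10 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$hex" = "$GITCRYPT_MAGIC_HEX" ]
}

# check_committed_paths [REV]: for every path whose attributes say
# filter=git-crypt, fetch the blob stored at REV (git show returns the raw
# stored object without running the smudge filter, so this works whether
# the clone is locked or unlocked) and fail if it lacks the header.
check_committed_paths() {
    rev="${1:-HEAD}"
    offenders=$(
        git ls-tree -r --name-only "$rev" |
            git check-attr --stdin filter |
            sed -n 's/: filter: git-crypt$//p' |
            while IFS= read -r path; do
                tmp=$(mktemp)
                git show "$rev:$path" > "$tmp"
                is_gitcrypt_blob "$tmp" || printf '%s\n' "$path"
                rm -f "$tmp"
            done
    )
    if [ -n "$offenders" ]; then
        printf 'plaintext committed at %s for:\n%s\n' "$rev" "$offenders" >&2
        return 1
    fi
    return 0
}

# write_key_from_env VAR DEST: decode the base64 key held in environment
# variable VAR into DEST with owner-only permissions. DEST is the
# repository's single symmetric key: whoever has it can decrypt every
# revision, so it is never echoed, committed or left in a cache.
write_key_from_env() {
    var="$1"; dest="$2"
    eval "b64=\${$var:-}"
    if [ -z "$b64" ]; then
        printf '%s is unset or empty\n' "$var" >&2
        return 1
    fi
    ( umask 077; printf '%s' "$b64" | base64 -d > "$dest" ) || return 1
    chmod 600 "$dest"   # in case DEST already existed with wider permissions
}

# ci_unlock: the sequence a runner job runs after checkout. Not executed
# by the demo below because it needs git-crypt and a real clone.
ci_unlock() {
    key=$(mktemp) || return 1
    write_key_from_env GIT_CRYPT_KEY_B64 "$key" || return 1
    git-crypt unlock "$key"; rc=$?
    rm -f "$key"        # git-crypt keeps its own copy under .git/git-crypt/
    [ "$rc" -eq 0 ] || return "$rc"
    check_committed_paths HEAD
}

# Demo on constructed files, so it runs without a repository.
demo() {
    enc=$(mktemp); plain=$(mktemp)
    printf '\000GITCRYPT\000' > "$enc"
    printf 'nonce-and-ciphertext-stand-in' >> "$enc"   # constructed, not real ciphertext
    printf 'password: hunter2\n' > "$plain"            # what a mis-committed secret looks like
    is_gitcrypt_blob "$enc"   && echo "constructed encrypted blob: header found"
    is_gitcrypt_blob "$plain" || echo "constructed plaintext blob: NO header, would be flagged"
    rm -f "$enc" "$plain"
}
demo
```

In a runner job, call ci_unlock after the checkout step and before anything reads secrets.yaml; check_committed_paths also makes a useful pre-push hook on developer machines, since it fails on exactly the plaintext-in-history mistake that git-crypt cannot undo after the fact.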
Source and Credits
Adapted from source https://www.glennklockwood.com/sysadmin-howtos/git-crypt.html for use with at-trad projects.