Tool of the Week: git-crypt

Ever wanted to commit sensitive data to a git repository in an encrypted way and didn’t know how?

Use git-crypt and selectively add whitelisted users who are allowed to look at the unencrypted file’s contents, while keeping the file encrypted for everybody else.


In this quick demo I will play through a simple workflow to show you the basics of working with git-crypt.


So, to begin with, let’s set up a small repository to play around with:

$ mkdir git-crypt-example && cd $_
$ cat <<DOC > README.md
git-crypt-example
=================

Play around with git-crypt.
DOC

$ git add .
$ git commit -am 'initial commit' 

Subsequently, we want to add sensitive data. In order to allow for this we need to

  • have git-crypt installed and
  • prepare the repository beforehand.

Warning: Never add a sensitive file to the repo before setting up the encryption part!

Creating the to-be-encrypted file but without adding it to the repo yet is definitely okay, though:

$ echo 'encrypt this!' > secret.txt

Following git-crypt’s instructions, let’s go ahead and take care of the required security measures by setting up encryption for this repository:

$ git crypt init
Generating key... 

And continue by adding the secret file’s name to the file .gitattributes, which tells git to run the git-crypt filter on every matching path:

$ cat <<DOC > .gitattributes
secret.txt filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
DOC

Now you should be fine adding the secret file to the repo:

$ git add secret.txt
$ git commit secret.txt -m 'add some data...' 
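The warning above is the one thing that bites people in practice: a secret that is staged before its path is covered by a filter=git-crypt rule lands in history in clear text. As an added example (not code from the original post or from the git-crypt project), here is a small POSIX sh pre-flight check that reads .gitattributes, decides whether a given path is matched by a rule carrying filter=git-crypt, and only then stages the file. It assumes plain gitattributes patterns of the kind used in this post (literal names or simple globs such as *.key); like git, a pattern without a slash is matched against the basename. The .gitattributes it checks is a constructed sample written to a temp dir.

```shell
#!/bin/sh
# Added example, not part of the original post: refuse to stage a file unless
# .gitattributes routes it through the git-crypt filter.
# Assumptions: POSIX sh; rules are simple gitattributes patterns (literal
# names or globs like *.key); a pattern without a slash matches the basename.

# gitcrypt_covered FILE ATTRFILE
# Returns 0 if some rule in ATTRFILE matches FILE and carries filter=git-crypt.
gitcrypt_covered() {
    file=$1
    attrfile=$2
    [ -f "$attrfile" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in ''|'#'*) continue ;; esac
        # pattern is everything up to the first whitespace; the rest are attributes
        pattern=${line%%[[:space:]]*}
        [ -n "$pattern" ] || continue
        rest=${line#"$pattern"}
        # only rules that actually set filter=git-crypt count
        case " $rest " in
            *[[:space:]]filter=git-crypt[[:space:]]*) ;;
            *) continue ;;
        esac
        # patterns without a slash match the basename, like gitattributes does
        case "$pattern" in
            */*) target=$file ;;
            *)   target=${file##*/} ;;
        esac
        # $pattern is deliberately unquoted so the shell applies it as a glob
        case "$target" in
            $pattern) return 0 ;;
        esac
    done < "$attrfile"
    return 1
}

# guarded_add FILE: stage FILE only when a git-crypt rule covers it.
guarded_add() {
    if gitcrypt_covered "$1" .gitattributes; then
        git add -- "$1"
    else
        echo "refusing to stage $1: no filter=git-crypt rule in .gitattributes" >&2
        return 1
    fi
}

# Constructed sample .gitattributes (same rules as in the post) in a temp dir.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_ATTRS="$DEMO_DIR/.gitattributes"
printf '%s\n' \
    '# constructed sample' \
    'secret.txt filter=git-crypt diff=git-crypt' \
    '*.key filter=git-crypt diff=git-crypt' \
    'README.md diff=text' > "$DEMO_ATTRS"

for f in secret.txt conf/secret.txt deploy.key README.md notes.txt; do
    if gitcrypt_covered "$f" "$DEMO_ATTRS"; then
        echo "$f: covered by git-crypt"
    else
        echo "$f: NOT covered, do not stage it as a secret"
    fi
done
```

In a real checkout you would call guarded_add secret.txt instead of a bare git add; the function name and the temp-dir demo are this example's own, not a git-crypt feature.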

Finally, define who is allowed to access the unencrypted content of secret.txt by adding the respective person’s GPG credentials to git-crypt. The easiest way is probably to use the email address that uniquely identifies the person’s public GPG key. Try adding your own GPG key by issuing the following:

git-crypt add-gpg-user my-gpg-user@example.com 

Although the secret file is still readable to you now (try less secret.txt in your current repo, which makes sense since it was you who added the sensitive data in the first place), this will cease to be the case once you push the repository and clone it to some other machine or directory.

In the simplest case, try to clone the repository on your machine to some other directory:

tmp/ $ git clone ~/path/to/git-crypt-example && cd git-crypt-example
tmp/ $ less secret.txt
...BINARY-MUMBO-JUMBO... 

Since you added your own email address to the whitelist of people, unlocking the secret file should work for you:

tmp/ $ git-crypt unlock
tmp/ $ less secret.txt
encrypt this! 

This is all there is to it and should cover everything it takes to be able to add sensitive data to git repositories. Have a lot of fun.

KTHXBYE!