@turboBasic
Last active October 31, 2024 15:14
Use git-crypt & symmetric key kept inside a repo to encrypt some files in the repository

Use symmetric key kept in the repo to encrypt the repo

Requirements

  1. GnuPG aka "gpg"
  2. git-crypt

Prepare repository for encryption

💀💀💀
¡ These instructions are intentionally written for an empty repository; otherwise it cannot be guaranteed that the files you are going to encrypt haven't already been leaked to the repo in previous commits !

Create repository & initialize encryption with git-crypt

mkdir my-encrypted-repo
cd my-encrypted-repo
git init && git-crypt init
curl --user YOUR_GITHUB_NAME https://api.github.com/user/repos --data '{"name":"my-encrypted-repo"}' && \
    git remote add origin https://github.com/YOUR_GITHUB_NAME/my-encrypted-repo.git

Encrypt the just-generated key using GPG and your super-password, and save it as local.key.asc

git-crypt export-key -- - | gpg --symmetric --armor --output local.key.asc

Add files which need to be encrypted to .gitattributes

echo "secretfile   filter=git-crypt diff=git-crypt" >> .gitattributes
echo "secretfile2  filter=git-crypt diff=git-crypt" >> .gitattributes

Commit encrypted key, .gitattributes and .gitignore, set upstream tracking reference

touch .gitignore  # make sure .gitignore exists; git add aborts on a missing path
git add local.key.asc .gitattributes .gitignore
git commit --message="Config: git-crypt settings"
git push --set-upstream origin master

Usage

Follow your usual git workflow; git-crypt will take care of transparent encryption of the selected files. When you need a new file to be encrypted, add it to .gitattributes as described in "Add files which need to be encrypted to .gitattributes".

💀💀💀
¡¡¡ Do this before running git add, otherwise the unencrypted file will be committed & pushed to the Internet !!!

Decrypt repository in the new location

Clone & enter repo

git clone https://github.com/you/your-repo.git
cd your-repo

Decrypt the key with GPG and unlock the repo with it

gpg --decrypt local.key.asc | git-crypt unlock -

You are done 😎 🍻 !
