Use git-crypt & symmetric key kept inside a repo to encrypt some files in the repository
========================================================================================
Requirements
------------
1. [GnuPG](https://www.gnupg.org) aka "gpg"
2. [git-crypt](https://github.com/AGWA/git-crypt)
> You may totally ignore complicated gpg manuals, but you must understand how `git-crypt` operates.
> `gpg` 2.2+ uses AES256 by default, so your secrets depend entirely on the passphrase you are going to use.

Prepare repository for encryption
---------------------------------
> :skull::skull::skull:
> ¡ These instructions are intentionally written for an empty repository; otherwise there is no guarantee that the files you are going to encrypt have not already leaked into the repo in previous commits !
### Create repository & initialize encryption with git-crypt
```bash
mkdir encrypted-repo && cd encrypted-repo
git init && git-crypt init
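# curl prompts for a password: enter a personal access token (the GitHub API no longer accepts account passwords)
curl --user GITHUB_NAME https://api.github.com/user/repos --data '{ "name": "encrypted-repo" }' && \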
git remote add origin https://github.com/GITHUB_NAME/encrypted-repo.git
```
### Encrypt the just-generated key using GPG and your super-password, save it as `local.key.asc`
```bash
git-crypt export-key -- - | gpg --symmetric --armor --output local.key.asc
```
### Add files which need to be encrypted to `.gitattributes`
```bash
echo "secretfile filter=git-crypt diff=git-crypt" >> .gitattributes
echo "secretfile2 filter=git-crypt diff=git-crypt" >> .gitattributes
```
### Commit encrypted key, `.gitattributes` and `.gitignore`, set upstream tracking reference
```bash
# git add aborts if a listed path is missing, so make sure .gitignore exists
touch .gitignore
git add local.key.asc .gitattributes .gitignore
git commit --message="Config: git-crypt settings"
git push --set-upstream origin master
```
Usage
-----
Follow your usual git workflow, git-crypt will take care of transparent encryption of selected files.
When you need a new file to be encrypted, add it to `.gitattributes` as stated in [Add files which need to be encrypted to `.gitattributes`](#add-files-which-need-to-be-encrypted-to-gitattributes).
> :skull::skull::skull:
> ¡¡¡ Do it before running `git add`, otherwise the non-encrypted file will be committed & pushed to the Internet !!!

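
A check for the mistake the warning above describes, written as an added example (not part of the original instructions or of git-crypt itself): it flags staged files that `.gitattributes` marks `filter=git-crypt` but whose blob in the index lacks git-crypt's `\0GITCRYPT\0` header. The function names are made up for this example, and it assumes it runs from the top level of the work tree.

```bash
#!/bin/sh
# Added example: pre-commit check for "git add before the .gitattributes entry".
# Assumption: run from the top level of the work tree (git hooks are).
# Limitation: paths containing newlines are not handled.

# "\0GITCRYPT\0" in hex: the 10-byte header git-crypt writes on encrypted blobs.
GITCRYPT_MAGIC_HEX=00474954435259505400

# Succeeds if the data on stdin starts with the git-crypt header.
has_gitcrypt_header() {
    [ "$(od -An -tx1 -N10 | tr -d ' \t\n')" = "$GITCRYPT_MAGIC_HEX" ]
}

# Prints each staged path that .gitattributes marks filter=git-crypt
# but whose blob in the index is not encrypted.
list_plaintext_secrets() {
    git -c core.quotePath=false diff --cached --name-only --diff-filter=ACM |
    while IFS= read -r path; do
        attr=$(git check-attr filter -- "$path" | sed 's/^.*: filter: //')
        [ "$attr" = "git-crypt" ] || continue
        # An empty blob holds nothing to leak.
        [ "$(git cat-file -s ":$path")" -gt 0 ] || continue
        git cat-file blob ":$path" | has_gitcrypt_header || printf '%s\n' "$path"
    done
}

# Returns 1 (which makes a pre-commit hook abort the commit) if anything leaked.
check_staged_secrets() {
    leaked=$(list_plaintext_secrets)
    if [ -n "$leaked" ]; then
        printf 'Plaintext staged for git-crypt paths:\n%s\n' "$leaked" >&2
        return 1
    fi
    return 0
}
```

Call `check_staged_secrets` from `.git/hooks/pre-commit`. To fix a flagged file, run `git rm --cached` on it and `git add` it again once its `.gitattributes` entry is in place and the repository is unlocked.
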
Decrypt repository in the new location
------------------------------------
### Clone & enter repo
```bash
git clone https://github.com/GITHUB_NAME/encrypted-repo.git && cd encrypted-repo
```
### Decrypt the key with GPG and unlock the repo with it
```bash
gpg --decrypt local.key.asc | git-crypt unlock -
```
### You are done :sunglasses: :beers: !