Initialise the repository:
$ git-crypt init
Create a directory for secrets and use a .gitattributes file to ensure all files in the secrets directory are always encrypted.
$ cat .gitattributes
secrets/** filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
Add and commit the .gitattributes file:
$ git add .gitattributes
$ git commit -m "Add .gitattributes for secrets directory encryption" .gitattributes
Alternatively, use a .gitattributes file to ensure all files in the repository are always encrypted.
$ cat .gitattributes
** filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
Add and commit the .gitattributes file:
$ git add .gitattributes
$ git commit -m "Add .gitattributes for repository-wide encryption" .gitattributes
Export a symmetric secret key, base64-encode it, and store it in a secure location (e.g., pass or Bitwarden).
$ git-crypt export-key - | base64 | pbcopy
Or, to add this key directly to your pass password store:
$ git-crypt export-key - | base64 | pass insert -m <pass-name>
If you need to decrypt the files in this repository on another machine, simply decode the key from your password manager before using it.
$ pass show <pass-name> | base64 --decode | git-crypt unlock -
Or, using pbpaste if you have the key in the clipboard:
$ pbpaste | base64 --decode | git-crypt unlock -
To verify that all files are encrypted based on the status reported by git-crypt, use the following command:
$ git-crypt status
This command will display the encryption status of files in your repository. Ensure that the files you expect to be encrypted are listed as such. If any files are not encrypted as expected, check your .gitattributes configuration and ensure git-crypt has been correctly set up for those files.
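
A complementary check for CI or a pre-push hook, where git-crypt itself may not be installed: the script below is an added example, not part of the original page or of git-crypt, and lists blobs committed in HEAD that do not begin with the git-crypt header. It assumes the secrets/ layout shown above; the function names, the script name and the --check argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): list committed blobs that are
# not git-crypt ciphertext. Needs only git, head, od and tr.

# git-crypt output starts with the 10 bytes "\0GITCRYPT\0"; this is their hex form.
GITCRYPT_MAGIC_HEX=00474954435259505400

# Read a blob on stdin; succeed only if it starts with the git-crypt header.
# A blob shorter than the header (including an empty one) fails the check.
is_gitcrypt_blob() {
    first=$(head -c 10 | od -An -tx1 | tr -d ' \n')
    [ "$first" = "$GITCRYPT_MAGIC_HEX" ]
}

# Print each path in HEAD under the given directory (default: secrets) whose
# committed content is not ciphertext. "git cat-file blob" returns the stored
# object without running the smudge filter, so the result is the same whether
# or not the working copy is unlocked. Paths with newlines or quotes are not handled.
find_plaintext_blobs() {
    git -c core.quotepath=off ls-tree -r --name-only HEAD -- "${1:-secrets}" |
    while IFS= read -r path; do
        case $path in
            .gitattributes|*/.gitattributes) continue ;;  # excluded by "!filter !diff"
        esac
        git cat-file blob "HEAD:$path" | is_gitcrypt_blob || printf '%s\n' "$path"
    done
}

# Hypothetical entry point: sh check-encrypted.sh --check [directory]
if [ "${1:-}" = "--check" ]; then
    leaked=$(find_plaintext_blobs "${2:-secrets}")
    if [ -n "$leaked" ]; then
        printf 'Committed without encryption:\n%s\n' "$leaked" >&2
        exit 1
    fi
fi
```

Any path it prints was committed before the filter was in place or outside the .gitattributes pattern, and its plaintext remains in history even after the file is re-committed encrypted.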