
Git repo encryption

Securely storing secrets in Git: transcrypt, git-crypt, git-secret, and SOPS

transcrypt

git-secret

git-remote-gcrypt

  • Website
  • GitHub
  • Still actively maintained
  • Debian packaged
  • Encrypts the whole repository as it is pushed, so the remote only ever holds ciphertext, rather than single whitelisted files as git-crypt does

Known issues:

gcrypt.require-explicit-force-push

A longstanding issue is that every `git push` behaves as if `--force` had been
given, so a non-fast-forward push overwrites the remote history instead of being
rejected. If this option is set to true, git-remote-gcrypt refuses to push unless
`--force` is passed or the refspec is prefixed with `+`.

git-crypt

  • GitHub
  • Debian packaged
  • Mixed plain/encrypted mode: only files explicitly marked with the git-crypt filter in .gitattributes are encrypted; everything else in the repo is stored in the clear.

Main issue:

Every GPG key added with `add-gpg-user` must be trusted, i.e. signed (or lsigned) with your own key, otherwise git-crypt refuses it. Newer git-crypt versions accept `--trusted` on `add-gpg-user` to skip that check. See the upstream issue "Improve usability/documentation with untrusted GPG keys".

Install

apt install git-crypt

Init

git-crypt init                 # generates the symmetric repo key under .git/git-crypt/
# add Varac's GPG key (must be trusted, see above); this commits an encrypted copy of the repo key
git-crypt add-gpg-user 0x54...
...

Add files

# mark the file for encryption; the attribute must be in place before the file is first staged
echo 'sshkeys/gitlab-runner_ssh filter=git-crypt diff=git-crypt' >> .gitattributes
git add .gitattributes
git check-attr -a sshkeys/gitlab-runner_ssh   # should list filter: git-crypt and diff: git-crypt

Make sure the repo is unlocked before staging files, because git-crypt's clean filter needs the key to encrypt them on `git add`:

git add sshkeys/gitlab-runner_ssh
git commit
git-crypt status -e            # lists only the files stored encrypted

Verify that the committed blob is really ciphertext (after `lock`, `strings` must show no key material, only the GITCRYPT header and random bytes):

git-crypt lock
strings sshkeys/gitlab-runner_ssh
git-crypt unlock

git push
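The lock/strings/unlock round trip above is a manual eyeball check. The script below, added here as an example and not code from the page or from git-crypt itself, turns it into something you can run before every push: it checks that a blob carries git-crypt's 10-byte magic header "\0GITCRYPT\0" (the "GITCRYPT" string that `strings` surfaces on a locked file) and that the path is actually marked with filter=git-crypt in .gitattributes. The gitattributes matching is a shell-glob approximation, not Git's full rule set (`git check-attr` remains authoritative); the sample blobs and attributes in the self-test are constructed for this example; `check_committed_secret` is a hypothetical helper that additionally needs a real git repo.

```shell
#!/bin/sh
# Added example (not from the page or from git-crypt): verify that a secret
# committed under git-crypt is stored as ciphertext, not plaintext.

# git-crypt ciphertext begins with the magic header NUL G I T C R Y P T NUL,
# given here as hex so it can be compared safely in shell.
GITCRYPT_MAGIC_HEX=00474954435259505400

# is_gitcrypt_blob FILE
#   Returns 0 if FILE starts with the git-crypt magic header, 1 otherwise.
#   FILE may be a locked working-tree copy or the output of `git show REV:PATH`.
is_gitcrypt_blob() {
    hdr=$(dd if="$1" bs=1 count=10 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$hdr" = "$GITCRYPT_MAGIC_HEX" ]
}

# gitattributes_filter ATTRFILE PATH
#   Prints the filter name (e.g. git-crypt) that ATTRFILE assigns to PATH, or an
#   empty string. Patterns are matched as shell globs and later lines override
#   earlier ones; this approximates, but does not fully implement, Git's rules.
gitattributes_filter() {
    attrfile=$1
    path=$2
    result=""
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        pattern=${line%% *}
        attrs=${line#* }
        case $path in
            $pattern)
                for a in $attrs; do
                    case $a in
                        filter=*)        result=${a#filter=} ;;
                        -filter|!filter) result="" ;;
                    esac
                done ;;
        esac
    done < "$attrfile"
    printf '%s\n' "$result"
}

# check_committed_secret REV PATH   (hypothetical helper; needs a git repo)
#   Combined check: PATH must be marked filter=git-crypt in .gitattributes and
#   the blob stored at REV:PATH must carry the ciphertext header.
check_committed_secret() {
    rev=$1
    path=$2
    tmp=$(mktemp)
    git show "$rev:$path" > "$tmp" || { rm -f "$tmp"; return 2; }
    if [ "$(gitattributes_filter .gitattributes "$path")" != git-crypt ]; then
        echo "WARN: $path has no filter=git-crypt attribute" >&2
        rm -f "$tmp"; return 1
    fi
    if is_gitcrypt_blob "$tmp"; then
        echo "OK: $rev:$path is git-crypt ciphertext"
        rm -f "$tmp"; return 0
    fi
    echo "FAIL: $rev:$path is stored in plaintext" >&2
    rm -f "$tmp"; return 1
}

# selftest: constructed sample data, runs without git or git-crypt installed.
#   One fake ciphertext blob with the magic header, one plaintext key, and a
#   small .gitattributes with a git-crypt rule plus a later exclusion.
selftest() {
    dir=$(mktemp -d)
    printf '\000GITCRYPT\000\001\002\003' > "$dir/enc"
    printf 'ssh-ed25519 AAAA constructed plaintext key\n' > "$dir/plain"
    printf 'sshkeys/gitlab-runner_ssh filter=git-crypt diff=git-crypt\n' > "$dir/attrs"
    printf '# public halves stay in the clear\nsshkeys/*.pub -filter\n' >> "$dir/attrs"
    rc=0
    is_gitcrypt_blob "$dir/enc"   || rc=1   # header present: ciphertext
    is_gitcrypt_blob "$dir/plain" && rc=1   # no header: plaintext
    [ "$(gitattributes_filter "$dir/attrs" sshkeys/gitlab-runner_ssh)" = git-crypt ] || rc=1
    [ "$(gitattributes_filter "$dir/attrs" sshkeys/runner.pub)" = "" ] || rc=1
    rm -rf "$dir"
    return $rc
}

# Usage inside a git-crypt repo: check_committed_secret HEAD sshkeys/gitlab-runner_ssh
for p in "$@"; do check_committed_secret HEAD "$p"; done
```

Run it with the paths you expect to be encrypted as arguments, or wire it into a pre-push hook so a file that was staged while the repo was locked, or before its .gitattributes line existed, never reaches the remote in the clear.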