{"id":13417838,"url":"https://github.com/AGWA/git-crypt","last_synced_at":"2025-03-15T02:31:45.752Z","repository":{"id":6009614,"uuid":"7232856","full_name":"AGWA/git-crypt","owner":"AGWA","description":"Transparent file encryption in git","archived":false,"fork":false,"pushed_at":"2024-09-03T23:34:41.000Z","size":341,"stargazers_count":8321,"open_issues_count":134,"forks_count":480,"subscribers_count":89,"default_branch":"master","last_synced_at":"2024-10-29T10:54:56.435Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.agwa.name/projects/git-crypt/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AGWA.png","metadata":{"files":{"readme":"README","changelog":"NEWS","contributing":"CONTRIBUTING.md","funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-12-19T00:43:59.000Z","updated_at":"2024-10-28T17:59:49.000Z","dependencies_parsed_at":"2024-10-26T14:06:06.431Z","dependency_job_id":"f9b29b4f-ceae-489c-a479-556cc34227aa","html_url":"https://github.com/AGWA/git-crypt","commit_stats":{"total_commits":192,"total_committers":16,"mean_commits":12.0,"dds":0.09895833333333337,"last_synced_commit":"08dbdcfed4fb182c0efaacb32a6c46481ced095b"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AGWA%2Fgit-crypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AGWA%2Fgit-crypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AGWA%2Fgit-crypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AGWA%2Fgit-crypt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AGWA","download_url":"https://codeload.github.com/AGWA/git-crypt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243674985,"owners_count":20329183,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T22:00:53.651Z","updated_at":"2025-03-15T02:31:45.503Z","avatar_url":"https://github.com/AGWA.png","language":"C++","funding_links":[],"categories":["C++","TODO scan for Android support in followings","HarmonyOS","Git","\u003ca name=\"cpp\"\u003e\u003c/a\u003eC++","C++ (70)","others","Tools","Secret Management"],"sub_categories":["Windows Manager","Snippets Manager","Plugins"],"readme":"ABOUT GIT-CRYPT\n\ngit-crypt enables transparent encryption and decryption of files in a\ngit repository.  Files which you choose to protect are encrypted when\ncommitted, and decrypted when checked out.  git-crypt lets you freely\nshare a repository containing a mix of public and private content.\ngit-crypt gracefully degrades, so developers without the secret key can\nstill clone and commit to a repository with encrypted files.  This lets\nyou store your secret material (such as keys or passwords) in the same\nrepository as your code, without requiring you to lock down your entire\nrepository.\n\ngit-crypt was written by Andrew Ayer \u003cagwa@andrewayer.name\u003e.  For more\ninformation, see \u003chttps://www.agwa.name/projects/git-crypt\u003e.\n\n\nBUILDING GIT-CRYPT\n\nSee the INSTALL file.\n\n\nUSING GIT-CRYPT\n\nConfigure a repository to use git-crypt:\n\n\t$ cd repo\n\t$ git-crypt init\n\nSpecify files to encrypt by creating a .gitattributes file:\n\n\tsecretfile filter=git-crypt diff=git-crypt\n\t*.key filter=git-crypt diff=git-crypt\n\tsecretdir/** filter=git-crypt diff=git-crypt\n\nLike a .gitignore file, it can match wildcards and should be checked into\nthe repository.  See below for more information about .gitattributes.\nMake sure you don't accidentally encrypt the .gitattributes file itself\n(or other git files like .gitignore or .gitmodules).  Make sure your\n.gitattributes rules are in place *before* you add sensitive files, or\nthose files won't be encrypted!\n\nShare the repository with others (or with yourself) using GPG:\n\n\t$ git-crypt add-gpg-user USER_ID\n\nUSER_ID can be a key ID, a full fingerprint, an email address, or anything\nelse that uniquely identifies a public key to GPG (see \"HOW TO SPECIFY\nA USER ID\" in the gpg man page).  Note: `git-crypt add-gpg-user` will\nadd and commit a GPG-encrypted key file in the .git-crypt directory of\nthe root of your repository.\n\nAlternatively, you can export a symmetric secret key, which you must\nsecurely convey to collaborators (GPG is not required, and no files\nare added to your repository):\n\n\t$ git-crypt export-key /path/to/key\n\nAfter cloning a repository with encrypted files, unlock with GPG:\n\n\t$ git-crypt unlock\n\nOr with a symmetric key:\n\n\t$ git-crypt unlock /path/to/key\n\nThat's all you need to do - after git-crypt is set up (either with\n`git-crypt init` or `git-crypt unlock`), you can use git normally -\nencryption and decryption happen transparently.\n\n\nCURRENT STATUS\n\nThe latest version of git-crypt is 0.7.0, released on 2022-04-21.\ngit-crypt aims to be bug-free and reliable, meaning it shouldn't\ncrash, malfunction, or expose your confidential data.  However,\nit has not yet reached maturity, meaning it is not as documented,\nfeatureful, or easy-to-use as it should be.  Additionally, there may be\nbackwards-incompatible changes introduced before version 1.0.\n\n\nSECURITY\n\ngit-crypt is more secure than other transparent git encryption systems.\ngit-crypt encrypts files using AES-256 in CTR mode with a synthetic IV\nderived from the SHA-1 HMAC of the file.  This mode of operation is\nprovably semantically secure under deterministic chosen-plaintext attack.\nThat means that although the encryption is deterministic (which is\nrequired so git can distinguish when a file has and hasn't changed),\nit leaks no information beyond whether two files are identical or not.\nOther proposals for transparent git encryption use ECB or CBC with a\nfixed IV.  These systems are not semantically secure and leak information.\n\n\nLIMITATIONS\n\ngit-crypt relies on git filters, which were not designed with encryption\nin mind.  As such, git-crypt is not the best tool for encrypting most or\nall of the files in a repository. Where git-crypt really shines is where\nmost of your repository is public, but you have a few files (perhaps\nprivate keys named *.key, or a file with API credentials) which you\nneed to encrypt.  For encrypting an entire repository, consider using a\nsystem like git-remote-gcrypt \u003chttps://spwhitton.name/tech/code/git-remote-gcrypt/\u003e\ninstead.  (Note: no endorsement is made of git-remote-gcrypt's security.)\n\ngit-crypt does not encrypt file names, commit messages, symlink targets,\ngitlinks, or other metadata.\n\ngit-crypt does not hide when a file does or doesn't change, the length\nof a file, or the fact that two files are identical (see \"Security\"\nsection above).\n\ngit-crypt does not support revoking access to an encrypted repository\nwhich was previously granted. This applies to both multi-user GPG\nmode (there's no del-gpg-user command to complement add-gpg-user)\nand also symmetric key mode (there's no support for rotating the key).\nThis is because it is an inherently complex problem in the context\nof historical data. For example, even if a key was rotated at one\npoint in history, a user having the previous key can still access\nprevious repository history. This problem is discussed in more detail in\n\u003chttps://github.com/AGWA/git-crypt/issues/47\u003e.\n\nFiles encrypted with git-crypt are not compressible.  Even the smallest\nchange to an encrypted file requires git to store the entire changed file,\ninstead of just a delta.\n\nAlthough git-crypt protects individual file contents with a SHA-1\nHMAC, git-crypt cannot be used securely unless the entire repository is\nprotected against tampering (an attacker who can mutate your repository\ncan alter your .gitattributes file to disable encryption).  If necessary,\nuse git features such as signed tags instead of relying solely on\ngit-crypt for integrity.\n\nFiles encrypted with git-crypt cannot be patched with git-apply, unless\nthe patch itself is encrypted.  To generate an encrypted patch, use `git\ndiff --no-textconv --binary`.  Alternatively, you can apply a plaintext\npatch outside of git using the patch command.\n\ngit-crypt does not work reliably with some third-party git GUIs, such\nas Atlassian SourceTree \u003chttps://jira.atlassian.com/browse/SRCTREE-2511\u003e\nand GitHub for Mac.  Files might be left in an unencrypted state.\n\n\nGITATTRIBUTES FILE\n\nThe .gitattributes file is documented in the gitattributes(5) man page.\nThe file pattern format is the same as the one used by .gitignore,\nas documented in the gitignore(5) man page, with the exception that\nspecifying merely a directory (e.g. `/dir/`) is NOT sufficient to\nencrypt all files beneath it.\n\nAlso note that the pattern `dir/*` does not match files under\nsub-directories of dir/.  To encrypt an entire sub-tree dir/, use `dir/**`:\n\n\tdir/** filter=git-crypt diff=git-crypt\n\nThe .gitattributes file must not be encrypted, so make sure wildcards don't\nmatch it accidentally.  If necessary, you can exclude .gitattributes from\nencryption like this:\n\n\t.gitattributes !filter !diff\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAGWA%2Fgit-crypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAGWA%2Fgit-crypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAGWA%2Fgit-crypt/lists"}