{"id":13623108,"url":"https://github.com/uw-labs/strongbox","last_synced_at":"2025-05-15T14:12:46.052Z","repository":{"id":44572494,"uuid":"89364740","full_name":"uw-labs/strongbox","owner":"uw-labs","description":"Encryption for Git users","archived":false,"fork":false,"pushed_at":"2025-03-13T01:43:33.000Z","size":1551,"stargazers_count":103,"open_issues_count":0,"forks_count":12,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-15T10:43:11.762Z","etag":null,"topics":["encryption","git","uw-owner-system"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/uw-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-04-25T13:37:35.000Z","updated_at":"2025-03-20T21:11:13.000Z","dependencies_parsed_at":"2023-09-23T17:03:23.483Z","dependency_job_id":"c82267fd-a575-49ae-b886-47b73c130412","html_url":"https://github.com/uw-labs/strongbox","commit_stats":null,"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uw-labs%2Fstrongbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uw-labs%2Fstrongbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uw-labs%2Fstrongbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uw-labs%2Fstrongbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/uw-labs","download_url":"https://codeload.gi
thub.com/uw-labs/strongbox/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254355397,"owners_count":22057356,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption","git","uw-owner-system"],"created_at":"2024-08-01T21:01:28.164Z","updated_at":"2025-05-15T14:12:46.018Z","avatar_url":"https://github.com/uw-labs.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"![Strongbox](strongbox-logo.png)\n\nEncryption for Git users.\n\nStrongbox makes it easy to encrypt and decrypt files stored in Git, with\nminimal divergence from a typical Git workflow. Once installed, Strongbox\nenables normal use of commands such as `git diff` etc. and all of the files\nthat should be encrypted in the repository remain decrypted on your working\ncopy.\n\nIt supports use of different keys per directory if wanted. 
It can cover as many\nor as few files as you wish based on\n[.gitattributes](https://www.git-scm.com/docs/gitattributes).\n\n## Installation\n\nYou can obtain a binary from https://github.com/uw-labs/strongbox/releases\n\nAlternatively, assuming you have a working [Go](https://golang.org) installation, you can\ninstall via the following command:\n\n```console\n$ go install github.com/uw-labs/strongbox/v2@v2.0.0\n```\n\n### Homebrew\n\nIf you're on macOS or Linux and have [Homebrew](https://brew.sh/) installed,\ngetting Strongbox is as simple as running:\n\n```console\n$ brew install uw-labs/tap/strongbox\n```\n\n## Usage\n\nStrongbox supports [age](https://github.com/FiloSottile/age) and\n[siv](https://pkg.go.dev/github.com/jacobsa/crypto/siv?utm_source=godoc)\nencryption. Age is the recommended option.\n\n| encryption | identity / keyring file | recipient / key file |\n| ---------- | ----------------------- | -------------------- |\n| age        | .strongbox_identity     | .strongbox_recipient |\n| siv        | .strongbox_keyring      | .strongbox-keyid     |\n\nIf both identity / key files are present in the same directory,\n`.strongbox_identity` (age) will be preferred.\n\n1. As a one-time action, install the plugin by running `strongbox -git-config`.\n   This will edit the global Git config to enable the Strongbox filter and diff\n   configuration.\n\n2. In each repository where you want to use Strongbox, create a `.gitattributes` file\n   containing the patterns to be managed by Strongbox.\n\n   For example:\n\n   ```\n   secrets/* filter=strongbox diff=strongbox merge=strongbox\n   ```\n\n3. Generate a key to use for the encryption, for example:\n   ```console\n   strongbox -gen-identity my-key\n   ```\n   This will generate a new [age](https://github.com/FiloSottile/age) keypair\n   and place it in `~/.strongbox_identity`. You can specify an alternative\n   location using the `-identity-file` flag or by setting the `$HOME` environment variable.\n\n4. 
Include a `.strongbox_recipient` file in your repository\n   (https://github.com/FiloSottile/age?tab=readme-ov-file#recipient-files).\n   This can be in the same directory as the protected resource(s) or any parent\n   directory. When searching for `.strongbox_recipient` for a given resource,\n   Strongbox will recurse up the directory structure until it finds the file.\n   This allows using different keys for different subdirectories within a\n   repository.\n\n5. If the Strongbox identity file is stored in a different location, `-identity-file`\n   can be used, i.e. `strongbox [-identity-file \u003cidentity_file_path\u003e]\n   -gen-identity key-name`\n\n## Existing project\n\nStrongbox uses [clean and smudge\nfilters](https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#filters_a)\nto encrypt and decrypt files.\n\nIf you are cloning a project that uses Strongbox, you will need to have the\nidentity in your Strongbox identity file prior to cloning (checkout). Otherwise\nthe filter will fail and not decrypt files on checkout.\n\nIf you already have the project locally and have added the identity, you can remove and\ncheck out the files to force the filter:\n\n```\nrm \u003cfiles\u003e \u0026\u0026 git checkout -- \u003cfiles\u003e\n```\n\n## Verification\n\nFollowing a `git add`, you can verify the file is encrypted in the index:\n\n```console\n$ git show :/path/to/file\n```\n\nVerify a file is encrypted in the commit:\n\n```console\n$ git show HEAD:/path/to/file\n```\n\nWhat you should see is a Strongbox encrypted resource, and this is what would\nbe pushed to the remote.\n\nCompare an entire branch (as it would appear on the remote) to master:\n\n```console\n$ git diff-index -p master\n```\n\n## Key rotation\n\nTo rotate keys, update the `.strongbox_recipient` with the new value, then\n`touch` all files/directories covered by `.gitattributes`. 
All affected files\nshould now show up as \"modified\".\n\n## Security\n\nStrongbox uses [age](https://github.com/FiloSottile/age) and SIV-AES as defined\nin RFC 5297.\n\n## Testing\n\nRun integration tests:\n\n```console\n$ make test\n```\n\n## SIV manual decryption\n\nThe following commands can be used to decrypt files outside of the Git flow:\n\n```console\n# decrypt using default keyring file `$HOME/.strongbox_keyring`\nstrongbox -decrypt -recursive \u003cpath\u003e\n\n# decrypt using `keyring_file_path`\nstrongbox -keyring \u003ckeyring_file_path\u003e -decrypt -recursive \u003cpath\u003e\n\n# decrypt using private key `\u003ckey\u003e`\nstrongbox -key \u003ckey\u003e -decrypt -recursive \u003cpath\u003e\n\n# decrypt single file with given key\nstrongbox -decrypt -key \u003ckey\u003e\n```\n\n## Known issues\n\n### Clone file ordering (SIV only)\n\nThis issue occurs when a `.strongbox-keyid` is in the root of the repository and an encrypted file\nin the same directory comes alphabetically before the key-id file.\n\nGit checks out files alphanumerically, so if the strongboxed file is being\nchecked out before the `.strongbox-keyid` is present on disk, strongbox will\nfail to find the decryption key.\n\nThe order of files being cloned is dictated by the index.\n\n#### Workarounds\n\n1. Clone the repository and let the decryption fail. Delete the encrypted files and do\n   `git checkout` on the deleted files.\n2. Move the affected files down to a subdirectory below the `.strongbox-keyid` file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuw-labs%2Fstrongbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fuw-labs%2Fstrongbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuw-labs%2Fstrongbox/lists"}