Audience

  • Fluent with Linux CLI in general.
  • Fluent with git, not just as a user, but as a repo admin.
  • Familiar with the problem of secrets management in source control.
  • Familiar with git-crypt. Ideally, you have even already been bitten by its hard-to-use CLI.
  • Familiar with gpg.

Problem statement and context

Let’s assume you have :

  • A git repo
  • A small number of users contributing to this repo (let’s say no more than 5. Possibly even just yourself.)
    • That’s important, because keys need to be rotated every time you need to revoke access. We assume here that it’s a low enough frequency that it’s okay if that’s a pain.
  • Some long-lived secrets required with every clone, to be able to do whatever the git repo is for. This can for example be :
    • long-lived API keys, shared between the multiple users of the repo (if applicable)
    • configuration information, that you want to keep private while leaving the general repo public. A typical example would be for dotfiles repos.
  • Whatever those secrets are, you’re okay with them being stored in plaintext once a given repo instance has been set up.
  • You have some kind of shared secret store, that you can use to share a single key for the repo. Typically, a password manager.

In this kind of context, git-crypt is a pretty solid candidate.

Alternatives that may be worth considering in such a situation, but won’t be detailed any further in this post :

  • Not committing the secret at all, and requiring the user to inject it in some other way (environment variables, gitignored file, etc)
  • Deciding that your “secret” data isn’t secret after all, and just commit it directly
  • Putting the secret data into some other kind of referential (a separate git repo, an external secret store, a password manager, etc)
    • Note that all of those mean that you have to either lose or maintain manually versionning of secret changes. This may or may not be very hard, and may or may not be okay.
  • ansible-vault and other similar tools that commit data encrypted

I’m going to assume that you’ve decided that git-crypt is a nice fit for your use, and that you don’t want to use multiple keys on this repo, one is enough.

“Classic” git-crypt management with gpg

The “classic” way to manage the git-crypt repo key, is to rely on gpg :

  • The initial repo setup generates a symmetric repo key, which is used to encrypt/decrypt committed files
  • This repo key is stored in plaintext in .git/git-crypt/keys/default, for on-the-fly encryption/decryption of files at every commit/checkout
  • For each user that needs access, the repo key is also stored in .git-crypt/keys/default/, encrypted with the public gpg key of each user.
  • Whenever someone clones the repo, they need to “unlock” git-crypt, ie use their private gpg key to retrieve the repo key, and store it in .git/git-crypt/keys/default

That’s all nice and good if you’re in a context where people already rely on gpg. If not, each user has to :

  • Familiarize themselves with how gpg works (which is far from obvious when getting started)
  • Generate a keypair for themselves
  • Transmit the public key to someone who already has access to the repo key
  • Ask them to import your key on their machine, and commit the repokey encrypted with your public key, and push
  • Clone the repo including this change
  • Decrypt the repo key using their private gpg key

Even though git-crypt helps with many of those steps, even with a solid step-by-step documentation, this is a lot of hoops to go through. Especially considering that most users will only do this once, then forget about it, and are unlikely to be able to use their key material to recover access in the event of a machine change, etc (because that requires properly backing up their gpg key, etc)

We assumed that you had some kind of password manager (or other secret store) already available, with proper access control, and with which the users are already familiar, so let’s store the git-crypt key there instead.

gpg-less setup, with the repo key in your password manager

Below are instructions for each of the workflows required for this setup.

Everyday git use

Once set up, git-crypt is completely transparent (just like with gpg), so, aside from the occasional .gitattributes change (to change which files are to be encrypted), just use git normally.

Still, some noteworthy commands :

  • git crypt status : Shows which files are currently encrypted and/or supposed to be encrypted

Initial repo setup

  • git crypt init : generates a repo key, and stores it in .git/git-crypt/keys/default
  • cat .git/git-crypt/keys/default | base64 --wrap=0 : outputs the (base64-encoded) repo key
  • Save the repo key in your password manager
  • You’re good to go, you can now add stuff in your .gitattributes, commit encrypted files, etc

Unlocking git-crypt on a fresh clone

  • Clone the repository, cd into it
  • git crypt unlock <( echo "REPO_KEY_FROM_PASSWORD_MANAGER" | base64 --decode)
    • Note the initial whitespace in this command. It’s there on purpose, so that this command won’t be persisted in your shell history
  • You should be good, you can run git crypt status or cat path/to/encrypted/file to ensure that your local repo is in the expected state

Rotating the repo key

Rotating the repo key is the only way to revoke access to encrypted secrets.

It’s however a massive pain, so, if you’re considering using git-crypt, really make sure that you don’t need to do this too often.

Here goes the black magic :

  • Commit and merge any work in progress. Ideally, you should reach a point where there’s only a single main branch, across everyone’s copies of the repo
    • git-crypt doesn’t like you jumping around branches with files encrypted with different keys. Like, really not.
  • Make sure every instance of the repo (meaning, everyone) is on main, don’t have any other local branches, and are aware that they musn’t commit any change to the repo until you’re done with key rotation.
    • You have been warned
  • Make a local copy of the repo for backup purposes
  • Make sure every other instance of the repo is locked with git crypt lock
  • Ensure your local repository is unlocked (git crypt unlock), on main, and clean (git status)
  • rm .git/git-crypt/keys/default (delete the old repo key)
  • git crypt init (Generate a new repo key)
  • cat .git/git-crypt/keys/default | base64 --wrap=0 : outputs the (base64-encoded) repo key
    • Save the new repo key in your password manager
  • Delete all encrypted files from the git index, but not from the working directory
    • If none of your encrypted files path contain spaces, you can run git rm --cached $(git crypt status -e | colrm 1 14)
    • Otherwise, do it manually with git crypt status -e and git rm --cached
  • (optional) : If your repo was previously used with gpg, run rm -r .git-crypt to delete the encrypted versions of the old repo key
  • git add .
  • git status should now indicate changes on every encrypted file, but git diff should not see any difference.
  • git commit
  • git -c commit.verbose=false commit
    • NB : the -c commit.verbose=false is only required if you have configured this option yourself somewhere else (I have)
  • git push (You may want to make a merge request or something at this step)
  • Make that eveyone runs on every instance of the repo :
    • git crypt lock
    • git pull
    • unlock the repo with the procedure above
  • everything should be back to normal, now
  • (optional) : You should probably rotate the secrets in the repo, now. You have rotated the key with which they are encrypted in your repo, but people who previously had access to them may still have a copy of them. (Also, they’re still in the git history, encrypted with the former key)

Notes and references

  • This issue, and this script were the main inspirations
  • Instead of directly reading the key file with cat, we could use git crypt export-key -. However, it doesn’t work with git-crypt 0.6.0, which is the default version in Fedora 40 (as of 2024-06-11). Version 0.7.0 fixes this issue.