Home » Git » File encryption in Git Repository

File encryption in Git Repository

Posted by: admin November 15, 2021 Leave a comment

Questions:

Is there any way (in built or add-on) to encrypt individual files in a repository, accessible by limited people. Files when checked in by those folks will auto encrypt and decrypt when checked out. They will stay encrypted if tried to be accessed by other people.

Answers:

I know my answer is late but there is plenty of alternatives for storing secrets in git repos:

  1. Git-crypt
  2. BlackBox
  3. SOPS
  4. Transcrypt

Most of them use GNU Privacy Guard (GPG), symmetric key encryption, and/or cloud key services (SOPS). If you just want a simple encryption mechanism with password you can also take a look at ansible vault, which doesn’t require generating keys for each account.

###

Maybe Blackbox helps?

From their website (https://github.com/StackExchange/blackbox):

Safely store secrets in a VCS repo (i.e. Git, Mercurial, Subversion or
Perforce). These commands make it easy for you to Gnu Privacy Guard
(GPG) encrypt specific files in a repo so they are "encrypted at rest"
in your repository. However, the scripts make it easy to decrypt them
when you need to view or edit them, and decrypt them for use in
production. Originally written for Puppet, BlackBox now works with any
Git or Mercurial repository.

Rather than one GPG passphrase for all the files, each person with
access has their own GPG keys in the system. Any file can be decrypted
by anyone with their GPG key. This way, if one person leaves the
company, you don’t have to communicate a new password to everyone with
access. Simply disable the one key that should no longer have access.
The process for doing this is as easy as running 2 commands (1 to
disable their key, 1 to re-encrypt all files.)