
Why I Chose Git-Crypt for My Sensitive Files

Published: at 10:00 AM (3 min read)


The Challenge

When managing projects with Git, I often deal with sensitive files:

The common solutions all had issues:

Why Git-Crypt Works for Me

Git-crypt solves these problems elegantly:

  1. Transparent Encryption

    • Files are automatically encrypted in commits
    • Decrypted when checked out
    • Work with files normally in your editor
    • No manual encryption steps
  2. Native Git Integration

    • Uses Git’s attribute system
    • Normal diff and merge operations
    • Complete history tracking
    • Standard Git workflow
  3. Selective Encryption

    • Encrypt specific files or patterns
    • Keep other files readable
    • Flexible configuration
    • Clear repository structure

Setting Up Git-Crypt

Here’s how I set it up for my projects:

  1. Installation

    # On Windows (with Scoop)
    scoop install git-crypt
    
    # On macOS
    brew install git-crypt
    
    # On Ubuntu
    sudo apt-get install git-crypt
    
  2. Repository Setup

    # Initialize git-crypt in your repository
    cd your-repo
    git-crypt init
    
    # Export the symmetric key (keep this safe! anyone holding it can decrypt
    # every encrypted file in the whole history)
    git-crypt export-key ~/git-crypt-key
    
    # Create .gitattributes file
    # (> replaces an existing .gitattributes; use >> on both lines to add to one)
    echo "*.secret filter=git-crypt diff=git-crypt" > .gitattributes
    echo "secretdir/** filter=git-crypt diff=git-crypt" >> .gitattributes
    
  3. File Organization

    your-repo/
    ├── .gitattributes     # Git-crypt configuration
    ├── config/
    │   ├── public.json    # Unencrypted
    │   └── secrets.json   # Encrypted
    └── secretdir/         # All files encrypted
       └── api-keys.txt
    
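A mistake that is easy to make at this step is a `.gitattributes` pattern that covers more or less than you think, and you only find out once a plaintext secret is in history. The following is an added example (my own code, not from the original post or from git-crypt) that applies the gitignore-style matching rules git uses for `.gitattributes` (`*`, `?`, `**`, anchored vs. unanchored patterns, last matching line wins) to a list of paths, so you can review what will be encrypted before committing. The sample `.gitattributes` and the file list are constructed from the layouts on this page.

```python
import re

# Constructed sample: the .gitattributes from the blog layout on this page.
SAMPLE_GITATTRIBUTES = """\
*.secret filter=git-crypt diff=git-crypt
deploy/secrets/** filter=git-crypt diff=git-crypt
"""

# Constructed sample paths, repo-relative as `git ls-files` prints them.
SAMPLE_PATHS = [
    ".gitattributes",
    "content/post.md",
    "config/public.json",
    "config/api.secret",
    "deploy/secrets/prod.env",
    "deploy/secrets/keys/ssh_deploy_key",
    "notes/api.secret.bak",
]


def glob_to_regex(pattern):
    """Translate one .gitattributes pattern into a regex over repo-relative paths.

    .gitattributes patterns follow gitignore rules: a pattern containing a slash
    is anchored to the directory holding the .gitattributes file (the repo root
    here); a pattern without a slash matches the basename at any depth.
    '**' crosses directory boundaries, '*' and '?' do not.
    """
    anchored = "/" in pattern
    pattern = pattern.lstrip("/")
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more leading directories
            i += 3
            continue
        if pattern.startswith("**", i):
            out.append(".*")         # anything, slashes included
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    prefix = "" if anchored else "(?:.*/)?"
    return re.compile(prefix + "".join(out))


def parse_gitattributes(text):
    """Return [(compiled pattern, [attribute tokens]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        rules.append((glob_to_regex(pattern), attrs))
    return rules


def filter_for(path, rules):
    """Value of the 'filter' attribute for path, or None if unset.

    Git evaluates matching lines top to bottom; the last one that sets or
    unsets the attribute wins, which is mirrored here.
    """
    value = None
    for regex, attrs in rules:
        if not regex.fullmatch(path):
            continue
        for attr in attrs:
            if attr.startswith("filter="):
                value = attr[len("filter="):]
            elif attr in ("-filter", "!filter"):
                value = None
    return value


def audit(paths, gitattributes_text):
    """Split paths into (encrypted by git-crypt, left as plaintext)."""
    rules = parse_gitattributes(gitattributes_text)
    encrypted, plaintext = [], []
    for p in paths:
        (encrypted if filter_for(p, rules) == "git-crypt" else plaintext).append(p)
    return encrypted, plaintext


def sanity_check(encrypted):
    """Warn if a rule would encrypt .gitattributes itself: Git has to read that
    file in plaintext to know which filter to apply, so it must never match."""
    return [f"{p} is matched by an encryption rule"
            for p in encrypted if p.rsplit("/", 1)[-1] == ".gitattributes"]


if __name__ == "__main__":
    enc, plain = audit(SAMPLE_PATHS, SAMPLE_GITATTRIBUTES)
    print("encrypted:", enc)
    print("plaintext:", plain)
    print("warnings:", sanity_check(enc))
```

Run it against `git ls-files` output for your repo and the real `.gitattributes`; note that `notes/api.secret.bak` stays plaintext because `*.secret` must match the whole basename, and that a catch-all like `* filter=git-crypt` would pull in `.gitattributes` itself, which the sanity check flags.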

Best Practices I’ve Learned

  1. Key Management

    • Store the key file securely (not in the repo!)
    • Keep offline backups of the key
    • Use a password manager for key storage
    • Document key recovery procedures
  2. File Selection

    • Only encrypt what’s necessary
    • Keep filenames descriptive but not revealing
    • Use consistent patterns in .gitattributes
    • Regular review of encrypted files
  3. Team Workflow

    • Clear documentation for new team members
    • Secure key sharing process
    • Regular key rotation schedule
    • Emergency revocation plan

Practical Tips

Things I wish I knew earlier:

  1. Backup Strategy

    # Create a backup of your key
    git-crypt export-key ~/backup/git-crypt-key-$(date +%Y%m%d)
    
    # Unlock on a new machine
    git-crypt unlock /path/to/key
    
  2. Verifying Encryption

    # List the files covered by .gitattributes (status warns if a matched file
    # was committed as plaintext)
    git-crypt status
    
    # Test encryption before pushing
    # (lock refuses to run with uncommitted changes; commit or stash them first)
    git-crypt lock
    cat config/secrets.json  # Should show encrypted content
    # After lock, the exported key must be supplied again unless a GPG user was added
    git-crypt unlock ~/git-crypt-key
    
  3. Common Issues

    • Always unlock before editing encrypted files
    • Commit .gitattributes before encrypted files
    • Don’t encrypt large binary files
    • Keep a copy of the key before testing
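The lock-and-`cat` check in the "Verifying Encryption" tip looks at the working tree, which in an unlocked checkout has already been decrypted by the smudge filter; what actually matters is whether the blob in the object store is ciphertext. As an added example (my own code, not from the original post or from git-crypt), the following reads committed blobs with `git cat-file blob`, which bypasses the filters, and recognises git-crypt output by its on-disk layout: a 10-byte `\0GITCRYPT\0` header, a 12-byte nonce, then the AES-256-CTR ciphertext. The sample blobs are constructed; the header layout is real, the nonce and payload bytes are made up.

```python
import subprocess

# git-crypt stores every encrypted file as: 10-byte magic header, 12-byte
# nonce, then ciphertext. The header is what distinguishes a ciphertext blob
# from a plaintext one that was committed before the filter applied.
GIT_CRYPT_HEADER = b"\x00GITCRYPT\x00"
NONCE_LEN = 12


def blob_is_encrypted(data):
    """True if data starts with the git-crypt header and carries a full nonce."""
    return (data.startswith(GIT_CRYPT_HEADER)
            and len(data) >= len(GIT_CRYPT_HEADER) + NONCE_LEN)


def committed_blob(path, rev="HEAD", repo="."):
    """Fetch the committed blob for path straight from the object store.

    `git cat-file blob REV:path` returns the stored bytes without running the
    clean/smudge filters, so this sees exactly what a clone receives.
    """
    result = subprocess.run(
        ["git", "-C", repo, "cat-file", "blob", f"{rev}:{path}"],
        check=True, capture_output=True)
    return result.stdout


def verify_committed(paths, rev="HEAD", repo="."):
    """Return {path: True/False} telling whether each committed blob is ciphertext."""
    return {p: blob_is_encrypted(committed_blob(p, rev, repo)) for p in paths}


# Constructed sample blobs (not real git-crypt output).
SAMPLE_ENCRYPTED = GIT_CRYPT_HEADER + bytes(range(12)) + b"\x9f\x3c\x41\x08\x77\xe2"
SAMPLE_PLAINTEXT = b'{"api_key": "placeholder-not-a-real-key"}\n'
# Header present but no full nonce: corrupt, not a well-formed git-crypt blob.
SAMPLE_TRUNCATED = GIT_CRYPT_HEADER + b"\x01\x02"


if __name__ == "__main__":
    for name, blob in (("encrypted", SAMPLE_ENCRYPTED),
                       ("plaintext", SAMPLE_PLAINTEXT),
                       ("truncated", SAMPLE_TRUNCATED)):
        print(f"{name}: {blob_is_encrypted(blob)}")
    # In a real repo: print(verify_committed(["config/api.secret"]))
```

A `False` for a path that should be encrypted means a plaintext blob is in history; rewriting history does not unpublish anything that was already pushed, so treat that secret as exposed and rotate it.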

Limitations to Consider

Git-crypt isn’t perfect for every situation:

  1. Not Suitable For

    • Large binary files
    • Frequently changing keys
    • Hiding file names
    • Git metadata encryption
  2. Security Considerations

    • File names remain visible
    • Commit messages are unencrypted
    • Branch names are visible
    • File sizes are known

Real-World Example

Here’s how I use it in my blog project:

blog/
├── .gitattributes
├── content/           # Public content
├── config/
│   ├── public.json   # Theme settings
│   └── api.secret    # API keys (encrypted)
└── deploy/
    └── secrets/      # All deployment secrets

.gitattributes configuration:

*.secret filter=git-crypt diff=git-crypt
deploy/secrets/** filter=git-crypt diff=git-crypt

Useful Resources

Final Thoughts

Git-crypt has become an indispensable part of my workflow. It lets me keep everything in Git while maintaining security. While the initial setup requires some effort, the peace of mind and convenience it brings are worth it.

If you’re looking for a way to version control sensitive files, give git-crypt a try.

