1GIT-CRYPT(1) git-crypt GIT-CRYPT(1)
2
3
4
6 git-crypt - transparent file encryption in Git
7
9 git-crypt [OPTIONS] COMMAND [ARGS...]
10
12 git-crypt init
13
14 git-crypt status
15
16 git-crypt lock
17
19 git-crypt add-gpg-user GPG_USER_ID
20
21 git-crypt unlock
22
24 git-crypt export-key OUTPUT_KEY_FILE
25
26 git-crypt unlock KEY_FILE
27
29 git-crypt enables transparent encryption and decryption of files in a
30 git repository. Files which you choose to protect are encrypted when
31 committed, and decrypted when checked out. git-crypt lets you freely
32 share a repository containing a mix of public and private content.
33 git-crypt gracefully degrades, so developers without the secret key can
34 still clone and commit to a repository with encrypted files. This lets
35 you store your secret material (such as keys or passwords) in the same
36 repository as your code, without requiring you to lock down your entire
37 repository.
38
40 git-crypt is logically divided into several sub-commands which perform
41 distinct tasks. Each sub-command, and its arguments, are documented
42 below. Note that arguments and options to sub-commands must be
43 specified on the command line after the name of the sub-command.
44
45 init [OPTIONS]
46 Generate a key and prepare the current Git repository to use
47 git-crypt.
48
49 The following options are understood:
50
51 -k KEY_NAME, --key-name KEY_NAME
52 Initialize the given key instead of the default key. git-crypt
53 supports multiple keys per repository, allowing you to share
54 different files with different sets of collaborators.
55
56 status [OPTIONS]
57 Display a list of files in the repository, with their status
58 (encrypted or unencrypted).
59
60 The following options are understood:
61
62 -e
63 Show only encrypted files.
64
65 -u
66 Show only unencrypted files.
67
68 -f, --fix
69 Encrypt files that should be encrypted but were committed to
70 the repository or added to the index without encryption. (This
71 can happen if a file is added before git-crypt is initialized
72 or before the file is added to the gitattributes file.)
73
74 add-gpg-user [OPTIONS] GPG_USER_ID...
75 Add the users with the given GPG user IDs as collaborators.
76 Specifically, git-crypt uses gpg(1) to encrypt the shared symmetric
77 key to the public keys of each GPG user ID, and stores the
78 GPG-encrypted keys in the .git-crypt directory at the root of the
79 repository.
80
81 GPG_USER_ID can be a key ID, a full fingerprint, an email address,
82 or anything else that uniquely identifies a public key to GPG (see
83 "HOW TO SPECIFY A USER ID" in the gpg(1) man page).
84
85 The following options are understood:
86
87 -k KEY_NAME, --key-name KEY_NAME
88 Grant access to the given key, rather than the default key.
89
90 -n, --no-commit
91 Don't automatically commit the changes to the .git-crypt
92 directory.
93
94 --trusted
95 Assume that the GPG keys specified on the command line are
96 trusted; i.e. they actually belong to the users that they claim
97 to belong to.
98
99 Without this option, git-crypt uses the same trust model as
100 GPG, which is based on the Web of Trust by default. Under this
101 model, git-crypt will reject GPG keys that do not have trusted
102 signatures.
103
104 If you don't want to use the Web of Trust, you can either
105 change GPG's trust model by setting the trust-model option in
106 ~/.gnupg/gpg.conf (see gpg(1)), or use the --trusted option to
107 add-gpg-user on a case-by-case basis.
108
109 unlock [KEY_FILE...]
110 Decrypt the repository. If one or more key files are specified on
111 the command line, git-crypt attempts to decrypt using those shared
112 symmetric keys. If no key files are specified, git-crypt attempts
113 to decrypt using a GPG-encrypted key stored in the repository's
114 .git-crypt directory.
115
116 This command takes no options.
117
118 export-key [OPTIONS] FILENAME
119 Export the repository's shared symmetric key to the given file.
120
121 The following options are understood:
122
123 -k KEY_NAME, --key-name KEY_NAME
124 Export the given key, rather than the default key.
125
126 help [COMMAND]
127 Display help for the given COMMAND, or an overview of all commands
128 if no command is specified.
129
130 version
131 Print the currently-installed version of git-crypt. The format of
132 the output is always "git-crypt", followed by a space, followed by
133 the dotted version number.
134
136 First, you prepare a repository to use git-crypt by running git-crypt
137 init.
138
139 Then, you specify the files to encrypt by creating a gitattributes(5)
140 file. Each file which you want to encrypt should be assigned the
141 "filter=git-crypt diff=git-crypt" attributes. For example:
142
143 secretfile filter=git-crypt diff=git-crypt
144 *.key filter=git-crypt diff=git-crypt
145
146 Like a .gitignore file, .gitattributes files can match wildcards and
147 should be checked into the repository. Make sure you don't accidentally
148 encrypt the .gitattributes file itself (or other git files like
149 .gitignore or .gitmodules). Make sure your .gitattributes rules are in
150 place before you add sensitive files, or those files won't be
151 encrypted!
152
153 To share the repository with others (or with yourself) using GPG, run:
154
155 git-crypt add-gpg-user GPG_USER_ID
156
157 GPG_USER_ID can be a key ID, a full fingerprint, an email address, or
158 anything else that uniquely identifies a public key to GPG. Note:
159 git-crypt add-gpg-user will add and commit a GPG-encrypted key file in
160 the .git-crypt directory of the root of your repository.
161
162 Alternatively, you can export a symmetric secret key, which you must
163 securely convey to collaborators (GPG is not required, and no files are
164 added to your repository):
165
166 git-crypt export-key /path/to/key
167
168 After cloning a repository with encrypted files, unlock with with GPG:
169
170 git-crypt unlock
171
172 Or with a symmetric key:
173
174 git-crypt unlock /path/to/key
175
176 That's all you need to do - after git-crypt is set up (either with
177 git-crypt init or git-crypt unlock), you can use git normally -
178 encryption and decryption happen transparently.
179
181 The .gitattributes file is documented in gitattributes(5). The file
182 pattern format is the same as the one used by .gitignore, as documented
183 in gitignore(5), with the exception that specifying merely a directory
184 (e.g. "/dir/") is not sufficient to encrypt all files beneath it.
185
186 Also note that the pattern "dir/*" does not match files under
187 sub-directories of dir/. To encrypt an entire sub-tree dir/, place the
188 following in dir/.gitattributes:
189
190 * filter=git-crypt diff=git-crypt
191 .gitattributes !filter !diff
192
193 The second pattern is essential for ensuring that .gitattributes itself
194 is not encrypted.
195
197 In addition to the implicit default key, git-crypt supports alternative
198 keys which can be used to encrypt specific files and can be shared with
199 specific GPG users. This is useful if you want to grant different
200 collaborators access to different sets of files.
201
202 To generate an alternative key named KEYNAME, pass the -k KEYNAME
203 option to git-crypt init as follows:
204
205 git-crypt init -k KEYNAME
206
207 To encrypt a file with an alternative key, use the git-crypt-KEYNAME
208 filter in .gitattributes as follows:
209
210 secretfile filter=git-crypt-KEYNAME diff=git-crypt-KEYNAME
211
212 To export an alternative key or share it with a GPG user, pass the -k
213 KEYNAME option to git-crypt export-key or git-crypt add-gpg-user as
214 follows:
215
216 git-crypt export-key -k KEYNAME /path/to/keyfile
217 git-crypt add-gpg-user -k KEYNAME GPG_USER_ID
218
219 To unlock a repository with an alternative key, use git-crypt unlock
220 normally. git-crypt will automatically determine which key is being
221 used.
222
224 git(1), gitattributes(5), git-crypt home page[1], GitHub repository[2]
225
227 Andrew Ayer <agwa@andrewayer.name>
228
230 1. git-crypt home page
231 https://www.agwa.name/projects/git-crypt
232
233 2. GitHub repository
234 https://github.com/AGWA/git-crypt
235
236
237
238git-crypt 0.6.0 2017-11-26 GIT-CRYPT(1)