git-secret

git secret command [options]

git secret encrypts sensitive files for safe storage in Git repositories. Files are encrypted with GPG for specified recipients, allowing secrets to be version-controlled safely.The tool manages encryption, decryption, and recipient lists. Encrypted files (`.secret`) are tracked by Git while the original plaintext files are automatically added to `.gitignore`.

init

Initialize git-secret in repo.

Add a GPG key holder who can decrypt secrets. Use -m to use git config user.email.

Add a file to be encrypted. The plaintext file is automatically added to .gitignore.

Encrypt all added secret files. Use -m to delete plaintext after encrypting.

Decrypt all secret files. Use -p PASSWORD for non-interactive passphrase input.

Remove a file from the secret list.

List all secret files.

List users who have access to secrets.

Show diff between plaintext and decrypted version of a file.

Decrypt and print a single secret file to stdout.

Remove a person from the secret access list.

Display help information.

.gitsecret/

Directory storing git-secret configuration, key rings, and file mappings.

SECRETS_VERBOSE

Sets verbose flag to show additional output for all commands.

Sets an alternative to gpg (default: gpg).

Enables gpg --armor mode for ASCII-armored output.

Requires GPG. Recipients need GPG keys. This is a separate tool from gh secret (GitHub CLI secrets).

git secret was created to solve the problem of storing secrets in git repositories, using GPG encryption to protect sensitive configuration.

gpg(1), gh-secret(1), git(1)