Transparently encrypt files within a git repository.


Initialize an unconfigured repository

$ transcrypt

List the currently encrypted files

$ git ls-crypt

Display the credentials of a configured repository

$ transcrypt --display

Initialize and decrypt a fresh clone of a configured repository

$ transcrypt --cipher=[cipher]

Rekey to change the encryption cipher or password

$ transcrypt --rekey


transcrypt [options...]


transcrypt will configure a Git repository to support the transparent encryption/decryption of files by utilizing OpenSSL's symmetric cipher routines and Git's built-in clean/smudge filters. It will also add a Git alias "ls-crypt" to list all transparently encrypted files within the repository.

The transcrypt source code and full documentation may be downloaded from


-c, --cipher=cipher

the symmetric cipher to utilize for encryption; defaults to aes-256-cbc

-p, --password=password

the password to derive the key from; defaults to 30 random base64 characters

-y, --yes

assume yes and accept defaults for non-specified options

-d, --display

display the current repository's cipher and password

-r, --rekey

re-encrypt all encrypted files using new credentials

-f, --flush-credentials

remove the locally cached encryption credentials and re-encrypt any files that had been previously decrypted

-F, --force

ignore whether the git directory is clean, proceed with the possibility that uncommitted changes are overwritten

-u, --uninstall

remove all transcrypt configuration from the repository and leave files in the current working copy decrypted

-l, --list

list all of the transparently encrypted files in the repository, relative to the top-level directory

-s, --show-raw=file

show the raw file as stored in the git commit object; use this to check if files are encrypted as expected

-e, --export-gpg=recipient

export the repository's cipher and password to a file encrypted for a gpg recipient

-i, --import-gpg=file

import the password and cipher from a gpg encrypted file

-v, --version

print the version information

-h, --help

view this help message


To initialize a Git repository to support transparent encryption, just change into the repo and run the transcrypt script. transcrypt will prompt you interactively for all required information if the corresponding option flags were not given.

$ cd <path-to-your-repo>/
$ transcrypt

Once a repository has been configured with transcrypt, you can transparently encrypt files by applying the "crypt" filter and diff to a pattern in the top-level .gitattributes config. If that pattern matches a file in your repository, the file will be transparently encrypted once you stage and commit it:

$ echo 'sensitive_file  filter=crypt diff=crypt' >> .gitattributes
$ git add .gitattributes sensitive_file
$ git commit -m 'Add encrypted version of a sensitive file'

See the gitattributes(5) man page for more information.

If you have just cloned a repository containing files that are encrypted, you'll want to configure transcrypt with the same cipher and password as the origin repository. Once transcrypt has stored the matching credentials, it will force a checkout of any existing encrypted files in order to decrypt them.

If the origin repository has just rekeyed, all clones should flush their transcrypt credentials, fetch and merge the new encrypted files via Git, and then re-configure transcrypt with the new credentials.


enc(1), gitattributes(5)


Aaron Bull Schaefer <>

Copied to clipboard