Transparently encrypt files within a git repository.
Initialize an unconfigured repository
List the currently encrypted files
Display the credentials of a configured repository
Initialize and decrypt a fresh clone of a configured repository
Rekey to change the encryption cipher or password
transcrypt will configure a Git repository to support the transparent encryption/decryption of files by utilizing OpenSSL's symmetric cipher routines and Git's built-in clean/smudge filters. It will also add a Git alias "ls-crypt" to list all transparently encrypted files within the repository.
The transcrypt source code and full documentation may be downloaded from https://github.com/elasticdog/transcrypt.
- -c, --cipher=cipher
the symmetric cipher to utilize for encryption; defaults to aes-256-cbc
- -p, --password=password
the password to derive the key from; defaults to 30 random base64 characters
- -y, --yes
assume yes and accept defaults for non-specified options
- -d, --display
display the current repository's cipher and password
- -r, --rekey
re-encrypt all encrypted files using new credentials
- -f, --flush-credentials
remove the locally cached encryption credentials and re-encrypt any files that had been previously decrypted
- -F, --force
ignore whether the git directory is clean, proceed with the possibility that uncommitted changes are overwritten
- -u, --uninstall
remove all transcrypt configuration from the repository and leave files in the current working copy decrypted
- -l, --list
list all of the transparently encrypted files in the repository, relative to the top-level directory
- -s, --show-raw=file
show the raw file as stored in the git commit object; use this to check if files are encrypted as expected
- -e, --export-gpg=recipient
export the repository's cipher and password to a file encrypted for a gpg recipient
- -i, --import-gpg=file
import the password and cipher from a gpg encrypted file
- -v, --version
print the version information
- -h, --help
view this help message
To initialize a Git repository to support transparent encryption, just change into the repo and run the transcrypt script. transcrypt will prompt you interactively for all required information if the corresponding option flags were not given.
$ cd <path-to-your-repo>/ $ transcrypt
Once a repository has been configured with transcrypt, you can transparently encrypt files by applying the "crypt" filter and diff to a pattern in the top-level .gitattributes config. If that pattern matches a file in your repository, the file will be transparently encrypted once you stage and commit it:
$ echo 'sensitive_file filter=crypt diff=crypt' >> .gitattributes $ git add .gitattributes sensitive_file $ git commit -m 'Add encrypted version of a sensitive file'
See the gitattributes(5) man page for more information.
If you have just cloned a repository containing files that are encrypted, you'll want to configure transcrypt with the same cipher and password as the origin repository. Once transcrypt has stored the matching credentials, it will force a checkout of any existing encrypted files in order to decrypt them.
If the origin repository has just rekeyed, all clones should flush their transcrypt credentials, fetch and merge the new encrypted files via Git, and then re-configure transcrypt with the new credentials.
Aaron Bull Schaefer <firstname.lastname@example.org>