LinuxCommandLibrary

yadm-encrypt

Encrypt files managed by yadm

TLDR

Encrypt files listed in the designated encrypt file

$ yadm encrypt

Create the necessary files and folders for encryption

$ touch [path/to/encrypt_file] && mkdir [path/to/archive_folder]

SYNOPSIS

yadm encrypt [options] [-- files...]
yadm encrypt --status
yadm encrypt --rekey

PARAMETERS

--status
    Displays the encryption status of tracked files, indicating which files are encrypted and which are not.

--rekey
    Re-encrypts all files currently marked for encryption using the current encryption key or configuration. This is useful after key rotation or changes to encryption settings.

...
    Specifies one or more files or directories to mark for encryption. If no files are specified, yadm encrypt operates on the configured encryption manifest (e.g., .yadm/encrypt).

--remove
    Decrypts and removes the encryption designation for the specified files. The files will no longer be stored encrypted in the repository.

--gpg-recipient
    Specifies the GPG recipient ID to use when gpg is configured as the encryption backend. This ensures files are encrypted for the specified key.

--gpg-homedir
    Specifies an alternative GPG home directory for the encryption process, overriding the default.

--git-crypt-path
    Specifies the path to the git-crypt executable if it's not found in the system's PATH.

DESCRIPTION

yadm encrypt is a subcommand of yadm (Yet Another Dotfiles Manager) for protecting sensitive information within your dotfiles repository. It lets you designate specific files or directories to be encrypted, so that their content is stored in encrypted form within your Git repository and decrypted only upon checkout or access on a trusted machine.

This matters most for configuration files that contain API keys, passwords, or other confidential data, which would otherwise be exposed in plain text whenever the dotfiles repository is public or shared. yadm encrypt typically delegates the actual encryption and decryption to external tools such as git-crypt or GnuPG (GPG), integrating them into the yadm workflow. The encryption backend and its keys must be configured before this command can be used.

CAVEATS

Using yadm encrypt requires an external encryption tool (e.g., git-crypt or gpg) to be installed and properly configured within yadm via yadm config local.encryption.program.

Sensitive content should be encrypted before being added to the Git repository. If content is accidentally added unencrypted, it will remain in Git history unless history rewriting is performed.

Key and passphrase management for the chosen encryption backend is outside yadm's scope and must be handled securely by the user.

ENCRYPTION BACKEND CONFIGURATION

Before using yadm encrypt, you must configure the encryption program by setting local.encryption.program (e.g., to 'git-crypt' or 'gpg') using yadm config. Additional arguments for the chosen program can be set via local.encryption.args, and the encryption manifest file path can be configured with local.encrypt.file.

THE ENCRYPTION MANIFEST FILE

yadm encrypt typically uses a manifest file (by default .yadm/encrypt) to track which files or patterns are designated for encryption. This file behaves similarly to .gitignore but specifies files to be encrypted rather than ignored. You add patterns or file paths to this manifest to control what yadm encrypts.
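As an added example (not code from this page or from the yadm project), the following Python audit parses a manifest in the gitignore-like form described above and reports any path it lists that a `git ls-files`-style list shows Git tracking unencrypted, which is the accidental-plaintext case noted under CAVEATS. The manifest grammar, the sample manifest and the tracked-path list are all constructed assumptions, not yadm's documented syntax.

```python
"""Audit a yadm encrypt manifest against the paths Git tracks in plaintext."""
import fnmatch

# Constructed sample manifest in the gitignore-like style described above.
# Assumed grammar (not taken from yadm's documentation): one glob per line,
# '#' starts a comment, blank lines are ignored, a leading '!' excludes.
SAMPLE_MANIFEST = """\
# secrets that must only ever reach the repository encrypted
.ssh/id_*
.gnupg/**
.config/aws/credentials
!.ssh/id_*.pub
"""

# Constructed stand-in for `git ls-files` output: paths Git tracks as plaintext.
SAMPLE_TRACKED = [".bashrc", ".ssh/id_ed25519", ".ssh/id_ed25519.pub",
                  ".config/aws/credentials", ".config/yadm/encrypt"]


def parse_manifest(text):
    """Split the manifest into (include, exclude) glob pattern lists."""
    include, exclude = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            exclude.append(line[1:])
        else:
            include.append(line)
    return include, exclude


def plaintext_leaks(manifest, tracked):
    """Return tracked paths that the manifest says should be encrypted.

    Each hit is committed unencrypted and, as the caveat above notes, stays in
    Git history until that history is rewritten. fnmatch lets '*' cross '/'
    boundaries, so '.gnupg/**' covers everything beneath .gnupg/.
    """
    include, exclude = parse_manifest(manifest)
    return [
        path for path in tracked
        if not any(fnmatch.fnmatchcase(path, p) for p in exclude)
        and any(fnmatch.fnmatchcase(path, p) for p in include)
    ]


if __name__ == "__main__":
    for path in plaintext_leaks(SAMPLE_MANIFEST, SAMPLE_TRACKED):
        print(f"tracked in plaintext but listed for encryption: {path}")
```

Feed it the real manifest and the output of `git ls-files` from your yadm work tree to get the list of files that need `git rm --cached` plus a history rewrite before they can be considered protected.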

HISTORY

The encryption feature within yadm was introduced to address the critical need for securely managing sensitive data within dotfiles. Instead of reinventing cryptographic wheels, yadm was designed to integrate with robust, established encryption solutions like git-crypt and GnuPG. This approach allows yadm to focus on its core strength of dotfile management while providing a flexible and powerful mechanism for data protection, making it suitable for publicly shared dotfiles repositories.

SEE ALSO

yadm(1), git-crypt(1), gpg(1), git-add(1), git-status(1)
