<h1>Automated encryption and decryption in Git repositories</h1>
<p>Automated encryption and decryption in Git repositories is possible
because of filter drivers, which consist of a clean command and a smudge
command. The clean "command is used to convert the contents of worktree
file[s] upon checkin", in a similar way to how the smudge "command is fed the
blob object from its standard input, and its standard output is used to update
the worktree file." (The quotes are from gitattributes(5).)</p>
<p>This example repository uses OpenSSL and symmetric-key encryption, but
public-key encryption using GPG should also work, as stated <a href="http://stackoverflow.com/questions/1557183/is-it-possible-to-include-a-file-in-your-gitconfig/1558141#1558141">here</a>.</p>
<h2>Working with encrypted files in a repository</h2>
<p><strong>1)</strong> If one does not know the password to the encrypted files, the workflow is
the same as always: work on the unencrypted files and commit the changes, etc.</p>
<p><strong>2)</strong> This is not always the case, though. If you are one of the lucky ones and
know the password and the cipher, and want to read the encrypted content
(here, files ending with the extension ".enc"), the following commands will do
the job:</p>
<pre><code>git clone git://example.com/repository.git
cd repository
git config filter.crypt.clean "openssl CIPHER -a -nosalt -pass pass:PASSWORD"
git config filter.crypt.smudge "openssl CIPHER -a -nosalt -d -pass pass:PASSWORD"
git config diff.crypt.command PATH_TO_crypt_diff
echo '*.enc filter=crypt diff=crypt' &gt;&gt; .git/info/attributes
</code></pre>
<p>Finally, check out the files that you want to decrypt:</p>
<pre><code>git checkout -- FILE.enc FILE2.enc
</code></pre>
<p>and work on them as usual.</p>
<p><strong>Notice</strong> that you must replace CIPHER with the actual cipher that is used; in
this repository "example.enc" is encrypted using aes-256-cbc. The same goes for
PASSWORD, which is "writecode" in this case. PATH_TO_crypt_diff must also be
replaced with the path to the shell script crypt_diff, which is located
in this repository, in order to be able to view plaintext diffs between the
encrypted blob files and the plaintext worktree files.</p>
<p><strong>3)</strong> To encrypt new files, all you have to do is create them with the correct
file extension (unless a sole wildcard is used instead of "*.enc" in
.git/info/attributes) and later run <code>git add</code>. The same procedure is also used
when initializing a new repository, except that <code>git init</code> should be run before
the <code>git add</code> and that the first two steps of the process above (<code>git clone</code> and
<code>cd</code>) are skipped.</p>
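<p>The procedure from steps 2 and 3, run end to end in a throwaway repository. This is an added example, not code from this repository: the function name <code>crypt_demo</code>, the file name and the file contents are constructed, and the <code>diff.crypt.command</code> setting is left out because crypt_diff is not reproduced on this page.</p>

```shell
#!/bin/sh
# Added example: exercise the README's clean/smudge filter in a scratch repo.
# CIPHER and PASSWORD are the README's demo values; everything else is constructed.
CIPHER=aes-256-cbc
PASSWORD=writecode

crypt_demo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        git config user.name demo
        git config user.email demo@example.invalid
        # Filter setup exactly as in step 2, with CIPHER and PASSWORD filled in.
        git config filter.crypt.clean  "openssl $CIPHER -a -nosalt -pass pass:$PASSWORD"
        git config filter.crypt.smudge "openssl $CIPHER -a -nosalt -d -pass pass:$PASSWORD"
        echo '*.enc filter=crypt' >> .git/info/attributes

        echo 'constructed secret line' > notes.enc
        git add notes.enc
        git commit -q -m 'add encrypted file'

        # 1. The committed blob must not contain the plaintext.
        if git cat-file -p HEAD:notes.enc | grep -q 'constructed secret'; then
            echo 'FAIL: plaintext stored in blob'; exit 1
        fi
        # 2. Decrypting the blob by hand must reproduce the worktree file.
        git cat-file -p HEAD:notes.enc |
            openssl "$CIPHER" -a -nosalt -d -pass "pass:$PASSWORD" 2>/dev/null |
            cmp -s - notes.enc || { echo 'FAIL: round trip'; exit 1; }
        # 3. -nosalt makes the clean filter deterministic, so re-filtering an
        #    unchanged file yields the same blob and git reports no change.
        touch notes.enc
        [ -z "$(git status --porcelain)" ] || { echo 'FAIL: spurious change'; exit 1; }
        echo OK
    )
    rc=$?
    rm -rf "$repo"
    return $rc
}
# Usage: source this file, then run: crypt_demo
```

<p>The third check passes only because <code>-nosalt</code> makes the output deterministic, which also means identical files always encrypt to identical blobs. <code>git config</code> writes the password in clear text to <code>.git/config</code>, so that file needs the same protection as the password itself.</p>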
<h2>See also</h2>
<p><a href="http://www.kernel.org/pub/software/scm/git/docs/gitattributes.html">gitattributes(5)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&amp;apropos=0&amp;sektion=1&amp;manpath=OpenBSD+Current&amp;arch=i386&amp;format=html">openssl(1)</a></p>
<p><b><i>The README is from commit cc7ecf80efd236301219e5cb4d3b68322ccf7ffb.
For the latest version, check the Git repository.</i></b></p>