From 9ae52a7a89f7d8d9b94c37a3f97df049897aa873 Mon Sep 17 00:00:00 2001
From: je
This example repository uses OpenSSL and symmetric-key encryption, but public -key encryption, using GPG, should also work as stated here.
- -1) If one does not know the password to the encrypted files, the workflow is the same as always: work on the unencrypted files and commit the changes, etc.
-2) This is not always the case, though. If you are one of the lucky ones and -know the password and the cipher, and want to take part of the encrypted content -(here ending with the file extension ".enc"), the following commands will do -the job:
+2) This is not always the case, though. If you are one of the lucky ones +and know the password and the cipher, and want to take part of the encrypted +content (here ending with the file extension ".senc" (symmetric-key +encrypted)), the following commands will do the job:
git clone git://example.com/repository.git
cd repository
-git config filter.crypt.clean "openssl CIPHER -a -nosalt -pass pass:PASSWORD"
-git config filter.crypt.smudge "openssl CIPHER -a -nosalt -d -pass pass:PASSWORD"
-git config diff.crypt.command PATH_TO_crypt_diff
-echo '*.enc filter=crypt diff=crypt' >> .git/info/attributes
+git config filter.crypt_sym.clean "openssl CIPHER -a -nosalt -pass pass:PASSWORD"
+git config filter.crypt_sym.smudge "openssl CIPHER -a -nosalt -d -pass pass:PASSWORD"
+git config diff.crypt_sym.command PATH_TO_crypt_diff
+echo '*.senc filter=crypt_sym diff=crypt_sym' >> .git/info/attributes
Then finally checkout the files that you want to decrypt:
-git checkout -- FILE.enc FILE2.enc
+git checkout -- FILE.senc FILE2.senc
and work on them as usual.
Notice that you must replace CIPHER with the actual cipher that is used, in
-this repository "example.enc" is encrypted using aes-256-cbc. The same is with
+this repository "example.senc" is encrypted using aes-256-cbc. The same is with
the PASSWORD, where it is "writecode" in this case. Also PATH_TO_crypt_diff
must be replaced with the path to the shell script crypt_diff, that is located
in this repository, in order to be able to view plaintext diffs between the
encrypted blob files and the plaintext worktree files.
3) To encrypt new files, all you have to do is to create them with the correct
-file extension (if not a sole wildcard is used instead of "*.enc" in
+file extension (if not a sole wildcard is used instead of "*.senc" in
.git/info/attributes) and later run git add
. The same procedure is also used
when initializing a new repository, except that git init
should be run before
the git add
and that the two first steps are also skipped (git clone
and
cd
) in the process above.
+Working with GnuPG public-key encrypted files in a repository
+
+1) Same as in the previous subsection.
+
+2) Same as in the previous subsection, except that the lucky one, in this
+case, is having the private key corresponding to the public key NAME (remember to
+change it below). (Notice that the "-r" option can be given multiple times,
+which leads to broadcast encryption.) Changes made, in the above instructions,
+are presented below.
+
+git config filter.crypt_pub.clean "gpg -ea -q --batch --no-tty -r NAME"
+git config filter.crypt_pub.smudge "gpg -d -q --batch --no-tty"
+git config diff.crypt_pub.command PATH_TO_crypt_diff
+echo '*.penc filter=crypt_pub diff=crypt_pub' >> .git/info/attributes
+
+
+It is recommended to use a specific key pair only for this very repository and
+to make sure that it is passwordless as the process is supposed to be
+automatic.
+
+3) Same as in the previous subsection, except that the file extension for
+the encrypted files, in this example, is ".penc" (public-key encrypted) instead
+of ".senc".
+
+CAVEAT: Two GnuPG public-key encrypted versions of the same file are
+different (because of the randomly-generated session keys), which leads to the
+fact that Git will track these sort of "unreal changes" that usually occur when
+one reverts a change. This is not the case with OpenSSL symmetric-key
+encryption when salt is disabled.
+
See also
-
+gpg(1), openssl(1), gitattributes(5)
-The README is from commit cc7ecf80efd236301219e5cb4d3b68322ccf7ffb.
+
The README is from commit 96b05a8f09b64cde71d33fcea09b3c620383bec0.
For the latest version, check the Git repository.
In order to contact Je, add your message to the file CONTACT in the
Git repository on the mob branch which is