Disclaimer
This note was written following this post. Treat it as a quick how-to guide for getting things going when you need to set up encrypted secrets in a shared (public or private) git repository.
Install git-crypt
On MacOS with brew you can do:
brew install git-crypt
On Linux use your distro's package manager.
Initialize a repo
Once the git repository exists (git init in a directory), inside that directory you need to run:
git-crypt init
Now you can create a secrets/ directory and then, in the root of the project, create a file .gitattributes with:
secrets/** filter=git-crypt diff=git-crypt
Test encryption
Add a dummy file like:
echo "Hola mundo" > secrets/test.txt
You can run git-crypt status to check which files are supposed to be encrypted and which are not.
Commit the dummy file and check that it is encrypted on the remote.
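The "check that it is encrypted" step is worth doing against the object git actually stored, not the working tree, because the working tree is always plaintext once the repo is unlocked. The script below is an added example, not part of the original note: it repeats the steps above in a temporary repository (paths and the commit identity are assumed) and then reads the committed blob with git cat-file, which bypasses the smudge filter, and checks for the 10-byte magic header "\0GITCRYPT\0" that git-crypt writes at the start of every encrypted blob. The header check itself needs only od, so it also works on a file fetched from the remote.

```shell
#!/bin/sh
# Added example (not from the original note). Requires git; the demo part
# additionally requires git-crypt and skips itself if it is not installed.

# Hex of the first 10 bytes read from stdin, e.g. "486f6c61206d756e646f".
first10_hex() { od -An -tx1 -N10 | tr -d ' \n'; }

# git-crypt encrypted blobs start with NUL "GITCRYPT" NUL.
GIT_CRYPT_MAGIC=00474954435259505400

# Returns 0 if the file $1 carries the git-crypt header.
is_git_crypt_blob() { [ "$(first10_hex < "$1")" = "$GIT_CRYPT_MAGIC" ]; }

# Returns 0 if the version of path $2 committed at HEAD in repo $1 is encrypted.
# cat-file prints the raw object, so the smudge filter cannot hide a plaintext
# blob that was staged before .gitattributes matched it.
committed_is_encrypted() {
    [ "$(git -C "$1" cat-file blob "HEAD:$2" | first10_hex)" = "$GIT_CRYPT_MAGIC" ]
}

# Walk through the note's steps in a throwaway repository and verify the result.
demo() {
    command -v git >/dev/null 2>&1 || { echo "git not installed; skipping demo"; return 0; }
    command -v git-crypt >/dev/null 2>&1 || { echo "git-crypt not installed; skipping demo"; return 0; }
    repo=$(mktemp -d)
    # Assumed identity so that commit works in a fresh environment.
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

    git -C "$repo" init -q
    ( cd "$repo" && git-crypt init )                       # Initialize a repo
    mkdir "$repo/secrets"
    printf 'secrets/** filter=git-crypt diff=git-crypt\n' > "$repo/.gitattributes"
    git -C "$repo" add .gitattributes                      # attributes first, so the clean filter applies
    echo "Hola mundo" > "$repo/secrets/test.txt"           # Test encryption
    git -C "$repo" add secrets/test.txt
    git -C "$repo" commit -q -m "add test secret"
    ( cd "$repo" && git-crypt status secrets/test.txt )    # should print: encrypted: secrets/test.txt

    if committed_is_encrypted "$repo" secrets/test.txt; then
        echo "OK: committed blob of secrets/test.txt is git-crypt encrypted"
    else
        echo "NOT encrypted: the file was probably staged before .gitattributes matched it" >&2
        return 1
    fi
}

demo
```

If the check fails for a file that git-crypt status lists as encrypted, the plaintext is already in history: re-committing the file only fixes the new version, and the old commit has to be rewritten or the secret rotated.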
Lock / Unlock
The first time you pull the repository the files will be locked, so you will have to run git-crypt unlock; assuming your gpg key was added to the trusted keys, the files will be unlocked.
If at some point you want the files encrypted again locally, you can run git-crypt lock.
Allow users to read the secrets
In order to share the secrets with other users you need to add their gpg key as trusted in the repository.
- Add their keys to your keyring
Get their public gpg key somehow and then import it into gpg:
gpg --import /path/to/public-key.asc
- Add their key as trusted in the repository
git-crypt add-gpg-user --trusted KEY_ID