digi-lab-io/git-crypt-guide

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

9 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

title markmap
digi-lab.io | Git Crypt Guide v1.3.0
colorFreezeLevel initialExpandLevel maxWidth activeNode
2
2
300
placement
center

digi-lab.io | Git Crypt Guide v1.3.1

A comprehensive guide for implementing Git-Crypt with GPG encryption for secure repository management.

Table of Contents

🚀 Quick Start (For the Impatient)

📚 Complete Guide

What is Git-Crypt?

Git-Crypt enables transparent encryption and decryption of files in a Git repository. Files you mark in .gitattributes are encrypted with a repository-wide symmetric key as they are committed and decrypted on checkout once the repository is unlocked; GPG is used to wrap that symmetric key for each collaborator, so granting access means encrypting the repository key to a teammate's GPG public key. It allows you to:

  • 🔐 Encrypt sensitive files automatically during commits
  • 🔓 Decrypt files transparently when authorized
  • 👥 Share repositories with encrypted secrets
  • 🔑 Manage access using GPG keys

It does not hide file names, directory layout, commit messages or history, and a file committed before its pattern was added remains in plaintext in every earlier commit.

Prerequisites

Before starting, ensure you have:

  • Git installed and configured
  • Basic understanding of Git workflows
  • Administrative access to install software
  • Team members' GPG public keys (for collaboration)

What is GPG?

GNU Privacy Guard (GPG) is a free implementation of the OpenPGP standard that allows you to encrypt and sign your data and communications. GPG is widely used for:

  • 🔐 File encryption and decryption
  • ✍️ Digital signatures for authenticity
  • 🔑 Key management for secure communications
  • 🛡️ Git commit signing for code integrity

Workflow Overview

flowchart TD
    A[📋 Prerequisites Check] --> B{GPG Installed?}
    B -->|No| C[🔧 Install GPG]
    B -->|Yes| D{GPG Key Exists?}
    C --> D
    D -->|No| E[🔑 Generate GPG Key]
    D -->|Yes| F[📤 Export Public Key]
    E --> G[✅ Verify Key Creation]
    G --> F
    F --> H[📁 Setup Git Repository]
    H --> I[🔒 Install git-crypt]
    I --> J[⚙️ Initialize git-crypt]
    J --> K[👤 Add GPG User]
    K --> L[📝 Configure .gitattributes]
    L --> M[💾 Commit Configuration]
    M --> N[🔐 Add Encrypted Files]
    N --> O[✨ Ready for Team Collaboration]
    
    style A fill:#e1f5fe
    style E fill:#fff3e0
    style J fill:#f3e5f5
    style O fill:#e8f5e8
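The last steps of the flowchart (configure .gitattributes, commit it, add encrypted files) are where git-crypt deployments usually go wrong: a pattern that does not match the path you expect, a secret committed before its rule existed, or a rule removed while encrypted blobs remain. `git-crypt status` reports this where git-crypt is installed; the Python below, added here as an example and not code from the guide or from git-crypt, performs the same check offline on stored blob contents so it can run in CI or a pre-receive hook. It applies the gitattributes(5) pattern rules (last match wins, a single `*` stops at `/`, `dir/**` is needed to cover a directory) and tests each covered blob for the `\0GITCRYPT\0` marker that git-crypt writes at the start of every encrypted file. The .gitattributes text, paths and blob bytes are constructed for the example; character classes in patterns are not handled.

```python
"""Check git-crypt coverage against the blobs Git actually stores (added example)."""
import re

GITCRYPT_HEADER = b"\x00GITCRYPT\x00"   # first 10 bytes of every git-crypt encrypted blob


def pattern_to_regex(pattern):
    """gitattributes(5) pattern -> regex: gitignore syntax without negation or classes."""
    anchored = "/" in pattern.rstrip("/")      # a slash anywhere but the end anchors to the root
    pat, out, i = pattern.lstrip("/"), [], 0
    while i < len(pat):
        if pat.startswith("**/", i):           # zero or more leading directories
            out.append("(?:.*/)?")
            i += 3
        elif pat.startswith("**", i):          # "**" elsewhere also crosses "/"
            out.append(".*")
            i += 2
        elif pat[i] == "*":                    # a single "*" never crosses "/"
            out.append("[^/]*")
            i += 1
        elif pat[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pat[i]))
            i += 1
    prefix = "" if anchored else "(?:.*/)?"    # unanchored: match the basename at any depth
    return re.compile("^" + prefix + "".join(out) + "$")


def git_crypt_rules(attributes_text):
    """(regex, applies) for each line that sets, changes or unsets the filter attribute."""
    rules = []
    for raw in attributes_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        value = None
        for attr in attrs:
            if attr.startswith("filter="):
                value = attr[len("filter="):]
            elif attr in ("-filter", "!filter"):
                value = ""
        if value is not None:
            rules.append((pattern_to_regex(pattern), value == "git-crypt"))
    return rules


def is_covered(path, rules):
    """Last matching rule wins, as in git check-attr."""
    covered = False
    for regex, applies in rules:
        if regex.match(path):
            covered = applies
    return covered


def audit(attributes_text, tree):
    """tree: repo path -> bytes as stored in Git (git cat-file blob), not the unlocked checkout."""
    rules = git_crypt_rules(attributes_text)
    problems = []
    for path in sorted(tree):
        covered = is_covered(path, rules)
        encrypted = tree[path].startswith(GITCRYPT_HEADER)
        if path == ".gitattributes" and covered:
            problems.append((path, "matched by its own rule; a locked clone cannot read attributes"))
        elif covered and not encrypted:
            problems.append((path, "plaintext blob although filter=git-crypt applies"))
        elif encrypted and not covered:
            problems.append((path, "git-crypt blob with no matching rule; checkout cannot decrypt it"))
    return problems


# Constructed sample .gitattributes, as written in the flowchart's "Configure .gitattributes" step.
SAMPLE_ATTRIBUTES = """\
secrets/** filter=git-crypt diff=git-crypt
*.pem filter=git-crypt diff=git-crypt
config/*.env filter=git-crypt diff=git-crypt
"""
ENC = GITCRYPT_HEADER + bytes(range(32))   # stand-in for git-crypt ciphertext (constructed)

# Constructed stored-blob contents keyed by repository path.
SAMPLE_TREE = {
    ".gitattributes": SAMPLE_ATTRIBUTES.encode(),
    "README.md": b"# demo\n",
    "secrets/db.yaml": ENC,
    "secrets/nested/api.json": b'{"token": "plaintext"}\n',   # committed before the rule existed
    "deploy/tls.pem": ENC,
    "config/prod.env": b"DB_PASSWORD=plaintext\n",           # rule added, file never re-committed
    "config/staging/dev.env": b"DB_PASSWORD=plaintext\n",    # sensitive, but "config/*.env" stops at "/"
    "legacy/old.bin": ENC,                                   # rule removed while the blob stayed encrypted
}

if __name__ == "__main__":
    for path, why in audit(SAMPLE_ATTRIBUTES, SAMPLE_TREE):
        print(f"{path}: {why}")
```

In a real repository build `tree` from `git ls-files` and `git cat-file blob HEAD:<path>`: after `git-crypt unlock` the working tree shows decrypted content, so the check must read stored objects, not checked-out files.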

Installation

Windows

Linux

# Debian/Ubuntu
sudo apt-get install gnupg

# RHEL/Fedora
sudo dnf install gnupg2

# Arch Linux
sudo pacman -S gnupg

macOS

# Homebrew
brew install gnupg

# MacPorts
sudo port install gnupg2

Creating GPG Keys

⚠️ Important: One-Time Setup
Creating a GPG key establishes your cryptographic identity: its fingerprint is what teammates and services (including git-crypt) pin. Several settings can be changed afterwards without a new key: you can extend the expiration date, add or revoke subkeys and add user IDs. What cannot change is the primary key's algorithm and size, so choose those carefully; replacing the primary key means redistributing the new public key to every contact and service and being re-added to any git-crypt repository.

🤖 Automated Key Generation (Batch Mode)

Batch mode creates a key non-interactively while still collecting the passphrase through the usual pinentry dialog, which suits scripted setups:

gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Your Name
Name-Email: [email protected]
Expire-Date: 2y
Key-Usage: sign
Subkey-Usage: encrypt
%ask-passphrase
%commit
EOF

Note: The %ask-passphrase directive will prompt you to enter a passphrase securely during key generation. Key-Length is 4096 because GnuPG caps RSA generation at 4096 bits; a larger request is reduced with a "keysize too large" warning unless the binary has large-secmem support and --enable-large-rsa is given. The encryption subkey is the one git-crypt uses when it wraps the repository key for you.

✅ Verify Key Creation

After creating your key, verify it was generated successfully:

# List all keys
gpg --list-keys

# List secret keys
gpg --list-secret-keys

# Show key details
gpg --list-keys --keyid-format LONG [email protected]
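`gpg --list-keys` confirms that a key exists, but before handing a key to `git-crypt add-gpg-user` you want to know that it is unexpired, long enough, and able to encrypt. The Python below, an example added to the guide rather than GnuPG or git-crypt code, parses the machine-readable `gpg --list-keys --with-colons` output (GnuPG's documented colon format: field 1 record type, 3 key length, 4 algorithm id, 5 key id, 7 expiry as epoch seconds or empty, 12 capabilities with lowercase for the key itself and uppercase for the whole key) and flags keys that fail those checks. The SAMPLE_OUTPUT records, fingerprints and user IDs are constructed, not taken from a real keyring; when gpg is installed the script reads your actual keyring instead.

```python
"""Flag GPG keys that are unfit for git-crypt from `gpg --list-keys --with-colons` (added example)."""
import subprocess
import time

ALGORITHMS = {1: "RSA", 16: "ELG", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MIN_RSA_BITS = 3072   # GnuPG's current default size; the guide's 4096 is above it

# Constructed colon-format output: a healthy RSA-4096 key with an encryption
# subkey, and an expired 2048-bit key that has no encryption capability at all.
SAMPLE_OUTPUT = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:89ABCDEF01234567:1700000000:1763072000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000001::Your Name <you@example.com>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1700000000:1763072000:::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:e:2048:1:FEDCBA9876543210:1500000000:1563072000::-:::scSC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:e::::1500000000::0000000000000000000000000000000000000002::Old Key <old@example.com>::::::::::0:
"""


def _key_record(f):
    return {
        "keyid": f[4],
        "bits": int(f[2]),
        "algo": ALGORITHMS.get(int(f[3]), "algo-" + f[3]),
        "created": int(f[5]),
        "expires": int(f[6]) if f[6] else None,   # empty field = never expires
        "caps": f[11],
        "fpr": None,
    }


def parse_keys(output):
    """Group pub/fpr/uid/sub records into one dict per primary key."""
    keys, current, awaiting_fpr = [], None, None
    for line in output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = _key_record(f)
            current["uids"], current["subkeys"] = [], []
            keys.append(current)
            awaiting_fpr = current
        elif f[0] == "sub" and current is not None:
            sub = _key_record(f)
            current["subkeys"].append(sub)
            awaiting_fpr = sub
        elif f[0] == "fpr" and awaiting_fpr is not None:
            awaiting_fpr["fpr"] = f[9]   # the fpr record follows the key it describes
            awaiting_fpr = None
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def check_key(key, now_epoch, warn_days=30):
    """Reasons this primary key should not be given to git-crypt add-gpg-user (empty = fine)."""
    problems = []
    if key["expires"] is None:
        problems.append("no expiration date")
    elif key["expires"] <= now_epoch:
        problems.append("expired")
    elif key["expires"] - now_epoch <= warn_days * 86400:
        problems.append(f"expires within {warn_days} days")
    if key["algo"] == "RSA" and key["bits"] < MIN_RSA_BITS:
        problems.append(f"RSA key shorter than {MIN_RSA_BITS} bits")
    # git-crypt wraps the repository key with gpg --encrypt, so the key or one of its
    # subkeys must be usable for encryption: an uppercase E in the pub capabilities.
    if "E" not in key["caps"]:
        problems.append("no usable encryption capability")
    return problems


def audit(output, now_epoch=None):
    """Map each primary fingerprint to its list of problems."""
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    return {k["fpr"]: check_key(k, now_epoch) for k in parse_keys(output)}


if __name__ == "__main__":
    try:
        listing = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                                 capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE_OUTPUT   # no gpg available: run on the constructed sample
    for fpr, problems in audit(listing).items():
        print(fpr, "OK" if not problems else "; ".join(problems))
```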

Managing Existing Keys

📥 Importing Keys

From WSL to Windows

If you have GPG keys on WSL and want to use them on Windows:

  1. Export from WSL:

    # Export public key
    gpg --armor --export [email protected] > your-public-key.asc
    
    # Export private key
    gpg --armor --export-secret-keys [email protected] > your-private-key.asc
  2. Copy to Windows: Access WSL files at \\wsl$\<distro>\home\<username>\

  3. Import on Windows:

    # Import private key (includes public key)
    gpg --import your-private-key.asc
    
    # Verify import
    gpg --list-keys
    gpg --list-secret-keys
  4. Clean up: the exported private key is protected only by its passphrase, so delete your-private-key.asc from both the WSL home directory and the Windows copy once the import has been verified.

From Files

# Import public key
gpg --import public-key.asc

# Import private key
gpg --import private-key.asc

# Import from keyserver
gpg --keyserver hkps://keys.openpgp.org --recv-keys KEYID

Trust Imported Keys

GPG will not encrypt to a key it does not consider valid; in batch mode, which is how git-crypt add-gpg-user invokes gpg, the operation fails with "Unusable public key" instead of asking. Setting ownertrust is the usual way to make an imported key valid:

gpg --edit-key [email protected]
# In GPG prompt:
# gpg> trust
# Select trust level (5 = ultimate; reserve this for your own keys)
# gpg> quit

For a teammate's key, first compare the fingerprint (gpg --fingerprint) with the owner over an independent channel, then sign it locally (lsign in the same prompt) or assign a lower trust level; giving ultimate trust to keys you do not control defeats the purpose of verification. git-crypt add-gpg-user --trusted skips the validity check entirely and should only be used after the same out-of-band fingerprint comparison.

Key Operations

📤 Exporting Keys

Public Key Export

# ASCII armored format (recommended for sharing)
gpg --armor --export [email protected] > your-public-key.asc

# Binary format
gpg --export [email protected] > your-public-key.gpg

# To a directory committed alongside the repository so teammates can import it
# (a team convention; git-crypt itself reads keys from your GnuPG keyring)
gpg --armor --export [email protected] > .keys/your-public-key.asc

Private Key Export (Backup)

# ASCII armored format
gpg --armor --export-secret-keys [email protected] > your-private-key.asc

# To secure backup location
gpg --armor --export-secret-keys [email protected] > /secure/backup/your-private-key.asc

⚠️ Security Warning: The exported file is protected only by the key's passphrase. Keep it in encrypted, offline storage, delete the plaintext export once it has been copied, and for machines that only need to decrypt or sign consider exporting the subkeys alone (--export-secret-subkeys) so the primary key stays offline.

πŸ—‘οΈ Removing Keys

Interactive Removal

# Remove private key first (if removing both)
gpg --delete-secret-key [email protected]

# Remove public key
gpg --delete-key [email protected]

Automated Removal Script

Create a script for batch removal:

#!/bin/bash
# Remove the secret and public key material for an e-mail address.
# Keys are resolved to primary-key fingerprints first: in --batch mode GnuPG
# only deletes secret keys that are addressed by fingerprint, and matching on
# the e-mail alone could pick up someone else's key carrying the same user ID.
set -euo pipefail

EMAIL="${1:-your.email@domain.com}"

echo "Removing GPG keys for: $EMAIL"

# Print primary-key fingerprints only (the fpr record directly after pub/sec);
# subkey fingerprints are skipped so a subkey is never deleted on its own.
primary_fprs() {
    gpg --list-"$1" --with-colons --with-fingerprint "$EMAIL" 2>/dev/null \
        | awk -F: '$1=="pub"||$1=="sec"{want=1;next} $1=="fpr"&&want{print $10;want=0}'
}

# Remove secret keys first: gpg refuses to delete a public key while its
# secret part still exists.
if fprs=$(primary_fprs secret-keys) && [ -n "$fprs" ]; then
    for fpr in $fprs; do
        echo "Removing private key $fpr..."
        gpg --batch --yes --delete-secret-keys "$fpr"
    done
else
    echo "No private key found for $EMAIL"
fi

if fprs=$(primary_fprs keys) && [ -n "$fprs" ]; then
    for fpr in $fprs; do
        echo "Removing public key $fpr..."
        gpg --batch --yes --delete-keys "$fpr"
    done
else
    echo "No public key found for $EMAIL"
fi

echo "GPG key removal completed for $EMAIL"

Save as remove-gpg-keys.sh, make executable, and run:

chmod +x remove-gpg-keys.sh
./remove-gpg-keys.sh [email protected]

πŸ” Key Information

# List all keys
gpg --list-keys

# List secret keys only
gpg --list-secret-keys

# Show key fingerprints
gpg --fingerprint

# Show key details with long format
gpg --list-keys --keyid-format LONG

# Show specific key information
gpg --list-keys [email protected]

πŸ” Encryption & Signing

# Encrypt a file
gpg --encrypt --armor --recipient [email protected] file.txt

# Sign a file
gpg --sign --armor file.txt

# Sign and encrypt
gpg --sign --encrypt --armor --recipient [email protected] file.txt

# Decrypt a file
gpg --decrypt file.txt.asc

# Verify a signature
gpg --verify file.txt.asc

Best Practices

🔒 Security Recommendations

  1. Key Strength:

    • Use 4096-bit RSA (GnuPG's current default of 3072 bits is the floor), or Ed25519/Cv25519 keys on GnuPG 2.1 or later
    • Set expiration dates (1-2 years recommended); the date can be extended later without replacing the key
    • Use strong passphrases

    Key Length Trade-offs:

    • 3072-bit: GnuPG's default; adequate under current guidance
    • 4096-bit: Good balance of security and performance (widely supported)
    • 8192-bit: No meaningful security gain over 4096, slower operations and larger signatures; gpg reduces the request to 4096 bits with a "keysize too large" warning unless built with large-secmem support and run with --enable-large-rsa
    • 16384-bit: Cannot be generated by gpg (8192 is the cap even with --enable-large-rsa)
  2. Key Management:

    • Backup private keys securely
    • Store backups in multiple secure locations
    • Extend or renew keys before they expire; rotate them when the key material or the machine holding it may have been exposed
  3. Operational Security:

    • Never share private keys
    • Use separate keys for different purposes
    • Revoke compromised keys immediately and distribute the revocation certificate
    • For git-crypt, revocation alone does not withdraw access: a collaborator who has unlocked the repository already holds its symmetric key, and git-crypt does not currently support removing a user. Generate a new repository key, re-encrypt the protected files, and rotate the secrets themselves.

📋 Key Naming Conventions

# Descriptive naming for multiple keys
Name-Real: John Doe (Work)
Name-Email: [email protected]

Name-Real: John Doe (Personal)
Name-Email: [email protected]

🔄 Key Lifecycle Management

  1. Creation: Generate with appropriate security parameters
  2. Distribution: Share public keys securely
  3. Usage: Regular encryption/signing operations
  4. Renewal: Update before expiration
  5. Revocation: Revoke if compromised
  6. Backup: Maintain secure backups

Secret Scanning

Before implementing git-crypt, it's important to scan your repository for existing secrets that may have been accidentally committed.

πŸ“– For comprehensive secret scanning guidance, see our dedicated guide: πŸ‘‰ Secret Scanning with Trivy

This guide covers:

  • 🔍 Installing and configuring Trivy
  • 🕵️ Advanced scanning techniques
  • 🧹 Pre-commit integration
  • 🔧 Remediation workflows
  • 📊 Reporting and monitoring
  • 💡 Best practices for teams

Troubleshooting

πŸ› Common Issues

"gpg: command not found"

# Check installation
which gpg
gpg --version

# Install if missing (see Installation section)

"gpg: decryption failed: No secret key"

# Check if you have the required private key
gpg --list-secret-keys

# Import missing private key
gpg --import your-private-key.asc

"gpg: can't connect to gpg-agent"

# Ask a running agent to re-read its configuration
gpg-connect-agent reloadagent /bye

# Kill the agent; gpg starts a fresh one on the next operation,
# or start it explicitly
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

Permission Issues (Linux/macOS)

# Fix GPG directory permissions: directories (including private-keys-v1.d
# and openpgp-revocs.d) need 700 and files 600. A flat chmod 600 on
# ~/.gnupg/* would strip the execute bit from those subdirectories and
# break the agent.
chmod 700 ~/.gnupg
find ~/.gnupg -type d -exec chmod 700 {} +
find ~/.gnupg -type f -exec chmod 600 {} +

πŸ” Debugging Commands

# Check GPG configuration
gpg --version
gpgconf --list-dirs

# Test GPG functionality
echo "test" | gpg --clearsign

# Verbose output for debugging
gpg --verbose --list-keys

Additional Resources

📚 Documentation & Guides

🛠️ Tools & GUIs

🌐 Keyservers


Quick Reference

Essential Commands

# Generate key
gpg --full-generate-key

# List keys
gpg --list-keys

# Export public key
gpg --armor --export [email protected]

# Import key
gpg --import keyfile.asc

# Encrypt file
gpg --encrypt --recipient [email protected] file.txt

# Decrypt file
gpg --decrypt file.txt.gpg

This guide provides everything you need to effectively manage GPG keys for encryption, signing, and secure communications.
