Use Cases - git-crypt
Last Updated: 2026-03-30 by Keming He based on
git-cryptv0.8.0 release
Important
This guide is for macOS / Linux users with POSIX-compatible shell (sh, bash, zsh).
For Windows users: See AGWA/git-crypt - INSTALL.md - Experimental Windows Support.
Transparent file encryption in Git repositories using GPG keys.
- Use Cases - git-crypt
- Transparent encryption: Encrypt files automatically on commit, decrypt on checkout - no manual steps
- AES-256 encryption: Industry-standard symmetric encryption for file contents
- Works with existing workflows: Use normal git commands - clone, pull, push, diff all work seamlessly
- GPG-based access control: Grant access using GPG public keys - no shared secrets to manage
Important
GPG key required. git-crypt uses GPG keys to encrypt the repository's symmetric key. You need a GPG key with an encryption-capable subkey.
If you don't have a GPG key, see Use Cases - GPG Commit Signing to generate one.
Verify your key has encryption capability:
gpg --list-secret-keys --keyid-format=longLook for [E] (Encrypt) capability in the output:
sec rsa4096/ABCDEF1234567890 2026-02-06 [SC] [expires: 2029-02-05]
1234567890123456789012345678901234567890
uid [ultimate] Your Name <your-email@example.com>
ssb rsa4096/FEDCBA0987654321 2026-02-06 [E] [expires: 2029-02-05]The ssb line with [E] indicates an encryption-capable subkey. If missing, you need to add one with gpg --edit-key YOUR_KEY_ID then addkey.
macOS:
brew install git-cryptUbuntu/Debian:
sudo apt-get install git-cryptVerify installation:
git-crypt --versionExpected output: git-crypt 0.8.0 (or similar version number).
Note
Initialize git-crypt in an existing Git repository. The repository must have at least one commit.
Initialize git-crypt:
git-crypt initThis creates a random AES-256 key stored in .git/git-crypt/keys/default.
Add yourself as a trusted user:
# Using email (from uid line)
git-crypt add-gpg-user your-email@example.com
# Or using long key ID (from sec line, after rsa4096/)
# git-crypt add-gpg-user ABCDEF1234567890
# Or using full fingerprint (40-character line below sec)
# git-crypt add-gpg-user 1234567890123456789012345678901234567890Any identifier that uniquely matches your GPG key works. See your Prerequisites output for these values.
Tip
This command automatically commits .git-crypt/ files to the repository. These files contain the encrypted symmetric key - one copy per authorized GPG key.
Verify setup:
ls .git-crypt/You should see keys/ directory with your GPG-encrypted key file.
Warning
Security: .gitattributes tampering risk. git-crypt cannot be used securely unless the entire repository is protected against tampering. An attacker who can mutate your repository can alter the .gitattributes file to disable encryption. Use Git signed tags or commits to protect repository integrity.
Encryption patterns are defined in .gitattributes using Git's filter and diff attributes.
PATTERN filter=git-crypt diff=git-crypt
Where PATTERN is a gitignore-style glob pattern with one critical exception: specifying only a directory path like /dir/ does NOT encrypt files beneath it. You must use dir/** to encrypt entire directory trees.
# Encrypt all files in secrets/ directory
secrets/** filter=git-crypt diff=git-crypt
# Encrypt specific file types
*.key filter=git-crypt diff=git-crypt
*.pem filter=git-crypt diff=git-crypt
# Encrypt environment files
.env filter=git-crypt diff=git-crypt
.env.* filter=git-crypt diff=git-crypt
# Encrypt files with specific naming
**/credentials.json filter=git-crypt diff=git-crypt
**/secrets.yaml filter=git-crypt diff=git-crypt
Important
Exclusion rules MUST be at the END of the file. Git attributes use last-match-wins semantics. If you need to exclude files from encryption, place those rules after the encryption rules.
Correct order:
# Encrypt everything in secrets/
secrets/** filter=git-crypt diff=git-crypt
# EXCEPTION: Do NOT encrypt the README (must be LAST)
secrets/README.md !filter !diff
Incorrect order (README would be encrypted):
# This exclusion is overridden by the rule below - WRONG
secrets/README.md !filter !diff
secrets/** filter=git-crypt diff=git-crypt
The .gitattributes file itself should never be encrypted - it must be readable to determine which files to decrypt.
When you clone a git-crypt repository, encrypted files appear as binary data until unlocked.
git clone git@github.com:username/repo.git # via SSH
# git clone https://github.com/username/repo.git # via HTTP
cd repo
# Unlock with your GPG key
git-crypt unlockgit-crypt automatically finds your GPG key if you were added as a trusted user.
# List all files and their encryption status
git-crypt statusOutput shows which files are encrypted:
encrypted: secrets/api-key.txt
encrypted: .env
not encrypted: README.md
not encrypted: .gitattributesTest that files are actually encrypted in the repository:
# Lock the repository (re-encrypts files in working directory)
git-crypt lock
# View an "encrypted" file - should be binary garbage
cat secrets/api-key.txt
# Unlock to restore readable content
git-crypt unlockVerify encryption in git history:
# Show raw blob content (should be encrypted)
git show HEAD:secrets/api-key.txt | head -c 100 | xxdEncrypted content starts with \x00GITCRYPT.
Important
Back up your GPG private key. If you lose access to your GPG key, you lose access to the encrypted repository. There is NO recovery mechanism.
Export your private key for secure backup (e.g., password manager, offline storage):
# Export private key (includes encryption subkey)
gpg --armor --export-secret-keys YOUR_KEY_ID > private-key-backup.asc
# Export public key (for sharing with collaborators)
gpg --armor --export YOUR_KEY_ID > public-key.ascStore private-key-backup.asc securely. After importing to your backup location, delete the exported file:
# macOS (BSD) - best-effort overwrite on traditional disks
rm -P private-key-backup.asc public-key.asc
# Linux (GNU) - best-effort overwrite on traditional disks
shred -u private-key-backup.asc public-key.ascWarning
Secure deletion limitation: Overwrite-based deletion (rm -P, shred) does not guarantee secure erasure on modern SSDs or journaled/copy-on-write filesystems (APFS, Btrfs, ZFS, ext4). Blocks may be remapped, retained in snapshots, or bypassed by TRIM operations. For sensitive key material: export directly to encrypted volumes (FileVault, LUKS), use tmpfs/RAM disk for temporary files, or avoid writing to disk entirely by piping to password managers.
To grant repository access to another user:
-
Obtain their GPG public key:
# They export their public key gpg --armor --export THEIR_KEY_ID > collaborator-public.asc # You import it gpg --import collaborator-public.asc
-
Add them to git-crypt:
git-crypt add-gpg-user THEIR_KEY_ID
-
Push the changes (auto-committed by git-crypt):
git push
The collaborator can now clone and git-crypt unlock using their GPG key.
Important
git-crypt has no revocation mechanism. Once someone has access, they can decrypt ALL historical commits forever. Removing their .git-crypt/ key file only prevents future unlocks from new clones. Any user with an old clone and the old key can still decrypt all historical commits, even after re-initialization.
To truly revoke access requires rotating all secrets:
- Rotate all secrets in the repository (API keys, passwords, certificates, etc.)
- Re-initialize git-crypt with a new symmetric key
- Re-add only authorized users
- Force-push the new history (destructive operation)
Even after re-initialization, anyone with the old key can still access all historical commits in old clones. This is why secret rotation is critical, not just key rotation. See Known Limitations for more details.
If you add .gitattributes patterns for files already tracked in the repository, they are not automatically re-encrypted. You must force re-encryption.
Force re-encryption of all files:
git-crypt status -fThis re-stages files that should be encrypted based on current .gitattributes patterns.
Commit the re-encrypted files:
git add -A
git commit -m "chore(security): encrypt existing files with git-crypt"Previous commits still contain unencrypted content - see Known Limitations about retroactive encryption.
When working with multiple branches, encryption status can become inconsistent if branches have different .gitattributes configurations.
Best practice: Update .gitattributes on your main/default branch first, then rebase feature branches.
If encryption patterns changed on main:
# On your feature branch
git fetch origin
git rebase origin/mainIf files need re-encryption after rebase:
# Remove files from index (keep working copy)
git rm --cached path/to/file
# Re-add to trigger encryption
git add path/to/file
# Commit the re-encrypted version
git commit --amend --no-editFor complex Git workflows, see Use Cases - Git.
Symptom:
Error: no GPG secret key available to unlock this repositoryCauses and fixes:
-
GPG key not imported:
gpg --list-secret-keys --keyid-format=long
If your key is missing, import your backup:
gpg --import private-key-backup.asc -
GPG agent not running:
gpgconf --kill gpg-agent gpg-agent --daemon git-crypt unlock
-
You were never added as a trusted user: Contact the repository owner to run
git-crypt add-gpg-user YOUR_KEY_ID.
Symptom: git-crypt status shows files as "not encrypted" that should be encrypted.
Causes and fixes:
-
Pattern not matching: Check
.gitattributessyntax. Test with:git check-attr filter path/to/file
Should output
path/to/file: filter: git-crypt. -
Files committed before pattern was added: Force re-encryption:
git-crypt status -f git add -A git commit -m "chore: re-encrypt files" -
Exclusion rule overriding encryption: Check rule order in
.gitattributes- see Critical: Exclusion Rule Order.
Symptom: Merge shows binary conflict markers in encrypted files.
Fix: Resolve by choosing one version entirely:
# Keep our version
git checkout --ours path/to/file
git add path/to/file
# Or keep their version
git checkout --theirs path/to/file
git add path/to/fileManual merge of encrypted content is not possible - you must choose one side or re-create the file after unlocking.
| Limitation | Description | Mitigation |
|---|---|---|
| No retroactive encryption | Encrypting a file does not encrypt its history. Previous commits remain unencrypted. | Retroactively encrypt files with git-crypt-retro (new), or rewrite history with git-filter-repo (mature), or start fresh. |
| File paths visible | Only file contents are encrypted. File names and paths are visible to anyone. | Use generic names like secrets/config.enc instead of secrets/aws-credentials.json. |
| Metadata leakage | File sizes, modification times, and commit metadata are not hidden. | Accept this limitation or use a different solution for high-security needs. |
| No revocation | Removing a user's key file does not prevent access to previously cloned repositories. Anyone with old clones and old keys can decrypt all historical commits forever. | Rotate all secrets when removing users. Re-initialization only prevents future access, not historical access. |
| Binary diffs | Encrypted files show as binary - git diff is not useful. |
Run git-crypt unlock before reviewing changes. |
| GUI incompatibility | Does not work reliably with some third-party Git GUIs like Atlassian SourceTree and GitHub for Mac. Files may be left unencrypted. | Use command-line Git or verify encryption status after GUI operations with git-crypt status. |
| Patch application | Encrypted files cannot be patched with git-apply unless the patch itself is encrypted. |
Use git diff --no-textconv --binary to generate encrypted patches, or apply plaintext patches outside Git using the patch command. |
- Use Cases - GPG Commit Signing - Generate and manage GPG keys
- Use Cases - Git - Git workflows, rebasing, and history rewriting
- Use Cases - SSH Authentication - SSH key setup for Git hosting