sunny24365

Reputation: 563

File encryption in Git Repository

Is there any way (built-in or add-on) to encrypt individual files in a repository so that they are accessible only by a limited set of people? Files, when checked in by those people, will auto-encrypt, and will decrypt when checked out. They will stay encrypted if anyone else tries to access them.

Upvotes: 34

Views: 24946

Answers (4)

camino

Reputation: 10594

One way is to use Vim.

You can just open the file in Vim.

Then input the command ":X"

Input your password.

And share the password with whoever needs to access it.

Upvotes: 0

Brian Royer

Reputation: 3

I created this to be a bit simpler and idempotent, since Ansible Vault did not offer a deterministic encryption method. It's probably not the recommended tool for all use cases, but it provides a very simple interface for encryption at rest. https://github.com/shyce/shield

Upvotes: 0

hungneox

Reputation: 9839

I know my answer is late, but there are plenty of alternatives for storing secrets in git repos:

  1. Git-crypt
  2. BlackBox
  3. SOPS
  4. Transcrypt

Most of them use GNU Privacy Guard (GPG), symmetric key encryption, and/or cloud key services (SOPS). If you just want a simple encryption mechanism with a password, you can also take a look at Ansible Vault, which doesn't require generating keys for each account.

Upvotes: 24
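The transparent encrypt-on-checkin / decrypt-on-checkout behaviour the question asks for is what git's clean/smudge filters provide, and tools such as git-crypt and Transcrypt are wrappers around that mechanism. The following is an added example (not from any answer above and not the code of those projects) of a minimal filter pair; it assumes git and the openssl CLI are installed and uses a constructed placeholder passphrase. It also shows why the clean filter has to be deterministic, the property Brian Royer's answer mentions.

```shell
#!/bin/sh
# Minimal git clean/smudge filter pair: the clean filter encrypts a file as it
# is staged, the smudge filter decrypts it on checkout. Illustrates the
# mechanism behind git-crypt and transcrypt; this is not their code.
# Assumes git and the openssl CLI are on PATH. Placeholder passphrase only;
# real tools keep the key outside the repository.
set -eu

PASS="${CRYPT_PASS:-demo-passphrase-not-for-real-use}"

# Salt derived from the plaintext (keyed with the passphrase) so that equal
# plaintexts encrypt to equal ciphertexts. git re-runs the clean filter when
# it compares the working tree to the index; with a random salt every secret
# would look modified on every "git status". Trade-off: an observer can tell
# when two stored secrets are identical.
content_salt() {
  openssl dgst -sha256 -hmac "$PASS" "$1" | sed 's/^.*= *//' | cut -c1-16
}

# clean filter: plaintext on stdin -> base64 ciphertext on stdout
encrypt_filter() {
  tmp=$(mktemp)
  cat > "$tmp"
  openssl enc -aes-256-cbc -pbkdf2 -S "$(content_salt "$tmp")" \
    -pass "pass:$PASS" -a -in "$tmp"
  rm -f "$tmp"
}

# smudge filter: base64 ciphertext on stdin -> plaintext on stdout
decrypt_filter() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$PASS" -a
}

# Register the filters in a repository: paths matching the pattern are stored
# encrypted in git objects and appear decrypted in the working tree.
# "required" makes git refuse to stage or check out if the filter fails,
# so a missing passphrase cannot silently commit plaintext.
install_filter() {
  repo=$1; pattern=$2; self=$(readlink -f "$0")
  git -C "$repo" config filter.crypt.clean  "sh '$self' clean"
  git -C "$repo" config filter.crypt.smudge "sh '$self' smudge"
  git -C "$repo" config filter.crypt.required true
  printf '%s filter=crypt\n' "$pattern" >> "$repo/.gitattributes"
}

case "${1:-}" in
  clean)   encrypt_filter ;;
  smudge)  decrypt_filter ;;
  install) install_filter "$2" "$3" ;;
esac
```

Run `sh thisfile.sh install /path/to/repo 'secrets/*'` once per clone; after that `git cat-file -p HEAD:secrets/db.env` shows ciphertext while the checked-out file is plaintext, and a clone without the passphrase sees only the encrypted blobs.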

ikkjo

Reputation: 795

Maybe Blackbox helps?

From their website (https://github.com/StackExchange/blackbox):

Safely store secrets in a VCS repo (i.e. Git, Mercurial, Subversion or Perforce). These commands make it easy for you to Gnu Privacy Guard (GPG) encrypt specific files in a repo so they are "encrypted at rest" in your repository. However, the scripts make it easy to decrypt them when you need to view or edit them, and decrypt them for use in production. Originally written for Puppet, BlackBox now works with any Git or Mercurial repository.

...

Rather than one GPG passphrase for all the files, each person with access has their own GPG keys in the system. Any file can be decrypted by anyone with their GPG key. This way, if one person leaves the company, you don't have to communicate a new password to everyone with access. Simply disable the one key that should no longer have access. The process for doing this is as easy as running 2 commands (1 to disable their key, 1 to re-encrypt all files.)

Upvotes: 2
