Git encryption that works

Intructions on git encryption are to found around the web, some don’t work, some are too difficult. The following works for me. Make sure you understand what you’re doing if you decide to use it. All thanks, kudos, merit and attribution to this excellent post.

  1. Make sure git and openssl are installed and working on your system
  2. Create a directory in $HOME:
    mkdir ~/.gitencrypt
  3. Make it accessible only to user
    chmod 0700 ~/.gitencrypt
  4. Create the 3 following files in this directory:
    cat > ~/.gitencrypt/clean_filter_openssl <<EOF
    openssl enc -base64 -aes-256-ecb -S $SALT -k $PASSWORD
    cat > ~/.gitencrypt/diff_filter_openssl <<EOF
    openssl enc -d -base64 -aes-256-ecb -k $PASSWORD -in "" 2> /dev/null || cat ""
    cat > ~/.gitencrypt/smudge_filter_openssl <<EOF
    openssl enc -d -base64 -aes-256-ecb -k $PASSWORD 2> /dev/null || cat
  5. Make these 3 files executable:
    chmod +x ~/.gitencrypt/*
  6. Generate a random, 24-hex characters salt and a random password, and set them in the files created above:
    RANDOM_SALT=$(tr -dc 'A-F0-9' < /dev/urandom | head -c16)
    RANDOM_PASSWORD=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c18)
    sed -i -e "s/SALT=/SALT=${RANDOM_SALT}/" ~/.gitencrypt/*
    sed -i -e "s/PASSWORD=/PASSWORD=${RANDOM_PASSWORD}/" ~/.gitencrypt/*
  7. Create a git repository:
    mkdir repos
    cd repos
    git init
  8. Append lines to .git/config:
    cat >> .git/config <<EOF

    [filter “openssl”] smudge = ~/.gitencrypt/smudge_filter_openssl clean = ~/.gitencrypt/clean_filter_openssl [diff “openssl”] textconv = ~/.gitencrypt/diff_filter_openssl EOF

  9. Add a .gitattributes file
    cat > .gitattributes <<EOF
    * filter=openssl diff=openssl
  10. Now all commits will be encrypted.
écrivain et éditeur

Après plusieurs vies, j’écris maintenant