Git crypt

Last update: 30 Nov 2024

Introduction

In today’s interconnected world, many applications rely on external services and databases. Access to these resources often requires sensitive information like API keys, tokens, and database credentials. However, storing such secrets directly in plain text within a Git repository poses significant security risks:

  1. Accidental Exposure: Human error can lead to unintentional committing of sensitive information.
  2. Malicious Access: Unauthorized individuals who gain access to the repository can exploit the exposed secrets.
  3. Compromised Builds and Deployments: Attackers who can tamper with secrets can inject malicious code into builds and deployments.

Git-crypt offers a robust solution to this problem. It allows you to encrypt specific files within your Git repository, ensuring that sensitive information remains confidential even if the repository itself is compromised.

The Key Benefits of using Git-Crypt are:

  • Enhanced Security: Git-crypt employs strong encryption algorithms to protect your secrets.
  • Secure Key Management: You can manage encryption keys securely, reducing the risk of unauthorized access.
  • Transparent Integration with Git: Git-crypt integrates seamlessly with your existing Git workflow.
  • Efficient Encryption and Decryption: The process is automated, requiring minimal manual intervention.

Some practical git-crypt use cases are:

  • Infrastructure as Code: Encrypt Kubernetes secrets and config maps, Terraform configurations, and other infrastructure-related files.
  • Application Configuration: Protect sensitive configuration files containing API keys, database credentials, and other secrets.
  • Developer Credentials: Securely store personal access tokens, SSH keys, and other credentials used for development and deployment.

Alternatives to git-crypt

While Git-Crypt is a powerful tool for securing sensitive information within Git repositories, it’s not the only solution. Here are some alternative approaches you can consider:

  1. Secret Management Tools:
     • HashiCorp Vault: A comprehensive secret management solution that can store, encrypt, and manage secrets. It integrates with various tools and platforms, including Git.
     • AWS Secrets Manager: A managed service that enables you to rotate, manage, and retrieve secrets easily. It can be integrated with your CI/CD pipelines to inject secrets into your applications securely.
     • Azure Key Vault: A cloud-based secret management service that allows you to store, retrieve, and manage cryptographic keys and secrets.

  2. Environment Variables:
     • CI/CD Pipelines: Set environment variables within your CI/CD pipelines (e.g., Jenkins, GitLab CI/CD, Azure DevOps) to securely inject secrets into your build and deployment processes.
     • Docker Secrets: Use Docker secrets to securely store and manage sensitive information within Docker containers.

  3. External Configuration Services:
     • Spring Cloud Config: A distributed configuration management service that allows you to manage externalized configuration for applications. It can be used to securely store and retrieve secrets.
     • Consul: A distributed, highly available key-value store that can store and retrieve secrets.

How git-crypt works

Git-Crypt is a powerful tool that integrates seamlessly with your existing Git workflow to encrypt sensitive files within your repository without changing the way you use Git.

How It Works:

  • Local Development: You work with your files as usual, without any additional encryption steps. Git-Crypt operates transparently in the background. On your hard disk, the files are all in clear text (not encrypted).
  • Pushing to Remote Repository: During the push process, Git-Crypt sends the sensitive files to the remote repository in an encrypted and binary form.
  • Remote Repository Storage: The encrypted files are stored in the remote repository (GitHub, BitBucket,...) in an unreadable (raw) format. Only authorized users with the correct decryption keys can access the original content.

When someone clones the repository, the encrypted files remain unreadable unless they have the git-crypt key. Without the key, they can still modify, commit, and push all the other, unencrypted files as usual.

git-crypt can work in two different modes:

  • shared symmetric key
  • GPG keys

The first mode uses a symmetric key, generated by git-crypt during its initialization. This key should be kept in a secret vault and shared only with those who need to read and modify the sensitive files.

In GPG mode, each user uses their own GPG key to encrypt and decrypt the sensitive files, but only once their GPG key has been added to the list of authorized keys.

Which mode should you choose?

Symmetric keys are easier to manage (the key is just a file shared among team members), but it is difficult to revoke access once it has been given, and a compromised key gives complete access to all sensitive files.

GPG keys, on the other hand, let you be more selective about who can access the files, but their management has a higher overhead.
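The behaviour described in "How It Works" and the symmetric-key mode above, as an added walkthrough that is not part of this page or of the git-crypt project: it builds a throwaway repository in a temporary directory, protects one file, and checks that the file is clear text in the working tree but ciphertext in the blob git stores (what a push would send), then exports the symmetric key, locks the working copy and unlocks it again with the exported key file. It assumes git and git-crypt are on PATH (it prints "skipped" otherwise); the `secrets/**` pattern, the file name and the secret value are constructed for the example.

```shell
#!/bin/sh
# Added walkthrough, not code from the page or from the git-crypt project.
# Requires git and git-crypt; everything happens in a temp dir that is removed
# at the end. The secret value, file name and attribute pattern are constructed.

SAMPLE_SECRET='API_KEY=constructed-sample-value'

# Returns 0 when every check passes (prints "ok"), 1 on any failure,
# and 0 with "skipped" when git or git-crypt is not installed.
git_crypt_demo() {
    if ! command -v git >/dev/null 2>&1 || ! command -v git-crypt >/dev/null 2>&1; then
        echo "skipped: git and git-crypt are required"
        return 0
    fi
    work=$(mktemp -d) || return 1
    (
        set -e
        cd "$work"
        git init -q repo
        cd repo
        # Identity for the demo commit only; stored in the temp repo's config.
        git config user.email "demo@example.invalid"
        git config user.name  "git-crypt demo"

        # 1. Initialise git-crypt: generates the shared symmetric key under
        #    .git/git-crypt/ and installs the clean/smudge filter configuration.
        git-crypt init >/dev/null

        # 2. Declare which paths are protected. Everything under secrets/ goes
        #    through the git-crypt filter; .gitattributes itself stays in clear.
        printf 'secrets/** filter=git-crypt diff=git-crypt\n' > .gitattributes
        mkdir secrets
        printf '%s\n' "$SAMPLE_SECRET" > secrets/app.env
        git add .gitattributes secrets/app.env
        git commit -q -m "add protected config"

        # Working tree: clear text, exactly as the developer wrote it.
        grep -q 'constructed-sample-value' secrets/app.env
        echo "working tree: clear text"

        # Stored blob: ciphertext. cat-file -p prints the blob as git stores it
        # (no textconv), i.e. what the remote receives on push. The blob starts
        # with git-crypt's magic header and must not contain the plaintext.
        git cat-file -p HEAD:secrets/app.env | grep -aq 'GITCRYPT'
        if git cat-file -p HEAD:secrets/app.env | grep -aq 'constructed-sample-value'; then
            echo "plaintext leaked into the repository blob"; exit 1
        fi
        echo "stored blob : ciphertext (git-crypt header present)"

        # git-crypt's own view of the path.
        git-crypt status secrets/app.env | grep -q '^ *encrypted:'

        # 3. Export the symmetric key (this file is what goes in the team's
        #    vault), lock the working copy, confirm the secret is unreadable on
        #    disk, then unlock again with the key file.
        git-crypt export-key "$work/git-crypt.key"
        git-crypt lock
        if grep -aq 'constructed-sample-value' secrets/app.env; then
            echo "working copy still readable after lock"; exit 1
        fi
        echo "after lock  : working copy unreadable without the key"
        git-crypt unlock "$work/git-crypt.key"
        grep -q 'constructed-sample-value' secrets/app.env
        echo "after unlock: clear text again"
        echo "ok"
    )
    status=$?
    rm -rf "$work"
    return $status
}

git_crypt_demo
```

The exported key file is the whole secret of the symmetric mode: anyone holding it can run `git-crypt unlock` on any clone, which is why the page recommends keeping it in a vault and why revoking a single person's access means rotating the key for everyone.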

How to use git-crypt

On this page of my personal website, I describe how to install git-crypt and the configuration steps required to use git-crypt in a project.