Transparent file encryption for Git repositories using AES-256, encrypting files on commit and decrypting on checkout
git-crypt provides transparent file encryption within Git repositories, encrypting specified files when committed and decrypting them when checked out. Files are selected for encryption using .gitattributes patterns, allowing repositories to contain both public and private content. Developers without decryption keys can still clone and commit to repositories containing encrypted files, enabling secure storage of secrets alongside public code.
The tool supports two authentication modes: GPG-based multi-user access through git-crypt add-gpg-user commands that store encrypted keys in the repository, and symmetric key mode using git-crypt export-key for manual key distribution. After initial setup with git-crypt init or unlocking with git-crypt unlock, all encryption and decryption operations happen transparently during normal Git operations.
git-crypt uses AES-256 encryption in CTR mode with synthetic IVs derived from SHA-1 HMACs, providing semantic security under deterministic chosen-plaintext attacks. This approach ensures that while encryption is deterministic (required so that an unchanged file produces an unchanged encrypted blob and Git can tell changed files from unchanged ones), it reveals no information beyond file identity, i.e. whether two encrypted files or two versions of one file are the same. The tool is designed for repositories where most content is public but specific files like API keys or certificates require encryption, rather than full-repository encryption scenarios.
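To make the deterministic-IV construction concrete, here is an added Go example (not git-crypt's own code) that models the design the paragraph describes: a synthetic IV taken from an HMAC-SHA1 over the plaintext, AES-256 in CTR mode keyed separately from the HMAC, and the nonce stored in front of the ciphertext. The key sizes, the 12-byte nonce length, the nonce || counter IV layout and the blob framing are this example's assumptions, not git-crypt's actual file format. It shows the two properties the text relies on: identical plaintexts under one key give byte-identical output (so Git sees no change), and because the nonce is bound to the plaintext, recomputing it after decryption doubles as an integrity check on a mode (CTR) that is otherwise malleable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Key holds one AES-256 key for the CTR keystream and a separate key for the
// HMAC-SHA1 that derives the synthetic IV. Sizes are an assumption of this example.
type Key struct {
	AES  [32]byte
	HMAC [64]byte
}

// nonceLen is the number of leading HMAC-SHA1 bytes used as the synthetic IV (assumed).
const nonceLen = 12

// syntheticIV derives the nonce deterministically from the plaintext, so the same
// plaintext under the same key always yields the same nonce and hence the same ciphertext.
func syntheticIV(k *Key, plaintext []byte) []byte {
	mac := hmac.New(sha1.New, k.HMAC[:])
	mac.Write(plaintext)
	return mac.Sum(nil)[:nonceLen]
}

// ctrIV builds the 16-byte AES-CTR IV as nonce || 32-bit block counter starting at zero.
func ctrIV(nonce []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce)
	return iv
}

// Encrypt returns nonce || AES-256-CTR(plaintext). The nonce is stored so the
// decryptor can rebuild the counter without first knowing the plaintext.
func Encrypt(k *Key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.AES[:])
	if err != nil {
		return nil, err
	}
	nonce := syntheticIV(k, plaintext)
	out := make([]byte, nonceLen+len(plaintext))
	copy(out, nonce)
	cipher.NewCTR(block, ctrIV(nonce)).XORKeyStream(out[nonceLen:], plaintext)
	return out, nil
}

// Decrypt reverses Encrypt, then recomputes the synthetic IV from the recovered
// plaintext; a mismatch means the blob was altered or the wrong key was used.
func Decrypt(k *Key, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen {
		return nil, errors.New("blob too short to hold a nonce")
	}
	block, err := aes.NewCipher(k.AES[:])
	if err != nil {
		return nil, err
	}
	nonce := blob[:nonceLen]
	plaintext := make([]byte, len(blob)-nonceLen)
	cipher.NewCTR(block, ctrIV(nonce)).XORKeyStream(plaintext, blob[nonceLen:])
	if !hmac.Equal(syntheticIV(k, plaintext), nonce) {
		return nil, errors.New("synthetic IV mismatch: ciphertext altered or wrong key")
	}
	return plaintext, nil
}

// Deterministic reports whether two plaintexts encrypt to byte-identical blobs,
// which is exactly what lets Git distinguish unchanged encrypted files from changed ones.
func Deterministic(k *Key, a, b []byte) (bool, error) {
	ca, err := Encrypt(k, a)
	if err != nil {
		return false, err
	}
	cb, err := Encrypt(k, b)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ca, cb), nil
}

func main() {
	var k Key
	copy(k.AES[:], bytes.Repeat([]byte{0x11}, 32)) // constructed demo key, not for real use
	copy(k.HMAC[:], bytes.Repeat([]byte{0x22}, 64))
	secret := []byte("API_KEY=example-not-a-real-key\n") // constructed sample file content
	blob, _ := Encrypt(&k, secret)
	same, _ := Deterministic(&k, secret, secret)
	fmt.Printf("blob is %d bytes; re-encrypting identical plaintext gives identical blob: %v\n", len(blob), same)
	blob[nonceLen] ^= 1 // flip one ciphertext bit: CTR alone would silently accept this
	_, err := Decrypt(&k, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Two consequences follow directly from the construction. First, the encryptor must read the whole plaintext before it can emit the first byte, since the nonce depends on all of it. Second, the only thing an observer of the repository learns is equality: two commits that contain the same secret file produce the same blob, so a file that is reverted to an earlier value is visible as such in the history even though its contents are not.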