Git-crypt provides transparent encryption for sensitive files within Git repositories, allowing teams to store secrets like API keys alongside public code without exposing them.

What is Git-Crypt?

Git-crypt encrypts chosen files on commit and decrypts them on checkout using AES-256 encryption. It supports GPG keys for multi-user access or symmetric keys, enabling collaboration where non-key holders can still clone and commit. Developers without keys see encrypted binaries, preserving repo usability.

Setup Examples

Initialize in a repo: run git-crypt init to generate a key. Define the files to encrypt in .gitattributes, e.g., *.key filter=git-crypt diff=git-crypt or secrets/** filter=git-crypt diff=git-crypt. Put these rules in place before adding the sensitive files themselves; a file committed before its rule exists is stored in plaintext.

Share access: run git-crypt add-gpg-user USER_ID for GPG users, which commits a copy of the repository key encrypted to that user's GPG key. Or export a symmetric key: git-crypt export-key /path/to/keyfile.

Unlock after clone: run git-crypt unlock (GPG) or git-crypt unlock /path/to/keyfile. Lock with git-crypt lock to re-encrypt.
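
As an added example (not from the original page or the git-crypt project), a POSIX shell check for a pre-commit hook or CI job: it flags staged files covered by filter=git-crypt whose blob lacks the 10-byte \0GITCRYPT\0 header that git-crypt writes. That happens when a file was added before its .gitattributes rule, or from a clone where git-crypt was never set up, since Git passes content through an unconfigured filter unchanged. The function names are hypothetical; only git is required.

```sh
#!/bin/sh
# Added example: find staged files that should be git-crypt encrypted but are not.
# Function names are hypothetical; requires only git, od, sed and tr.

# Hex of the 10-byte header at the start of every git-crypt blob: \0GITCRYPT\0
GITCRYPT_MAGIC_HEX="00474954435259505400"

# Print each staged path with filter=git-crypt whose staged blob lacks the header.
# Limitation: paths that git quotes (newlines, non-ASCII) are not handled.
find_unencrypted() {
    repo="${1:-.}"
    git -C "$repo" ls-files | while IFS= read -r path; do
        # "path: filter: value" -> "value"
        filter=$(git -C "$repo" check-attr filter -- "$path" | sed 's/.*: filter: //')
        [ "$filter" = "git-crypt" ] || continue
        # ":path" names the blob in the index, i.e. what the next commit will store.
        head_hex=$(git -C "$repo" cat-file blob ":$path" | od -An -tx1 -N10 | tr -d ' \n')
        [ "$head_hex" = "$GITCRYPT_MAGIC_HEX" ] || printf '%s\n' "$path"
    done
}

# Exit status 0 when every covered file is encrypted, 1 otherwise (for hooks/CI).
audit_staged() {
    bad=$(find_unencrypted "${1:-.}")
    if [ -n "$bad" ]; then
        printf 'Staged as plaintext despite filter=git-crypt:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

Calling audit_staged from .git/hooks/pre-commit blocks the commit while any covered file is still staged in plaintext.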

Windows Installation

On Windows, download the pre-built binary from https://files.martinkonicek.eu/git-crypt.exe and place it in your Git bin directory, such as C:\Program Files\Git\cmd\git-crypt.exe. Git must already be installed; a separate GPG installation is not needed for symmetric mode. Test the install with git-crypt --version in Git Bash or CMD.