
Git-crypt – Transparent file encryption in git - remx
https://www.agwa.name/projects/git-crypt/
======
dom0
Previous discussion:
[https://news.ycombinator.com/item?id=14079514](https://news.ycombinator.com/item?id=14079514)

------
tptacek
Reprising a comment from a similar tool:

Don't keep encrypted secrets in your git repositories, if for no other reason
than that it makes access revocation deceptively difficult --- but also
because it encourages you to have a development team in which ordinary devs
have a full complement of secrets on their laptops at all times.

Instead, keep secrets "out of band" and supply them to applications as part of
your deployment process.

[https://news.ycombinator.com/item?id=14080007](https://news.ycombinator.com/item?id=14080007)

~~~
HurrdurrHodor
Maybe it's not a great idea for software projects but for keeping personal
data in git (the author wrote it for dotfiles) it seems brilliant.

~~~
tptacek
If your repo isn't, and never will be, part of a team, I don't care what you
use to encrypt it, and don't have any criticisms to offer of this tool.

------
sigil
I know tptacek regards this as a security antipattern (he's usually right),
but I do it anyway for smaller projects. It's better than committing plaintext
secrets to a repo somewhere.

Couple things I wonder about:

1. I don't understand why git-crypt is written in C, when a shorter shell
script that calls out to openssl(1) and gpg(1) would seem to suffice.

2. The symmetric key mode isn't ideal -- the gpg mode is better -- but up
until OpenSSH 6.7 you couldn't easily forward gpg-agent's unix domain socket,
which you need for working with a git checkout on a remote machine. There are
also some issues with the gpg-agent protocol last I checked. Has anyone
actually gotten gpg-agent forwarding to work?

------
agotterer
git-crypt doesn't really seem well maintained any longer.

Two alternatives that I've used and like are:

[https://github.com/StackExchange/blackbox](https://github.com/StackExchange/blackbox)

[https://github.com/elasticdog/transcrypt](https://github.com/elasticdog/transcrypt)

~~~
ausjke
great to know these, thanks!

