A Simple Guide For Updating Encrypted Files When Using Git-Crypt

When working with codebases, it’s necessary to encrypt secrets. Secrets, like keys or passwords, provide private information needed to access or connect to other applications or resources. One popular choice for handling file encryption in codebases is git-crypt. It makes it simple to quickly encrypt/decrypt specific files that you choose in a git repository. This allows you to have secrets stored and encrypted files and still keep the repository public.

If you are unsure of why you might need to use secrets, this article from Cyberark gives a great in-depth look into what secrets are. It also gives some examples of how they can be used and why they might be valuable for your software projects.

Just as it is important to have secure file encryption for a repository, it is similarly important to make sure you only commit encrypted versions of those files. Using a careful process to commit encrypted files is essential to ensure there are no un-encrypted versions of the file anywhere in the git history. If there are any versions of a secrets file in the git history, any secrets or data in the file are no longer secure.

The process to clean the git history can be tricky, so it is smart to safely update and commit encrypted files. Below is the process I use to make sure I never commit an un-encrypted version accidentally when updating a file.

Steps to Update Encrypted Files

1. git-crypt lock –force; git-crypt unlock <git-crypt-key>

This line is run assuming that the repository is already unlocked and the secret file is not encrypted on your local machine. If you are unsure of the encryption state, you only need to run this line if you see that the file is marked as `not encrypted` when running “git-crypt status” on the command line.

2. Make desired changes to secrets file

3. git commit .secrets -m “Updating secrets file”

You need to run this command on the command line. When using a Git UI (like GitUp), I ran into issues where it would stage/commit the un-encrypted version.

4. git-crypt lock

5. git-crypt status

If you see something like this for the file you updated:

  • encrypted: .secrets

You should be good to push!

If you see something like this message:

  • encrypted: .secrets *** WARNING: staged/committed version is NOT ENCRYPTED! ***”

In this case, you’ll want to delete or revert the commit. This time, make sure the commit is done on the command line. (This error message happened when I used Gitup to stage & commit the file.) Then you can try steps 4 & 5 again.

6. git push

Updating Encrypted Files When Using Git-Crypt

And ta-da! You have successfully updated the encrypted file, ensuring there are no un-encrypted versions of the file existing in the repository history.