Git-crypt – transparent file encryption in Git

1. git-crypt

   1 54 9,037 2.6 C++

   Transparent file encryption in git

   

   Git-crypt is a dead product with numerous unresolved issues and drawbacks.

   Newer versions of git cause git to crash when invoking git-crypt[0].

   It doesn’t scale with users: Off-boarding a key is a commit in git. Since it is trivially easy to rewind a git repo before the revocation commit and then decrypt with the revoked key, this means you need to rotate every key under management when any revoke is performed.

   It provides the illusion of asymmetric key encryption, but your asymmetric key wraps a shared symmetric key used to encrypt the entire repository. This also means a user could roll the repository back before a key was revoked and steal the symmetric key used to protect the repository and then use that key to decrypt the repository any time in the future.

   It doesn’t scale with the number of files under management. As a result of how it’s implemented, every invocation is a separate process launch. This means every file triggers an asymmetric unwrap of the symmetric key. If you’re protecting your GPG key with hardware keyfob, decrypting the repository will take a long time.

   This product was cool for a while but is flawed… do yourself a favor: Mozilla’s SOPS is better when coupled with something like AWS KMS.

   [0] https://github.com/AGWA/git-crypt/issues/273

2. Sevalla

   sevalla.com featured

   Deploy and host your apps and databases, now with $50 credit! Sevalla is the PaaS you have been looking for! Advanced deployment pipelines, usage-based pricing, preview apps, templates, human support by developers, and much more!

   

3. sops

   2 162 19,264 9.4 Go

   Simple and flexible tool for managing secrets

   

   How does this compare to mozilla's sops[1]. I've heard sops is also used for this kind of usecase, although it seems to do much more.

   [1] https://github.com/getsops/sops

4. git-agecrypt

   3 1 88 3.1 Rust

   

   There is also git-agecrypt [1], which is the same but uses age instead of gpg. I've used both, they work pretty well.

   [1]: https://github.com/vlaci/git-agecrypt

5. passage

   4 17 959 3.5 Shell

   A fork of password-store (https://www.passwordstore.org) that uses age (https://age-encryption.org) as backend.

   

   You'd be better off with passage[0] -- it's a fork of pass but uses age for encryption. You can just make a directory hierarchy with appropriate .age-recipients files at the right levels.

   [0]: https://github.com/FiloSottile/passage

6. git-secret

   5 24 3,884 7.3 Shell

   :busts_in_silhouette: A bash-tool to store your private data inside a git repository.

   

   I believe git-secret[0] does what you describe. The author of Lunar[1] uses it to hide the private elements in a public repo.

   [0]: https://sobolevn.me/git-secret/

   [1]: https://github.com/alin23/Lunar/

7. Lunar

   6 195 5,268 7.3 Swift

   Intelligent adaptive brightness for your external monitors

   

   I believe git-secret[0] does what you describe. The author of Lunar[1] uses it to hide the private elements in a public repo.

   [0]: https://sobolevn.me/git-secret/

   [1]: https://github.com/alin23/Lunar/

Suggest a related project