Transparent file encryption for Git repositories, encrypting specified files on commit and decrypting on checkout
git-crypt provides transparent file encryption within Git repositories, allowing developers to store sensitive files alongside public code. Files marked for encryption in .gitattributes are encrypted by Git's clean filter when they are staged and decrypted by the smudge filter on checkout, so the working tree always holds plaintext while the repository only ever stores ciphertext. Keys can be shared with collaborators via GPG (git-crypt add-gpg-user encrypts the repository key to their public key and commits it under .git-crypt/), or exported as a raw symmetric key file (git-crypt export-key) for distribution through a separate secure channel such as a CI secret store.
The encryption uses AES-256 in CTR mode with a synthetic IV: the nonce is derived from an HMAC-SHA1 of the file contents under a second key, so the same plaintext always yields the same ciphertext. This is secure under deterministic chosen-plaintext attack, which is the strongest notion a deterministic scheme can achieve. Determinism is required so that Git's clean filter produces a stable blob and an unchanged file does not show up as modified on every status or diff; the price is that the ciphertext reveals whether two encrypted files (or two versions of one file) are identical, and nothing more. Users configure encryption by running git-crypt init and then listing file patterns in .gitattributes, for example *.key filter=git-crypt diff=git-crypt; the diff attribute lets git diff show plaintext changes for users who hold the key.
git-crypt excels at protecting a handful of sensitive files (API keys, certificates, credentials) within largely public repositories. It degrades gracefully: developers without the key can still clone, build, and commit to a repository containing encrypted files, they simply see the ciphertext blobs in place of the secrets. It does, however, have limitations worth understanding before adopting it. File names, sizes, commit messages, and other metadata are never encrypted. There is no access revocation: anyone who has ever held the key can decrypt every version of every encrypted file in the history, so removing a collaborator means rotating the secrets themselves and re-keying, not merely deleting their GPG entry. And some Git GUI clients do not invoke Git's clean/smudge filters, so a file marked for encryption can be committed in plaintext; git-crypt status reports marked files whose committed version is not encrypted, and inspecting the stored blob directly (for example git show HEAD:path/to/secret.key | head -c 10) should reveal the git-crypt header rather than readable content.
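The following Go program is an added example, not git-crypt's own source. It models the construction described above (a nonce taken from HMAC-SHA1 of the plaintext, AES-256-CTR keyed from a separate AES key, and a blob laid out as the 10-byte magic header, the 12-byte nonce, then ciphertext) so the two properties the text relies on can be observed directly: identical plaintexts produce byte-identical blobs, and any other change to the plaintext changes the nonce and therefore the whole ciphertext. It also shows the header check a practitioner would use to detect a marked file that a GUI client committed in plaintext. The counter layout (nonce followed by a 32-bit counter starting at zero), the 64-byte HMAC key length, and the demoKey() bytes are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Blob layout modeled on git-crypt's encrypted file format (assumed here):
// magic header (10 bytes) || nonce (12 bytes) || AES-256-CTR ciphertext.
const (
	magic      = "\x00GITCRYPT\x00"
	nonceLen   = 12
	aesKeyLen  = 32 // AES-256
	hmacKeyLen = 64 // assumption: separate key for the HMAC-SHA1 nonce derivation
)

// Key bundles the two independent keys the scheme needs.
type Key struct {
	AES  []byte
	HMAC []byte
}

// demoKey returns a constructed, fixed key so the example is reproducible.
// A real deployment generates these from a CSPRNG (as git-crypt init does).
func demoKey() Key {
	k := Key{AES: make([]byte, aesKeyLen), HMAC: make([]byte, hmacKeyLen)}
	for i := range k.AES {
		k.AES[i] = byte(i)
	}
	for i := range k.HMAC {
		k.HMAC[i] = byte(0xA0 + i)
	}
	return k
}

// nonceFor derives the synthetic IV: the first 12 bytes of HMAC-SHA1(plaintext).
// Same key + same plaintext always gives the same nonce, which makes the scheme deterministic.
func nonceFor(k Key, plaintext []byte) []byte {
	mac := hmac.New(sha1.New, k.HMAC)
	mac.Write(plaintext)
	return mac.Sum(nil)[:nonceLen]
}

// ctrStream builds the CTR keystream generator for a given nonce.
// The 16-byte counter block is nonce || 32-bit counter, counter starting at zero (assumed layout).
func ctrStream(k Key, nonce []byte) (cipher.Stream, error) {
	block, err := aes.NewCipher(k.AES)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce) // bytes 12..15 remain zero and are incremented big-endian by NewCTR
	return cipher.NewCTR(block, iv), nil
}

// Encrypt produces the deterministic blob that would be stored in the Git object database.
func Encrypt(k Key, plaintext []byte) ([]byte, error) {
	if len(k.AES) != aesKeyLen || len(k.HMAC) != hmacKeyLen {
		return nil, errors.New("bad key lengths")
	}
	nonce := nonceFor(k, plaintext)
	stream, err := ctrStream(k, nonce)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	stream.XORKeyStream(ct, plaintext)
	out := make([]byte, 0, len(magic)+nonceLen+len(ct))
	out = append(out, magic...)
	out = append(out, nonce...)
	return append(out, ct...), nil
}

// IsEncryptedBlob is the check to run on `git show HEAD:path` output: a marked file whose
// committed blob lacks the header was committed in plaintext (e.g. by a GUI that skipped the clean filter).
func IsEncryptedBlob(blob []byte) bool {
	return len(blob) >= len(magic)+nonceLen && bytes.HasPrefix(blob, []byte(magic))
}

// Decrypt reverses Encrypt and verifies integrity: the nonce is a truncated MAC of the
// plaintext, so a modified ciphertext decrypts to something whose MAC no longer matches.
func Decrypt(k Key, blob []byte) ([]byte, error) {
	if !IsEncryptedBlob(blob) {
		return nil, errors.New("not a git-crypt style blob: file may have been committed in plaintext")
	}
	nonce := blob[len(magic) : len(magic)+nonceLen]
	ct := blob[len(magic)+nonceLen:]
	stream, err := ctrStream(k, nonce)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	stream.XORKeyStream(pt, ct)
	if !hmac.Equal(nonceFor(k, pt), nonce) {
		return nil, errors.New("integrity check failed: blob has been tampered with")
	}
	return pt, nil
}

func main() {
	k := demoKey()
	a, _ := Encrypt(k, []byte("API_KEY=constructed-sample-value\n"))
	b, _ := Encrypt(k, []byte("API_KEY=constructed-sample-value\n"))
	c, _ := Encrypt(k, []byte("API_KEY=constructed-sample-valuf\n"))
	fmt.Println("same plaintext -> same blob (Git sees no change):", bytes.Equal(a, b))
	fmt.Println("one byte changed -> different nonce and ciphertext:", !bytes.Equal(a, c))
	fmt.Println("committed blob carries header:", IsEncryptedBlob(a))
	fmt.Println("plaintext mistakenly committed carries header:", IsEncryptedBlob([]byte("API_KEY=oops")))
	a[len(a)-1] ^= 1
	_, err := Decrypt(k, a)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point to take from running it is the asymmetry the text describes: the blob for an unchanged file is stable across commits, which is what keeps git status quiet, but an attacker with two blobs learns only whether the underlying files were equal. The header check is the cheap, key-free way to audit a repository for marked files that slipped in unencrypted.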