How to encrypt files of Git

Lee young-jun
4 min read · Nov 28, 2021


I decided to migrate my app source from GitLab to GitHub,
and I wanted to protect only my sensitive data.
By googling I found one solution: git-secret.

This time I will show you how to encrypt a file in your repository and decrypt it again.
It is very simple; decrypting needs only this command:

git secret reveal

How is this possible?

Install git-secret

brew install git-secret

First, you need to install git-secret.
This may take a while.

GPG

git-secret encrypts your committed files with GPG,
so you need to set up a GPG key.

Register GPG Key

gpg may already be installed on your machine.

gpg --gen-key
Real name: {your id to identify your key}
Email address: {your email address}
You selected this USER-ID:
"id <email>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? o

After you enter your name and email,
GPG will ask for a new passphrase for the key.

Export Public GPG Key

When someone else needs to decrypt your secret files, they must have your public key.

gpg --armor --export {your email} > {public key file name}

Export Private GPG Key

If you need to share your private key with something like GitHub Workflows, you should export the private key.

gpg --armor --export-secret-key {your email}
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----

Your private key looks like the above.

Extract GPG Private Key for CI

gpg --armor --export-secret-key {your email} | tr '\n' ',' | pbcopy

This replaces every newline character with a ",".

Or you can use base64

gpg --armor --export-secret-key {your email} | base64 | pbcopy

You can register the private key and passphrase in GitHub under
Your repository > Settings > Secrets > New repository secret.

Don't forget to remove the trailing newline!

Setup git-secret

Initialize git-secret

To use git-secret, you need to initialize it first.

git secret init

Add user

Then you need to tell git-secret who is allowed to encrypt and decrypt the files.
Enter the email you used when creating the GPG key.

git secret tell {your email of GPG key}

Add Files

Then you can mark a file for encryption with 'git secret add' instead of 'git add'.

git secret add {file}

The encrypted file appears as {your original file name}.secret

Encrypt files

Now the last step: run this command before committing.

git secret hide

Import GPG Key for CI

If you are using a CI system like GitHub Actions, you need to import the GPG key there.

gpg --import {gpg private key file}

However, in a non-interactive CI environment you may see an error.

To solve this error, you need some extra options.

gpg --batch --no-tty --yes --import {your gpg key file path}

GPG Options

--batch --no-batch

Use batch mode. Never ask, do not allow interactive commands. --no-batch disables this option. Note that even with a filename given on the command line, gpg might still need to read from STDIN (in particular if gpg figures that the input is a detached signature and no data file has been specified). Thus if you do not want to feed data via STDIN, you should connect STDIN to /dev/null.

--no-tty

Make sure that the TTY (terminal) is never used for any output. This option is needed in some cases because GnuPG sometimes prints warnings to the TTY even if --batch is used.

--yes

Assume “yes” on most questions.

Decrypt Files

When you want to see the original file, just run the 'reveal' command with your GPG passphrase.

git secret reveal -p {password for gpg key}
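The CI side of this flow, as an added example for this post (not the author's code and not part of git-secret): it reverses either encoding from the "Extract GPG Private Key for CI" step, checks that the secret really holds an armored private key, imports it with the batch options above, and runs the reveal. The secret names GPG_PRIVATE_KEY and GPG_PASSPHRASE and the function names are assumptions.

```shell
#!/bin/sh
# Restore a GPG private key stored in a CI secret and reveal git-secret files.
set -eu

# Undo whichever encoding was used when the key was copied into the secret:
# `tr '\n' ','` (commas, armor header still readable) or `base64`.
decode_key() {
  encoded="$1"
  case "$encoded" in
    *"-----BEGIN PGP PRIVATE KEY BLOCK-----"*)
      # comma-encoded: put the newlines back
      printf '%s' "$encoded" | tr ',' '\n'
      ;;
    *)
      # base64-encoded: drop any line wrapping GitHub or base64 added, then decode
      printf '%s' "$encoded" | tr -d '\n' | base64 -d
      ;;
  esac
}

# Refuse to import anything that is not an armored private key block,
# e.g. a secret that was pasted incompletely.
looks_like_private_key() {
  case "$1" in
    "-----BEGIN PGP PRIVATE KEY BLOCK-----"*"-----END PGP PRIVATE KEY BLOCK-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Workflow step usage (assumed secrets exposed via `env:`):
#   ci_reveal "$GPG_PRIVATE_KEY" "$GPG_PASSPHRASE"
ci_reveal() {
  key=$(decode_key "$1")
  if ! looks_like_private_key "$key"; then
    echo "GPG_PRIVATE_KEY does not contain an armored private key" >&2
    return 1
  fi
  # --batch --no-tty --yes: no prompts, no terminal, as the post explains
  printf '%s\n' "$key" | gpg --batch --no-tty --yes --import
  git secret reveal -p "$2"
}
```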

Congratulations!

Now your files stay secure even if your repository is public.
