
I forked a repo using git-crypt and I need to update the git-crypt key so that the upstream git-crypt key can't decrypt the new repo.

The git-crypt help documentation and README don't appear to explain how to change a git-crypt key.

I tried various ways of wiping the git-crypt config and re-initializing. Unfortunately, all attempts at doing so seem to break various things like git diff, showing errors like "smudge filter git-crypt failed". Some of this behavior is documented at "Running git-crypt init on an already initialized repository renders the data unreadable". None of the suggestions in the comments at https://github.com/AGWA/git-crypt/issues/47 prevent the git diff fatal errors. (I am fine with git diff showing useless output from unencrypted binary file history, but it is not OK for git diff across some commits to give fatal errors preventing diffing even non-encrypted files.)

This seems like a major requirement of git-crypt, so I can't believe this isn't supported, e.g. if you need to rotate a git-crypt key because someone leaves a company.

    It appears that it's not possible, see https://github.com/AGWA/git-crypt/issues/47 – 1615903 Nov 28 '17 at 05:14
  • I checked every git-crypt mailing list entry, and there is no useful information there. The closest thing is the following, which doesn't work and I think nobody responded to this message because it is so obviously incomplete and incorrect: https://lists.cloudmutt.com/pipermail/git-crypt-discuss/2016-September/000010.html – JDiMatteo Nov 28 '17 at 06:35

2 Answers


With a bit of work you can rotate a central key (not gpg, I don't know about that).

  1. Delete the .gitattributes files. This will unencrypt your secrets.
  2. Stash the changes (to store the unencrypted secrets locally).
  3. Delete .gitattributes and all your secrets files. Commit. (Steps 2 and 3 are so that you don't have to commit any plaintext secrets.)
  4. Run 'git-crypt lock', which in this instance just throws away your key.
  5. Run 'git-crypt init' to create a new key.
  6. Unstash the stashed files and recreate .gitattributes.
  7. Commit.

Note that collaborators need to do 'git-crypt lock' before pulling the new changes in order to throw away the old key and work with just text files in plain git mode (although the secrets are encrypted still).

After updating, just run 'git-crypt unlock' with the new key.

    This does change the encryption key for new files and new versions of existing files, but one should be aware that old versions remain encrypted with the old key in the git history. – jacquev6 Apr 16 '21 at 15:01

As stated clearly at https://github.com/AGWA/git-crypt/issues/61, git-crypt doesn't support rotating git-crypt keys.

I ended up rewriting git history to remove all prior history of the old git-crypt key (I completely removed the encrypted files from git history), then created a new key and checked in the encrypted files. This was time consuming and painful.

This limitation is documented at https://github.com/AGWA/git-crypt/#limitations. You might want to consider not using git-crypt if you need to rotate keys.

  • The git-crypt limitations (the second link in this response) now state that "there's no support for rotating the key", so maybe the first sentence of the last paragraph of this answer should be updated. – jacquev6 Apr 16 '21 at 15:04
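Both answers leave the same loose end: after the stash-and-reinit procedure, old revisions are still ciphertext under the old key (as the comment on that answer notes), and after a history rewrite you want proof that none of that ciphertext remains reachable. The following audit script is an added example, not code from the question, the answers or the git-crypt project; it assumes `git` is on PATH and relies on the git-crypt file format, in which every encrypted file begins with the header "\0GITCRYPT\0" followed by a nonce.

```python
import subprocess
import sys

# Magic header git-crypt writes at the start of every encrypted file (a nonce follows it).
GIT_CRYPT_MAGIC = b"\x00GITCRYPT\x00"


def is_git_crypt_blob(data: bytes) -> bool:
    """True if the content starts with the git-crypt header, i.e. it is ciphertext."""
    return data.startswith(GIT_CRYPT_MAGIC)


def parse_cat_file_batch(batch: bytes):
    """Yield (oid, type, body) from `git cat-file --batch` output.

    Each object is "<oid> <type> <size>\\n" followed by <size> bytes and a "\\n";
    a missing object is reported as "<oid> missing\\n" with no body.
    """
    pos = 0
    while pos < len(batch):
        nl = batch.index(b"\n", pos)
        fields = batch[pos:nl].decode().split()
        if len(fields) < 3:  # "<oid> missing": nothing follows the header line
            pos = nl + 1
            continue
        oid, kind, size = fields[0], fields[1], int(fields[2])
        yield oid, kind, batch[nl + 1:nl + 1 + size]
        pos = nl + 1 + size + 1  # skip the body and its trailing newline


def encrypted_blobs_in_history(repo: str) -> dict:
    """Map blob id -> sorted paths for blobs reachable from any ref that are still git-crypt ciphertext."""
    listing = subprocess.run(["git", "-C", repo, "rev-list", "--objects", "--all"],
                             check=True, capture_output=True, text=True).stdout
    paths = {}
    for line in listing.splitlines():
        oid, _, path = line.partition(" ")
        if path:  # trees and blobs carry a path; the object type is resolved below
            paths.setdefault(oid, set()).add(path)
    batch = subprocess.run(["git", "-C", repo, "cat-file", "--batch"],
                           input="".join(f"{o}\n" for o in paths).encode(),
                           check=True, capture_output=True).stdout
    return {oid: sorted(paths[oid]) for oid, kind, body in parse_cat_file_batch(batch)
            if kind == "blob" and is_git_crypt_blob(body)}


if __name__ == "__main__":
    hits = encrypted_blobs_in_history(sys.argv[1] if len(sys.argv) > 1 else ".")
    for oid, found_paths in hits.items():
        print(oid, ", ".join(found_paths))
    print(f"{len(hits)} git-crypt encrypted blob(s) reachable from refs")
```

Run it on a locked checkout after rotating or rewriting: any blob it lists at a path that predates the new key is still readable by whoever holds the old key, and until history is rewritten and force-pushed, that is what collaborators and the upstream fork can still fetch.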