I forked a repo using git-crypt and I need to update the git-crypt key so that the upstream git-crypt key can't decrypt the new repo.
The git-crypt help documentation and README don't appear to explain how to change a git-crypt key.
I tried various ways of wiping the git-crypt config and re-initializing. Unfortunately, all attempts at doing so seem to break various things like git diff showing errors like "smudge filter git-crypt failed". Some of this behavior is documented at "Running git-crypt init on an already initialized repository renders the data unreadable". None of the suggestions in the comments at https://github.com/AGWA/git-crypt/issues/47 prevent the git diff fatal errors. (I am fine with git diff showing useless output from unencrypted binary file history, but it is not ok for git diff across some commits to give fatal errors preventing diffing even non-encrypted files.)
This seems like a major requirement of git-crypt, so I can't believe this isn't supported, e.g. if you need to rotate a git-crypt key because someone leaves a company.
With a bit of work you can rotate a central key (not gpg, I don't know about that)
Note that collaborators need to do 'git-crypt lock' before pulling the new changes in order to throw away the old key and work with just text files in plain git mode (although the secrets are encrypted still).
After updating, just git-crypt unlock with the new key.
As stated clearly at https://github.com/AGWA/git-crypt/issues/61, git-crypt doesn't support rotating git-crypt keys.
I ended up rewriting git history to remove all prior history of the old git-crypt key (I completely removed the encrypted files from git history), then created a new key and checked in the encrypted files. This was time consuming and painful.
This limitation is documented at https://github.com/AGWA/git-crypt/#limitations. You might want to consider not using git-crypt if you need to rotate keys.
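A check for the history-rewrite approach in the answer above, as an added example (not code from the answers or from the git-crypt project): it lists every blob reachable from any ref that begins with the `\0GITCRYPT\0` marker git-crypt writes at the start of encrypted files. Run after the old encrypted files have been removed from history and before the re-encrypted ones are committed, it should report nothing. The function names are hypothetical.

```python
import subprocess
import sys

# git-crypt starts every encrypted file with this 10-byte marker.
MAGIC = b"\x00GITCRYPT\x00"

def parse_rev_list(listing):
    """Turn `git rev-list --objects` output into (sha, path) pairs."""
    pairs = []
    for line in listing.splitlines():
        sha, _, path = line.partition(" ")
        if path:  # commits and the root tree carry no path
            pairs.append((sha, path))
    return pairs

def scan_batch(stream):
    """Return shas of blobs in `git cat-file --batch` output that begin with MAGIC."""
    hits, pos = [], 0
    while pos < len(stream):
        eol = stream.index(b"\n", pos)
        header = stream[pos:eol].split()
        pos = eol + 1
        if len(header) != 3:  # "<sha> missing" has no body
            continue
        sha, kind, size = header[0].decode(), header[1], int(header[2])
        if kind == b"blob" and stream.startswith(MAGIC, pos):
            hits.append(sha)
        pos += size + 1  # body plus the newline git appends
    return hits

def encrypted_blobs(repo="."):
    """List (path, sha) for every git-crypt blob reachable from any ref."""
    git = ["git", "-C", repo]
    listing = subprocess.run(git + ["rev-list", "--all", "--objects"], check=True,
                             capture_output=True, text=True, errors="replace").stdout
    pairs = parse_rev_list(listing)
    shas = "".join(sha + "\n" for sha, _ in pairs).encode()
    # Whole output is held in memory; fine for a secrets repo, not a huge one.
    batch = subprocess.run(git + ["cat-file", "--batch"], input=shas,
                           check=True, capture_output=True).stdout
    hits = set(scan_batch(batch))
    return sorted((path, sha) for sha, path in pairs if sha in hits)

if __name__ == "__main__":
    found = encrypted_blobs(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, sha in found:
        print(f"{sha}  {path}")
    sys.exit(1 if found else 0)  # non-zero exit when encrypted blobs remain
```

`--all` only follows refs, so run it against a fresh clone of the rewritten repository; the working copy where the rewrite was done can still hold the old objects unreferenced.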