How to change git-crypt key

Tags: git, git-crypt

I forked a repo using git-crypt and I need to update the git-crypt key so that the upstream git-crypt key can't decrypt the new repo.

The git-crypt help documentation and README don't appear to explain how to change a git-crypt key.

I tried various ways of wiping the git-crypt config and re-initializing. Unfortunately, all attempts at doing so seem to break various things, like git diff showing errors such as "smudge filter git-crypt failed". Some of this behavior is documented at "Running git-crypt init on an already initialized repository renders the data unreadable". None of the suggestions in the comments at https://github.com/AGWA/git-crypt/issues/47 prevent the git diff fatal errors. (I am fine with git diff showing useless output from unencrypted binary file history, but it is not OK for git diff across some commits to give fatal errors preventing diffing even non-encrypted files.)

This seems like a major requirement of git-crypt, so I can't believe this isn't supported, e.g. if you need to rotate a git-crypt key because someone leaves a company.

JDiMatteo asked Jan 04 '23 03:01


2 Answers

With a bit of work you can rotate a central key (not gpg, I don't know about that)

  1. Delete .gitattributes files. This will unencrypt your secrets.
  2. Stash the changes (to store the unencrypted secrets locally)
  3. Delete .gitattributes and all your secrets files. Commit. (Steps 2 and 3 are so that you don't have to commit any plaintext secrets.)
  4. Do 'git-crypt lock', which in this instance just throws away your key.
  5. Do 'git-crypt init' to create a new key.
  6. Unstash the stashed files and recreate .gitattributes.
  7. Commit.

Note that collaborators need to do 'git-crypt lock' before pulling the new changes in order to throw away the old key and work with just text files in plain git mode (although the secrets are encrypted still).

After updating, just git-crypt unlock with the new key.

Torbjörn Gannholm answered Jan 05 '23 17:01


As stated clearly at https://github.com/AGWA/git-crypt/issues/61, git-crypt doesn't support rotating git-crypt keys.


I ended up rewriting git history to remove all prior history of the old git-crypt key (I completely removed the encrypted files from git history), then created a new key and checked in the encrypted files. This was time consuming and painful.

This limitation is documented at https://github.com/AGWA/git-crypt/#limitations. You might want to consider not using git-crypt if you need to rotate keys.

JDiMatteo answered Jan 05 '23 18:01
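A check a maintainer can run after the history rewrite described in the second answer, added here as an example that is not part of the original answers or of git-crypt itself: it walks every reachable commit and reports blobs that still begin with git-crypt's ciphertext header, i.e. data the old key can still decrypt. It assumes only git is on PATH; the fixture repository it builds is constructed, with a faked header rather than real ciphertext.

```shell
#!/bin/sh
# Audit all reachable history for blobs that still carry the git-crypt
# ciphertext header "\0GITCRYPT\0". After a key rotation done by rewriting
# history, this should print nothing; every hit is a blob encrypted under the
# old key that a holder of that key can still read.
set -eu

# Hex of the 10-byte header "\0GITCRYPT\0" that git-crypt writes in front of
# every encrypted blob.
GITCRYPT_MAGIC_HEX='00474954435259505400'

# list_gitcrypt_blobs REPO: print "<commit> <path>" for each blob in any
# reachable commit whose first 10 bytes equal the git-crypt header.
list_gitcrypt_blobs() {
  repo=$1
  git -C "$repo" rev-list --all | while read -r commit; do
    # ls-tree -r prints "<mode> <type> <oid>\t<path>" for every entry
    git -C "$repo" ls-tree -r "$commit" | while read -r mode type oid path; do
      [ "$type" = blob ] || continue
      head_hex=$(git -C "$repo" cat-file -p "$oid" | head -c 10 | od -An -tx1 | tr -d ' \n')
      if [ "$head_hex" = "$GITCRYPT_MAGIC_HEX" ]; then
        printf '%s %s\n' "$commit" "$path"
      fi
    done
  done
}

# make_fixture DIR: constructed throwaway repo with one plain file and one file
# whose content merely starts with the git-crypt header (not real ciphertext).
make_fixture() {
  dir=$1
  git init -q "$dir"
  printf 'not secret\n' > "$dir/README"
  printf '\0GITCRYPT\0constructed-fake-nonce' > "$dir/secrets.env"
  git -C "$dir" add .
  git -C "$dir" -c user.name=audit -c user.email=audit@example.invalid \
    commit -q -m 'constructed fixture'
}

# Usage: sh audit.sh /path/to/repo   (prints nothing when history is clean)
if [ -n "${1-}" ]; then
  list_gitcrypt_blobs "$1"
fi
```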