Secure Your Git Repositories with git-crypt and Git or Gitea

Learn how to use git-crypt with Gitea to keep sensitive files in your Git repositories encrypted on the server. This guide covers both a script-based and a Dockerized method for automating encryption and key management.

git-crypt works as a Git clean/smudge filter: files matched by rules in .gitattributes are encrypted transparently when they are committed and decrypted again on checkout in an unlocked working copy, so Gitea only ever stores ciphertext for those paths. Below we show two setups for automating that in your Git workflow, a plain script-based approach and a fully Dockerized environment.

Option 1: Script-Based Setup for git-crypt with Gitea

Step-by-Step Guide

The order of the steps matters. git-crypt only encrypts a file when it is committed while a matching .gitattributes rule already exists; anything committed earlier stays in history as plaintext, and git-crypt never re-encrypts history. Work through the steps in this order.

Clone Your Gitea Repository

git clone https://your-gitea-server/user/repo.git
cd repo

Initialize git-crypt

git-crypt init

This generates the symmetric repository key under .git/git-crypt/, outside the tracked tree. It never leaves your machine unless you export it or add a GPG user.

Configure .gitattributes for Encryption

echo "secrets/** filter=git-crypt diff=git-crypt" > .gitattributes
echo "*.key filter=git-crypt diff=git-crypt" >> .gitattributes
echo "*.env filter=git-crypt diff=git-crypt" >> .gitattributes
git add .gitattributes
git commit -m "Add git-crypt configuration"

Commit this file before adding any secret, so that the filter is in place for every secret you commit afterwards.

Add GPG Users

gpg --import userkey.asc
gpg --fingerprint USER_ID
git-crypt add-gpg-user --trusted USER_ID

Use the full 40-character fingerprint as USER_ID and confirm it with the key owner out of band. The --trusted flag tells git-crypt to skip GnuPG's trust check, so nothing else verifies that the key belongs to the person you think it does. add-gpg-user encrypts the repository key to that GPG key and commits it under .git-crypt/ (pass --no-commit to stage it without committing). Collaborators then clone the repository and run git-crypt unlock with their private key present.

Encrypt and Commit Secrets

mkdir secrets
echo "SECRET_KEY=super-secret" > secrets/prod.env
git add secrets/
git commit -m "Add encrypted secrets"
git-crypt status
git push origin main

git-crypt status lists which tracked files are stored encrypted. To see what the server actually received, read the raw blob with git cat-file blob HEAD:secrets/prod.env; it should be binary ciphertext, not the KEY=value text you wrote.
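The failure mode to guard against in this procedure, and equally in the Dockerized script in Option 2, is a file that a .gitattributes rule says must be encrypted but that was committed before the rule existed and therefore sits in history as plaintext. The following audit is an added example written for this guide, not code from git-crypt or Gitea: it reads raw blobs from the object database with git cat-file (no smudge filter is applied there, so an encrypted file appears as ciphertext), matches each path against the filter=git-crypt rules, and reports any match that does not begin with git-crypt's ciphertext magic bytes. The sample tree and .gitattributes below are constructed for illustration; the load_tree helper is what you would run against a real repository.

```python
"""Audit that every path .gitattributes routes through git-crypt is actually
stored encrypted. Added example for this guide; not part of git-crypt.
Paths and sample blobs below are constructed for illustration."""
import re
import subprocess

# git-crypt's clean filter prefixes every ciphertext blob with this magic.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"


def parse_gitattributes(text):
    """Return the path patterns whose attribute list contains filter=git-crypt."""
    patterns = []
    for line in text.splitlines():
        parts = line.strip().split()
        if parts and not parts[0].startswith("#") and "filter=git-crypt" in parts[1:]:
            patterns.append(parts[0])
    return patterns


def pattern_to_regex(pattern):
    """Translate a gitattributes (gitignore-style) pattern into an anchored regex:
    a pattern without a slash matches the basename at any depth, '**' spans
    directories, '*' and '?' never cross a '/'."""
    anchored = "/" in pattern.rstrip("/")
    pattern = pattern.lstrip("/")
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"      # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(("^" if anchored else "(?:^|/)") + out + "$")


def should_be_encrypted(path, patterns):
    return any(pattern_to_regex(p).search(path) for p in patterns)


def is_gitcrypt_blob(blob):
    return blob.startswith(GITCRYPT_MAGIC)


def find_plaintext_secrets(tree, gitattributes_text):
    """tree maps path -> raw blob bytes as stored in the object database.
    Returns, sorted, every path that should be encrypted but is not."""
    patterns = parse_gitattributes(gitattributes_text)
    return sorted(path for path, blob in tree.items()
                  if should_be_encrypted(path, patterns) and not is_gitcrypt_blob(blob))


def load_tree(rev="HEAD"):
    """Read raw blobs from a real checkout. git cat-file returns the stored object
    with no smudge filter applied, so an encrypted file shows up as ciphertext."""
    names = subprocess.check_output(["git", "ls-tree", "-r", "-z", "--name-only", rev])
    return {
        name.decode(): subprocess.check_output(["git", "cat-file", "blob", f"{rev}:{name.decode()}"])
        for name in names.split(b"\0") if name
    }


# Constructed sample: one file went through the filter, two were committed
# before .gitattributes existed and therefore sit in history as plaintext.
SAMPLE_GITATTRIBUTES = (
    "secrets/** filter=git-crypt diff=git-crypt\n"
    "*.key filter=git-crypt diff=git-crypt\n"
    "*.env filter=git-crypt diff=git-crypt\n"
)
SAMPLE_TREE = {
    ".gitattributes": SAMPLE_GITATTRIBUTES.encode(),
    "README.md": b"# demo\n",
    "secrets/prod.env": GITCRYPT_MAGIC + b"\x00" * 12 + b"\x8f\x3a\xc1\x77",
    "secrets/staging.env": b"SECRET_KEY=super-secret\n",
    "deploy/server.key": b"-----BEGIN PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    import sys
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    leaked = find_plaintext_secrets(tree, tree.get(".gitattributes", b"").decode())
    for path in leaked:
        print("PLAINTEXT:", path)
    sys.exit(1 if leaked else 0)
```

Run it with a revision argument (for example HEAD, or the tip of a branch you are about to push) from inside the clone; a non-zero exit means at least one secret is in that commit unencrypted, and the only remedy is to rotate that secret and rewrite the history that contains it. The same check fits a pre-push hook or a CI job on the Gitea side.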

Option 2: Dockerized Setup for git-crypt with Gitea

Dockerfile

FROM debian:bullseye-slim

RUN apt-get update && apt-get install -y \
    git \
    gnupg \
    curl \
    ca-certificates \
    git-crypt \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

COPY setup-git-crypt.sh /app/setup-git-crypt.sh
COPY gpg-users /app/gpg-users

RUN chmod +x /app/setup-git-crypt.sh

ENTRYPOINT ["/app/setup-git-crypt.sh"]

docker-compose.yml

version: '3.7'

services:
  git-crypt-setup:
    build: .
    environment:
      - REPO_URL=https://gitea.example.com/user/my-secure-repo.git  # Your Gitea repo URL here
      - GIT_AUTHOR_NAME=git-crypt-bot          # identity for the commits the script creates
      - GIT_AUTHOR_EMAIL=git-crypt-bot@example.com
    volumes:
      - ./secrets:/app/secrets        # plaintext files the script encrypts and commits
      - ./gpg-users:/app/gpg-users    # one ASCII-armoured public key (*.asc) per collaborator
    networks:
      - git-crypt-network
    stdin_open: true
    tty: true

networks:
  git-crypt-network:
    driver: bridge

The push at the end of the script needs credentials for the Gitea remote, which this compose file does not provide. Supply them the way your environment already does (for example an SSH remote with a mounted deploy key, or a Gitea access token passed at run time) rather than baking a token into the image, where it would persist in a layer.

setup-git-crypt.sh

#!/bin/bash

set -euo pipefail
shopt -s nullglob

# Absolute paths: the script cd's into the clone below, after which relative
# paths such as ./gpg-users would no longer resolve.
REPO_URL="${REPO_URL:-}"
GPG_KEYS_DIR="/app/gpg-users"
SECRETS_SRC="/app/secrets"
TARGET_DIR="/app/secure-repo"

if [ -z "$REPO_URL" ]; then
    echo "Error: REPO_URL environment variable is required!" >&2
    exit 1
fi

KEY_FILES=("$GPG_KEYS_DIR"/*.asc)
if [ ${#KEY_FILES[@]} -eq 0 ]; then
    echo "Error: no *.asc public keys found in $GPG_KEYS_DIR" >&2
    exit 1
fi

echo "[+] Cloning Gitea repo..."
git clone "$REPO_URL" "$TARGET_DIR"
cd "$TARGET_DIR"

# git refuses to commit in a fresh container until it knows who is committing.
git config user.name  "${GIT_AUTHOR_NAME:-git-crypt-bot}"
git config user.email "${GIT_AUTHOR_EMAIL:-git-crypt-bot@example.com}"

echo "[+] Initializing git-crypt..."
# First-time setup only: a repository that already uses git-crypt needs
# `git-crypt unlock` here instead of `init`.
git-crypt init

echo "[+] Creating .gitattributes..."
# This must be committed before any secret is added; a file committed
# earlier lands in history as plaintext and is never re-encrypted.
cat <<EOF > .gitattributes
secrets/** filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
*.env filter=git-crypt diff=git-crypt
EOF

git add .gitattributes
git commit -m "Add git-crypt .gitattributes"

echo "[+] Importing GPG keys and adding users..."
for key in "${KEY_FILES[@]}"; do
    echo "  -> Importing $key"
    gpg --import "$key"
    # The first fpr record is the primary key's fingerprint; later fpr
    # records belong to subkeys, so stop after the first one.
    FINGERPRINT=$(gpg --with-colons --import-options show-only --import "$key" \
        | awk -F: '/^fpr:/ { print $10; exit }')
    echo "  -> Adding user $FINGERPRINT to git-crypt"
    # --trusted skips GnuPG's trust check: only ship keys in gpg-users whose
    # fingerprints you have verified with their owners out of band.
    git-crypt add-gpg-user --trusted "$FINGERPRINT"
done

echo "[+] Encrypting and committing secrets..."
mkdir -p secrets
if [ -n "$(ls -A "$SECRETS_SRC" 2>/dev/null)" ]; then
    cp -r "$SECRETS_SRC"/. secrets/          # files from the mounted ./secrets volume
else
    echo "SECRET_KEY=super-secret" > secrets/prod.env   # placeholder for a first run
fi

git add secrets/
git commit -m "Add encrypted secrets"

echo "[+] Verifying that the filter applied..."
git-crypt status -e          # lists the tracked files that are stored encrypted
git push origin HEAD

echo "[✓] Git-crypt setup complete and pushed to Gitea."
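Both the manual steps in Option 1 and the loop above pass --trusted to git-crypt add-gpg-user, which skips GnuPG's own trust check; from that point the only thing standing between an attacker-supplied key and a copy of the repository key is whatever put the .asc file into gpg-users. The following is an added example for this guide, not code from git-crypt or GnuPG: it parses the same gpg --with-colons listing the script uses, takes only primary-key fingerprints (a subkey's fpr record must not be granted access), and refuses any key whose fingerprint is not on a list pinned in the automation. The PINNED fingerprints and the SAMPLE_COLONS listing are constructed, hypothetical values in the --with-colons record layout (record type in field 1, fingerprint in field 10 of fpr records, user id in field 10 of uid records).

```python
"""Gate git-crypt add-gpg-user --trusted on a pinned fingerprint list.
Added example for this guide; not git-crypt or GnuPG code. --trusted makes
git-crypt skip GnuPG's trust check, so the automation itself must decide
whose keys may receive the repository key."""
import re
import subprocess

# Fingerprints confirmed with their owners out of band (hypothetical values).
PINNED = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "alice@example.com",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF": "bob@example.com",
}

# Constructed sample of `gpg --with-colons --import-options show-only --import`
# output for a file holding two keys; only the first one is pinned above.
SAMPLE_COLONS = """\
pub:u:4096:1:0123456789ABCDEF:1700000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0A1B2C3D::Alice <alice@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:u:4096:1:1111222233334444:1700000000::::::scESC::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1700000000::4E5F6A7B::Mallory <mallory@example.com>::::::::::0:
sub:u:4096:1:5555666677778888:1700000000::::::e::::::23:
fpr:::::::::5555666677778888999900001111222233334444:
"""


def primary_fingerprints(colons_text):
    """Return [(fingerprint, primary user id)] for each primary key. The fpr
    record directly after a pub record is the primary key's; fpr records
    after sub records belong to subkeys and are skipped."""
    keys, expect_fpr, current = [], False, None
    for line in colons_text.splitlines():
        fields = line.split(":")
        tag = fields[0]
        if tag == "pub":
            expect_fpr, current = True, None
        elif tag == "fpr" and expect_fpr:
            fpr = fields[9]
            if not re.fullmatch(r"[0-9A-F]{40}", fpr):
                raise ValueError(f"unexpected fingerprint field: {fpr!r}")
            current = [fpr, ""]
            keys.append(current)
            expect_fpr = False
        elif tag == "uid" and current is not None and not current[1]:
            current[1] = fields[9]
        elif tag == "sub":
            expect_fpr = False
    return [tuple(k) for k in keys]


def gate(keys, pinned=PINNED):
    """Split parsed keys into the add-gpg-user commands to run and the keys
    refused because their fingerprint is not pinned."""
    approved, rejected = [], []
    for fpr, uid in keys:
        if fpr in pinned:
            approved.append(["git-crypt", "add-gpg-user", "--trusted", fpr])
        else:
            rejected.append((fpr, uid))
    return approved, rejected


def inspect_key_file(path):
    """List a key file's keys without importing it (the gpg call the guide uses)."""
    out = subprocess.check_output(
        ["gpg", "--with-colons", "--import-options", "show-only", "--import", path],
        text=True)
    return primary_fingerprints(out)


def add_users(key_files):
    """Import and add only pinned keys; returns the fingerprints that were refused."""
    refused = []
    for path in key_files:
        approved, rejected = gate(inspect_key_file(path))
        for fpr, uid in rejected:
            print(f"REFUSED {path}: {fpr} ({uid}) is not in the pinned list")
        refused.extend(fpr for fpr, _ in rejected)
        if approved:
            subprocess.run(["gpg", "--import", path], check=True)
            for cmd in approved:
                subprocess.run(cmd, check=True)
    return refused


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        sys.exit(1 if add_users(sys.argv[1:]) else 0)
    approved, rejected = gate(primary_fingerprints(SAMPLE_COLONS))
    print("would run:", approved)
    print("refused:", rejected)
```

Called with no arguments it runs against the constructed listing and shows that Alice's key would be added while Mallory's is refused; called with one or more .asc paths inside the container it replaces the for loop in setup-git-crypt.sh. Keep the pinned list in the image or repository under the same review as the rest of your automation, since it is now the decision point for who can decrypt.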

By following either option you can keep the sensitive files in your Gitea repositories encrypted at rest with git-crypt, whether you prefer the manual script-based approach or the automation of Docker. Keep its limits in mind: git-crypt encrypts file contents only, so file names, sizes and commit messages stay visible to anyone who can read the repository; a file committed before its .gitattributes rule existed stays in history as plaintext; and access is granted by encrypting the repository key to a collaborator's GPG key, so removing that collaborator later does not take back what they already hold. Cutting someone off for real means rotating the affected secrets and starting again with a fresh git-crypt key.

Both setups work with Gitea as with any other Git server and let you share encrypted files with your team while the server itself never sees the plaintext.