DevOpsGroup Blog Easy Git Crypt User Identification

Easy Git Crypt User Identification

First in series about using Git Crypt in no particular order.

Git crypt is a popular git extension that enables you to transparently encrypt sensitive data in a git repository. Git crypt uses public PGP keys to control who has access to the encrypted data – these are stored in the .git-crypt directory within the repo.

When joining a new project and I clone an existing git-crypt secured repo I am faced with a problem – who do those PGP keys belong to? Who will have access to the encrypted data that I commit to that repo?

At DevOpsGuys our motto is “secure by default” so I might want to just double check who has access before I commit my changes. But how can I do that quickly and easily?

So faced with a new repository I would see something like:

northpole:delivery-platform santa$ pwd
northpole:delivery-platform santa$ ls -al
drwxr-xr-x  18 santa  staff   612B 30 Nov 11:08 ./
drwxr-xr-x   7 santa  staff   238B 23 Nov 15:02 ../
-rw-r--r--@  1 santa  staff   8.0K 22 Nov 20:46 .DS_Store
drwxr-xr-x  17 santa  staff   578B 30 Nov 17:00 .git/
drwxr-xr-x   4 santa  staff   136B 18 Nov 10:51 .git-crypt/
-rw-r--r--   1 santa  staff   241B 18 Nov 10:51 .gitignore
-rw-r--r--   1 santa  staff   1.2K 30 Nov 11:06
drwxr-xr-x   3 santa  staff   102B 22 Nov 22:53 bin/
drwxr-xr-x  14 santa  staff   476B 28 Nov 14:54 configs/
-rwxr-xr-x   1 santa  staff   8.8K 29 Nov 10:48 run
drwxr-xr-x   5 santa  staff   170B 18 Nov 10:51 run_functions/
-rw-r--r--   1 santa  staff   1.6K 30 Nov 11:08 run_vars
drwxr-xr-x   6 santa  staff   204B 22 Nov 23:08 states/
drwxr-xr-x  32 santa  staff   1.1K 18 Nov 10:51 terraform/
drwxr-xr-x   7 santa  staff   238B 22 Nov 23:08 test/

So we’ll drill down into where the GPG Keys are stored

northpole:delivery-platform santa$ tree -L 4 .git-crypt/
└── keys
    └── default
        └── 0
            ├── M2HKA5WRAY2FCA7FXXJ8V3HFAQ4HE2KBVP5R3P5K.gpg
            ├── 8EWMRQGZKNM8F47QQZ7LY3KB7VSAL4MKDHY4GR5Y.gpg
            ├── H9SBCNPHM25DEPCFZVR587Q3663S4EESPU74NBX5.gpg
            ├── HKDKGTT7UJP92QE8YECGPP5QCX2UG96SKD77G436.gpg
            ├── N7Y2S9NGTNRESQ5N2N2FKFUQK5RP868R688J259S.gpg
            └── 3D4MS5VT59G2YA5N3BC88DTM43JPF3DETBRK4AL7.gpg

How do I know who these belong to?

Easy! Git log the key file as git crypt will commit and add some useful metadata in the commit message.

santa$ git log .git-crypt/keys/default/0/M2HKA5WRAY2FCA7FXXJ8V3HFAQ4HE2KBVP5R3P5K.gpg
commit 219f12535f89f4f3e57f8cf167dec8d58efbbed6
Author: Blitzen <>
Date:   Tue Nov 29 10:31:16 2016 +0000
    Add 1 git-crypt collaborator
    New collaborators:
            VP5R3P5K Rudolf (Work key1) <>

Alternatively we could add an alias to the .bashrc or .bash_profile that would print the information in a more concise manner.

alias gpgcryptusers='pushd .git-crypt/keys/default/0; for file in *.gpg; do echo "${file} : " && git log -- ${file} | sed -n 9p; done; popd'

Then run my new alias from the root of a git project:

santa$ gpgcryptusers
/Users/santa/gitprojects/north_pole/delivery-platform/.git-crypt/keys/default/0 /Users/santa/gitprojects/north_pole/delivery-platform
            VP5R3P5K Rudolf (Work key1) <>
            DHY4GR5Y Blitzen <>
            PU74NBX5 Santa Claus <>
            KD77G436 Cupid (Work Key 1) <>
            688J259S Prancer <>
            TBRK4AL7 Dasher (Main key) <>

That was much quicker and easier.

Leave a Reply

Your email address will not be published. Required fields are marked *