DevOpsGroup has joined Sourced, an Amdocs company. Read more about this partnership and what this means for the future in our blog.

DevOpsGroup Blog Easy Git Crypt User Identification

Easy Git Crypt User Identification

First in series about using Git Crypt in no particular order.

Git crypt is a popular git extension that enables you to transparently encrypt sensitive data in a git repository. Git crypt uses public PGP keys to control who has access to the encrypted data – these are stored in the .git-crypt directory within the repo.

When joining a new project and I clone an existing git-crypt secured repo I am faced with a problem – who do those PGP keys belong to? Who will have access to the encrypted data that I commit to that repo?

At DevOpsGuys our motto is “secure by default” so I might want to just double check who has access before I commit my changes. But how can I do that quickly and easily?

So faced with a new repository I would see something like:

northpole:delivery-platform santa$ pwd
northpole:delivery-platform santa$ ls -al
drwxr-xr-x  18 santa  staff   612B 30 Nov 11:08 ./
drwxr-xr-x   7 santa  staff   238B 23 Nov 15:02 ../
-rw-r--r--@  1 santa  staff   8.0K 22 Nov 20:46 .DS_Store
drwxr-xr-x  17 santa  staff   578B 30 Nov 17:00 .git/
drwxr-xr-x   4 santa  staff   136B 18 Nov 10:51 .git-crypt/
-rw-r--r--   1 santa  staff   241B 18 Nov 10:51 .gitignore
-rw-r--r--   1 santa  staff   1.2K 30 Nov 11:06
drwxr-xr-x   3 santa  staff   102B 22 Nov 22:53 bin/
drwxr-xr-x  14 santa  staff   476B 28 Nov 14:54 configs/
-rwxr-xr-x   1 santa  staff   8.8K 29 Nov 10:48 run
drwxr-xr-x   5 santa  staff   170B 18 Nov 10:51 run_functions/
-rw-r--r--   1 santa  staff   1.6K 30 Nov 11:08 run_vars
drwxr-xr-x   6 santa  staff   204B 22 Nov 23:08 states/
drwxr-xr-x  32 santa  staff   1.1K 18 Nov 10:51 terraform/
drwxr-xr-x   7 santa  staff   238B 22 Nov 23:08 test/

So we’ll drill down into where the GPG Keys are stored

northpole:delivery-platform santa$ tree -L 4 .git-crypt/
└── keys
    └── default
        └── 0
            ├── M2HKA5WRAY2FCA7FXXJ8V3HFAQ4HE2KBVP5R3P5K.gpg
            ├── 8EWMRQGZKNM8F47QQZ7LY3KB7VSAL4MKDHY4GR5Y.gpg
            ├── H9SBCNPHM25DEPCFZVR587Q3663S4EESPU74NBX5.gpg
            ├── HKDKGTT7UJP92QE8YECGPP5QCX2UG96SKD77G436.gpg
            ├── N7Y2S9NGTNRESQ5N2N2FKFUQK5RP868R688J259S.gpg
            └── 3D4MS5VT59G2YA5N3BC88DTM43JPF3DETBRK4AL7.gpg

How do I know who these belong to?

Easy! Git log the key file as git crypt will commit and add some useful metadata in the commit message.

santa$ git log .git-crypt/keys/default/0/M2HKA5WRAY2FCA7FXXJ8V3HFAQ4HE2KBVP5R3P5K.gpg
commit 219f12535f89f4f3e57f8cf167dec8d58efbbed6
Author: Blitzen <>
Date:   Tue Nov 29 10:31:16 2016 +0000
    Add 1 git-crypt collaborator
    New collaborators:
            VP5R3P5K Rudolf (Work key1) <>

Alternatively we could add an alias to the .bashrc or .bash_profile that would print the information in a more concise manner.

alias gpgcryptusers='pushd .git-crypt/keys/default/0; for file in *.gpg; do echo "${file} : " && git log -- ${file} | sed -n 9p; done; popd'

Then run my new alias from the root of a git project:

santa$ gpgcryptusers
/Users/santa/gitprojects/north_pole/delivery-platform/.git-crypt/keys/default/0 /Users/santa/gitprojects/north_pole/delivery-platform
            VP5R3P5K Rudolf (Work key1) <>
            DHY4GR5Y Blitzen <>
            PU74NBX5 Santa Claus <>
            KD77G436 Cupid (Work Key 1) <>
            688J259S Prancer <>
            TBRK4AL7 Dasher (Main key) <>

That was much quicker and easier.

Leave a Reply

Your email address will not be published. Required fields are marked *