Professional automation and management tool for git-crypt with background file watching, whole-codebase encryption, and comprehensive reporting.
git-crypt is excellent for selectively encrypting a few files in a repository (secrets, credentials, etc.). However, if you need to encrypt your entire codebase (or most of it) to protect intellectual property, git-crypt-guardian provides the automation, validation, and background processing to make this practical and performant.
✅ Three encryption modes
all- Encrypt everything in the repositoryexclude-dirs- Encrypt everything except specified directoriesinclude-only- Encrypt only specified directories
✅ Background file watching
- Monitors filesystem for changes
- Automatically stages modified files (triggering git-crypt encryption)
- Smart hash tracking prevents redundant operations
✅ Comprehensive validation
- Pre-flight directory existence checks
- Encryption status verification
- Detects already-encrypted files
- Warning system for potential issues
✅ Rich reporting
- Pre-encryption scan reports
- Post-operation summaries (files encrypted, skipped, errors)
- Live status dashboard
- Export reports in JSON and Markdown
✅ Professional CLI
- Clean, intuitive command structure
- Beautiful terminal output (powered by Rich)
- Progress bars and status indicators
This is a companion tool that works alongside git-crypt (required dependency). We handle:
.gitattributesgeneration- Background file watching
- Auto-staging
- Validation and reporting
While git-crypt handles the actual encryption/decryption. This tool is designed for a use case outside git-crypt's intended scope (encrypting entire codebases vs. a few secret files).
-
git-crypt must be installed:
# macOS brew install git-crypt # Ubuntu/Debian apt-get install git-crypt # Other platforms: https://github.com/AGWA/git-crypt/blob/master/INSTALL.md
-
Python 3.10+ required
pip install git-crypt-guardianOr install from source:
git clone https://github.com/code-of-kai/git-crypt-guardian.git
cd git-crypt-guardian
pip install -e .-
Initialize git-crypt in your repository (if not already done):
cd your-repo git-crypt init -
CRITICAL: Export your encryption key immediately:
git-crypt export-key ~/safe-location/repo-name.key # Store this key securely! You'll need it to unlock later.
-
Initialize git-crypt-guardian:
git-crypt-guardian init
This creates a
.gitcrypt-guardian.ymlconfiguration file. -
Edit configuration to specify what to encrypt:
# .gitcrypt-guardian.yml version: 1 mode: exclude-dirs exclude: - .git - node_modules - _build
-
Validate your configuration:
git-crypt-guardian validate
-
Apply encryption (generates
.gitattributes):git-crypt-guardian apply
-
Start background watcher (optional):
git-crypt-guardian start
git-crypt-guardian init # Initialize in repository
git-crypt-guardian config # Interactive configuration setup
git-crypt-guardian validate # Pre-flight checks
git-crypt-guardian apply # Apply encryption (generate .gitattributes)
git-crypt-guardian start # Start background daemon
git-crypt-guardian stop # Stop background daemon
git-crypt-guardian status # Show encryption status
git-crypt-guardian report # Generate detailed reportSee examples/ directory for complete configuration examples.
version: 1
mode: all # Encrypt everything
watch:
enabled: true
debounce_ms: 500
auto_stage: true
report:
format: both # terminal | file | both
output_dir: .gitcrypt-reports
verbose: trueversion: 1
mode: exclude-dirs
exclude:
- .git
- node_modules
- __pycache__
- "*.log"
- _build/
watch:
enabled: trueversion: 1
mode: include-only
include:
- src/
- lib/
- config/
- "*.secret"
watch:
enabled: falseFor a typical medium-sized project (500 files, ~50MB):
- Initial encryption setup: ~500ms-2s
- Background auto-staging per file: <100ms
- Minimal overhead for daily workflows
See our performance documentation for detailed benchmarks.
- Protecting intellectual property in private repositories
- Encrypting proprietary algorithms or business logic
- Securing entire codebases before pushing to cloud git hosts
- Compliance requirements for source code encryption
- Educational/research projects with sensitive implementations
- File names (visible in git log)
- Directory structure (visible)
- Commit messages (visible)
- File sizes (approximate, visible)
- Git metadata
Before locking your repository for the first time, export your encryption key:
# Export symmetric key (REQUIRED)
git-crypt export-key ~/safe-location/project-name.key
# Store this key securely:
# - Password manager (1Password, LastPass, etc.)
# - Encrypted backup drive
# - Company secrets vaultWhy this matters:
- Running
git-crypt lockwithout exporting the key first will lock you out permanently - You cannot decrypt your files without the key
- Re-running
git-crypt initgenerates a NEW key - old encrypted data becomes inaccessible
# With symmetric key
git-crypt unlock /path/to/project-name.key
# With GPG (if you've added GPG users)
git-crypt unlock # Uses your GPG key automaticallyOption 1: Symmetric Key (Simple, Single User)
git-crypt init
git-crypt export-key team-key.key
# Share team-key.key securely with collaboratorsOption 2: GPG Keys (Better for Teams)
git-crypt init
git-crypt add-gpg-user user1@example.com
git-crypt add-gpg-user user2@example.com
# Each team member can decrypt with their own GPG key- Export key immediately after
git-crypt init - Store in multiple secure locations
- Share with team securely (never commit key to repository!)
- Document key location in team wiki/docs
- Test unlocking on another machine before deleting your working copy
Understanding how git-crypt uses .gitattributes patterns is crucial for proper encryption.
Last matching pattern wins:
# WRONG - exclusions don't work
*.log !filter !diff # Exclude logs
** filter=git-crypt # But ** comes last, so logs get encrypted!
# CORRECT - exclusions come last
** filter=git-crypt # Encrypt everything first
*.log !filter !diff # Then exclude logs (overrides **)git-crypt-guardian generates patterns in the correct order automatically.
# Encrypt specific file
secret.txt filter=git-crypt diff=git-crypt
# Encrypt file pattern
*.secret filter=git-crypt diff=git-crypt
# Encrypt directory and all contents
secrets/** filter=git-crypt diff=git-crypt
# EXCLUDE from encryption
logs/** !filter !diff
*.log !filter !diffAlways verify your patterns work correctly:
# Check what will be encrypted
git-crypt status
# Files show as:
# encrypted: file.txt # Will be encrypted
# not encrypted: file.log # Will NOT be encryptedImportant: Files committed before .gitattributes remain unencrypted in git history:
# This is normal and expected:
git-crypt status
encrypted: file.txt *** WARNING: staged/committed version is NOT ENCRYPTED! ***To properly encrypt existing files:
- Ensure
.gitattributesis committed - Re-stage files:
git rm --cached -r . && git add . - Commit:
git commit -m "Encrypt existing files" - Old unencrypted versions remain in git history (use
git filter-branchif needed)
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
MIT License - see LICENSE for details.
- git-crypt by Andrew Ayer - the underlying encryption tool
- Built with: Click, GitPython, watchfiles, Rich, and PyYAML
- v0.1.0: MVP with init, validate, apply commands
- v0.2.0: Background file watcher daemon
- v0.3.0: System service installation (systemd/launchd)
- v0.4.0: Advanced reporting and analytics
- v1.0.0: Stable release with comprehensive documentation
Note: This project is in active development. We're dogfooding it on real-world projects to ensure reliability and performance. Star and watch for updates!