macOS
brew install git-cryptlocal Homebrew formula metadata
sudo port install git-cryptMacPorts ports tree · devel/git-crypt/Portfile · source: api.github.com
brew
Enable transparent encryption/decryption of files in a git repo. Version 0.8.0 via Homebrew; verified 2026-05-25.
install
brew install git-cryptlocal Homebrew formula metadata
sudo port install git-cryptMacPorts ports tree · devel/git-crypt/Portfile · source: api.github.com
sudo apk add git-cryptAlpine Linux edge package indexes · git-crypt · source: dl-cdn.alpinelinux.org
sudo apt install git-cryptDebian stable package indexes · git-crypt · source: deb.debian.org
sudo dnf install git-cryptFedora Rawhide package metadata · git-crypt · source: dl.fedoraproject.org
nix profile install nixpkgs#git-cryptnixpkgs package indexes · pkgs/by-name/gi/git-crypt/package.nix · source: api.github.com
sudo pacman -S git-cryptArch Linux sync databases · git-crypt · source: geo.mirror.pkgbuild.com
sudo zypper install git-cryptopenSUSE Tumbleweed package metadata · git-crypt · source: download.opensuse.org
scoop install main/git-cryptScoop official bucket manifest trees · bucket/git-crypt.json · source: api.github.com
overview
Enable transparent encryption/decryption of files in a git repo
history
git-crypt is Andrew Ayer's transparent encryption tool for selected files in a Git repository. It uses Git filters so protected files are encrypted in commits and decrypted in a working tree after the repository is unlocked.
The Git history starts in July 2012, and the first release, 0.1, followed in November 2012. The author's project page explains the motivation: protecting secret material in a configuration-management repository while still letting other people inspect and contribute to the non-secret parts.
Version 0.4 in 2014 was a major workflow release: it added optional GPG support, stored the symmetric key inside `.git`, added multiple-key support, introduced `git-crypt status`, and began experimental Windows support. Version 0.5 in 2015 added the man page and improved lock and unlock performance with newer Git versions.
Later releases were maintenance-oriented. Version 0.6 in 2017 added OpenSSL 1.1 support, switched to C++11, honored Git configuration such as `gpg.program`, and added `git-crypt.repoStateDir`. Version 0.7 in 2022 addressed macOS argument-list issues, and version 0.8 in 2025 adjusted OpenSSL support and avoided problematic short GPG key IDs.
git-crypt became a common answer for repositories that are mostly public or shareable but contain a small number of encrypted secrets. Its README and project page stress graceful degradation: contributors without the key can clone and commit, but cannot read encrypted file contents.
Package-manager adoption is broad for a niche security tool, with packages across Homebrew, Debian and Ubuntu, Fedora-family distributions, MacPorts, Nix, Arch-family repositories, Scoop, and others in the input metadata. That breadth reflects stable CLI demand rather than a large framework ecosystem.
Users initialize a repository with `git-crypt init`, mark protected paths in `.gitattributes` with `filter=git-crypt diff=git-crypt`, and unlock after cloning with either GPG keys or an exported symmetric key.
Practitioners use it for secrets that belong beside source or infrastructure code, such as private keys, passwords, API credentials, or environment-specific files. The documentation is explicit about limits: file names, commit messages, symlink targets, and other metadata are not encrypted, and access revocation is not solved for old history.
git-crypt is significant because it turns Git's filter machinery into a packaging-friendly secrets workflow without requiring a service, a custom remote, or a separate encrypted repository. That simplicity made it attractive to developers who wanted secrets-in-repo ergonomics with ordinary Git hosting.
It also has the classic maintainer tradeoffs of a security CLI: OpenSSL compatibility, GPG behavior, Git filter semantics, deterministic encryption constraints, and clear documentation of what is not protected.
security posture
broad file, network, media, or database tool signal.
blue risk · medium confidence · tool
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
.gitattributes.git-crypt/executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
git-crypt | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://www.agwa.name/projects/git-crypt/
install metadata
| Package key | brew:git-crypt |
|---|---|
| Version | 0.8.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/git-crypt |
| Homepage | https://www.agwa.name/projects/git-crypt/ |
| Repository | https://github.com/AGWA/git-crypt |
| Upstream docs | https://github.com/AGWA/git-crypt#readme |
| License | GPL-3.0-or-later |
| Source archive | https://www.agwa.name/projects/git-crypt/downloads/git-crypt-0.8.0.tar.gz |
| Last updated | 2026-05-25T16:07:30Z |
| Pulse | updated |
| Dependencies | openssl@4 |
| Build dependencies | docbook, docbook-xsl |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | git-crypt |
| Version Scheme | 0 |
| Revision | 1 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
git-crypt 0.7.0-0.1+b1
Transparent file encryption in git
https://www.agwa.name/projects/git-crypt
sudo apt install git-cryptgit-crypt
nix profile install nixpkgs#git-cryptgit-crypt 0.7.0-0.1build3
Transparent file encryption in git
https://www.agwa.name/projects/git-crypt
sudo apt install git-cryptgit-crypt 0.7.0-r0
Transparent file encryption in git
https://www.agwa.name/projects/git-crypt
sudo apk add git-cryptgit-crypt-doc 0.7.0-r0
Transparent file encryption in git (documentation)
https://www.agwa.name/projects/git-crypt
sudo apk add git-crypt-docgit-crypt 0.8.0-2.fc44
Transparent file encryption in git
https://www.agwa.name/projects/git-crypt
sudo dnf install git-cryptgit-crypt 0.8.0-1
Transparent file encryption in Git
https://www.agwa.name/projects/git-crypt
sudo pacman -S git-cryptgit-crypt 0.8.0-1.2
Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
sudo zypper install git-cryptgit-crypt
sudo port install git-cryptmain/git-crypt
scoop install main/git-cryptsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.