AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

Help me please. Error: 'git checkout' failed git-crypt has been set up but existing encrypted files have not been decrypted. #63

Open TheBigBear opened 8 years ago

TheBigBear commented 8 years ago

I have checked out my branch and tried to decrypt its data, but got the error message:

Error: 'git checkout' failed
git-crypt has been set up but existing encrypted files have not been decrypted

Here are the steps that led up to it.

git checkout -b wnr2200_Flat4 origin/wnr2200_Flat4

Branch wnr2200_Flat4 set up to track remote branch wnr2200_Flat4 from origin.
Switched to a new branch 'wnr2200_Flat4'
git pull

Already up-to-date.
git-crypt status

not encrypted: .git-crypt/.gitattributes
not encrypted: .git-crypt/keys/default/0/B8F91A7C454C712DAF8CAD6A4C7B8EA505CF6FE4.gpg
not encrypted: .gitattributes
not encrypted: .gitignore
not encrypted: archives/backup-2Lv-dn-2015-02-21.tar.gz
not encrypted: archives/backup-2Lv-up-2015-02-25.tar.gz
not encrypted: archives/backup-3Lv-2015-02-25.tar.gz
not encrypted: archives/backup-4Lv-2015-02-25.tar.gz
not encrypted: archives/backup-Bungalow-2015-02-25.tar.gz
not encrypted: archives/backup-Flat1-2015-02-25.tar.gz
not encrypted: archives/backup-Flat4-2015-09-22_initial-upload-bef-chg-root-pwd.tar.gz
not encrypted: archives/backup-Flat4-2015-09-22_w-chgd-root-pwd.tar.gz
not encrypted: archives/backup-Flat4_blank_192.168-2015-09-22.tar.gz
not encrypted: archives/backup-Flat5-2015-02-25.tar.gz
not encrypted: archives/backup-Flat6-2015-02-25.tar.gz
not encrypted: archives/backup-Flat7-2015-02-25.tar.gz
not encrypted: archives/backup-Test_AP-2015-02-25.tar.gz
not encrypted: etc/config/dhcp
not encrypted: etc/config/dropbear
not encrypted: etc/config/firewall
not encrypted: etc/config/luci
not encrypted: etc/config/network
not encrypted: etc/config/rpcd
not encrypted: etc/config/system
not encrypted: etc/config/ubootenv
not encrypted: etc/config/ucitrack
not encrypted: etc/config/uhttpd
    encrypted: etc/config/wireless
not encrypted: etc/dnsmasq.conf
    encrypted: etc/dropbear/dropbear_dss_host_key
    encrypted: etc/dropbear/dropbear_rsa_host_key
not encrypted: etc/firewall.user
not encrypted: etc/group
not encrypted: etc/hosts
not encrypted: etc/inittab
not encrypted: etc/opkg.conf
not encrypted: etc/passwd
not encrypted: etc/ppp/chap-secrets
not encrypted: etc/ppp/filter
not encrypted: etc/ppp/options
not encrypted: etc/profile
not encrypted: etc/protocols
not encrypted: etc/rc.local
not encrypted: etc/services
    encrypted: etc/shadow
not encrypted: etc/shells
not encrypted: etc/sysctl.conf
not encrypted: etc/sysupgrade.conf
    encrypted: etc/uhttpd.crt
    encrypted: etc/uhttpd.key

Then I thought this would be the right thing to do, but maybe it wasn't?

git-crypt unlock ~/git-crypt-mykey.key 

git-crypt: error: encrypted file has been tampered with!
error: external filter "git-crypt" smudge failed 1
error: external filter "git-crypt" smudge failed
fatal: etc/config/wireless: smudge filter git-crypt failed
Error: 'git checkout' failed
git-crypt has been set up but existing encrypted files have not been decrypted

And now I suddenly have 6 changed files. (and if I peek into them they all have '^@GITCRYPT^@' at the start of the file.)

git status

On branch wnr2200_Flat4
Your branch is up-to-date with 'origin/wnr2200_Flat4'.
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

    deleted:    etc/config/wireless
    modified:   etc/dropbear/dropbear_dss_host_key
    modified:   etc/dropbear/dropbear_rsa_host_key
    modified:   etc/shadow
    modified:   etc/uhttpd.crt
    modified:   etc/uhttpd.key

no changes added to commit (use "git add" and/or "git commit -a")

How do I recover from this?

AGWA commented 8 years ago

It appears the problem is that you've been using multiple git-crypt keys with the same repository. I see from the output of git-crypt status that you're using GPG mode, so you should not need to pass a symmetric key to git-crypt unlock. What happens if you just run git-crypt unlock with no arguments?

To avoid issues like this in the future, you should never run git-crypt init more than once, unless it's in a completely new, completely unrelated repository (i.e. not a clone of an already-existing repository). After cloning an encrypted repository, run either git-crypt unlock with no arguments (if you're using GPG mode), or git-crypt unlock /path/to/keyfile (if you're not using GPG mode) (where /path/to/keyfile was exported from the original repository using git-crypt export-key).

I highly recommend you just use GPG mode, so you don't need to think about git-crypt keys at all.

Also, is this a distinct issue from #62?

TheBigBear commented 8 years ago

@AGWA thanks. Yes, it prompted me for my gpg passphrase and things were OK again.

Sorry for not using the tool correctly. Can I clean this inconsistency of different keys for different files up by using git filter-branch? Or any other way?

Would it be very hard to prevent git-crypt init to be run a second time? Could it warn and require a "-f" to force it to create a new git-crypt symmetric key? Sorry, if this is a 'stupid' question.

Or can I add more than one git-crypt symmetric key to my repo, and in my case now somehow find the second key and re-encrypt all the files using this second key as well?

Thanks for your advice, and I really appreciate it, but in my use case I was really planning, and kind of counting, on being able to use 'shared' symmetric keys for my git-crypt-ed repos.
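
A pre-flight check along the lines of the guard discussed above, as an added example that is not part of the original thread or of git-crypt itself. It looks for signs of an earlier git-crypt init (the committed .git-crypt/keys directory visible in the status output, a .git/git-crypt directory, or a filter=git-crypt line in .gitattributes) and for work tree files that still start with the \0GITCRYPT\0 header; the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `git-crypt init` or `git-crypt unlock`.
# Pure filesystem checks on a work tree path; it does not call git or git-crypt.

GC_MAGIC_HEX=00474954435259505400   # "\0GITCRYPT\0", shown by editors as ^@GITCRYPT^@

# gc_has_header FILE: succeeds if FILE starts with the 10-byte git-crypt header.
gc_has_header() {
    [ -f "$1" ] || return 1
    [ "$(head -c 10 "$1" | od -An -tx1 | tr -d ' \n')" = "$GC_MAGIC_HEX" ]
}

# gc_already_set_up REPO: succeeds if REPO shows signs of an earlier git-crypt init.
gc_already_set_up() {
    [ -d "$1/.git-crypt/keys" ] && return 0    # GPG-wrapped keys committed to the repo
    [ -d "$1/.git/git-crypt" ] && return 0     # local git-crypt state inside .git
    [ -f "$1/.gitattributes" ] &&
        grep -q 'filter=git-crypt' "$1/.gitattributes" && return 0
    return 1
}

# gc_locked_files REPO: print work tree files (relative paths) still holding ciphertext.
gc_locked_files() {
    find "$1" -path "$1/.git" -prune -o -type f -print | sort |
    while IFS= read -r f; do
        if gc_has_header "$f"; then printf '%s\n' "${f#"$1"/}"; fi
    done
}

# gc_preflight REPO: print the suggested next step (hypothetical verdict strings).
#   init-ok        no trace of git-crypt, a first init is safe
#   unlock-needed  already set up and ciphertext present: unlock, do not init
#   unlocked       already set up and no ciphertext left in the work tree
gc_preflight() {
    if ! gc_already_set_up "$1"; then
        echo "init-ok"
    elif [ -n "$(gc_locked_files "$1")" ]; then
        echo "unlock-needed"
    else
        echo "unlocked"
    fi
}
```

Sourcing the file and running gc_preflight on a fresh clone before touching git-crypt shows whether the repository was already initialized by someone else.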

greg-murray-volusion commented 5 years ago

This is a really good idea:

"Would it be very hard to prevent git-crypt init to be run a second time? Could it warn and require a "-f" to force it to create a new git-crypt symmetric key"

alexcroox commented 3 years ago

How do we clean up if someone accidentally ran git-crypt init when it was already set up? I'm using a key file to unlock.

freesoft commented 3 years ago

How do we clean up if someone accidentally ran git-crypt init when it was already set up? I'm using a key file to unlock.

rm -rf .git/git-crypt