AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

Manual steps to decrypt a file? #99

Open sensedeep opened 7 years ago

sensedeep commented 7 years ago

I'm using a CI build that downloads a zip archive from github. At build time, I need to decrypt a file that has been encrypted with git-crypt using gpg. However, the CI build cannot decrypt the files because it is not a cloned directory tree and thus I cannot run 'git crypt unlock'.

I see the .git-crypt tree, but what are the manual steps to gpg to decrypt a file?

Any guidance appreciated.

chris-griffin commented 7 years ago

I know this is an outdated question, but for anyone else running into trouble, you can manually decrypt using gpg if git-crypt unlock is not working correctly:

  1. Decrypt the secret key git-crypt uses to encrypt secret files with gpg:
     gpg --output /path/to/repo/.git-crypt/keys/default/0/decrypted.key --decrypt /path/to/repo/.git-crypt/keys/default/0/XXXXX.gpg

  2. Use the git-crypt secret key to decrypt encrypted files:
     git-crypt unlock /path/to/repo/.git-crypt/keys/default/0/decrypted.key

  3. Read the desired (now decrypted) files with cat or similar command

WARNING: Make sure to encrypt the files and remove decrypted.key before committing to git

mobsense commented 7 years ago

Thank you, this helps. But not quite 100%. This still requires a full .git sub-directory.

Is there any way of doing the git-crypt unlock with the decrypted.key if there is not a .git sub-directory?

I only need to decrypt a few specific named files. E.g.

I've got a CONFIG/keys.json file that I need to decrypt when our CI/CD downloads a ZIP archive from github. This does NOT contain the .git directory. The gpg --decrypt works great (when used with --no-tty --yes --passphrase XXX). I get the decrypted.key, but now I need to decrypt the actual file.

What is the GPG command to decrypt that CONFIG/keys.json file?

Any help, much appreciated.

Thanks

dstendardi commented 6 years ago

@mobrien curious if you managed to solve your issue since then :-)

mobsense commented 6 years ago

No. I do a minimal git clone:

git clone --depth=20 --single-branch git@github.com:${owner}/${name} ${base}

syco commented 6 years ago

This is old, but it's still the only result that comes up most of the time, so I leave the solution here.

cat encrypted_file | git-crypt smudge --key-file exported.key > decrypted_file

https://github.com/AGWA/git-crypt/issues/74

Oneiroi commented 6 years ago

To update on @syco 's comment Jun 5th:

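cd ./path/to/your/git-crypt/repo;
# export the repository's symmetric key (despite the file name, this is a git-crypt key file, not a PGP file)
git-crypt export-key -k default ./out.pgp;
find . -type f | grep -v out.pgp | while read -r f; do cat "$f" | git-crypt smudge --key-file out.pgp > "${f}.recovered"; done;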

All files should now be decrypted and left with the extension .recovered. You can extend this to rename the file if you want, but the above allows you to err on the side of caution, e.g.

cd ./path/to/your/git-crypt/repo;
git-crypt export-key -k default ./out.pgp;
# same as above, but replace each original file with its recovered version
find . -type f | grep -v out.pgp | while read -r f; do cat "$f" | git-crypt smudge --key-file out.pgp > "${f}.recovered" && mv -f "${f}.recovered" "$f"; done;

Personally, I do not take the completely automatic approach, opting instead to review the recovered content and move it as desired.
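
The per-file approach from the comments above, as an added example that is not part of the thread or of git-crypt itself: it checks for the 10-byte `\0GITCRYPT\0` header at the start of git-crypt ciphertext before calling `git-crypt smudge --key-file`, so plaintext files are skipped rather than copied. The helper names are hypothetical; it assumes git-crypt is on PATH and the key file comes from `git-crypt export-key` or the gpg step.

```sh
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.
# Assumes git-crypt is on PATH and KEY is an exported git-crypt key file.

# True if FILE starts with the 10-byte git-crypt header \0GITCRYPT\0.
is_git_crypt_blob() {
    magic=$(od -An -tx1 -N10 < "$1" | tr -d ' \n')
    [ "$magic" = "00474954435259505400" ]
}

# Print every git-crypt blob under DIR, skipping git metadata.
list_encrypted() {
    find "$1" -type f ! -path '*/.git/*' ! -path '*/.git-crypt/*' |
    while IFS= read -r f; do
        if is_git_crypt_blob "$f"; then printf '%s\n' "$f"; fi
    done
}

# decrypt_file KEY FILE: write plaintext to FILE.recovered (mode 600).
# Returns 2 if FILE is not a git-crypt blob, 1 if git-crypt fails.
decrypt_file() {
    if ! is_git_crypt_blob "$2"; then
        echo "skip, not git-crypt ciphertext: $2" >&2
        return 2
    fi
    if ! ( umask 077; git-crypt smudge --key-file "$1" < "$2" > "$2.recovered" ); then
        rm -f -- "$2.recovered"   # do not leave a partial plaintext behind
        return 1
    fi
}

# Usage in a CI job working from a ZIP archive (paths are placeholders):
#   decrypt_file /path/to/decrypted.key CONFIG/keys.json
#   list_encrypted . | while IFS= read -r f; do
#       decrypt_file /path/to/decrypted.key "$f"
#   done
#   rm -f /path/to/decrypted.key    # remove the key when the job is done
```
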

matschaffer commented 5 years ago

Thanks for the tip @syco - exactly what I need to fix a case where a file had switched from encrypted to unencrypted via gitattributes but the committed file was still encrypted.

In case it helps anyone else, I didn't need to give a keyfile to smudge explicitly. This worked fine:

cat overly-encrypted-file | git-crypt smudge > unencrypted-version
mv unencrypted-version overly-encrypted-file

adrian-gierakowski commented 5 years ago

any ideas how to decrypt a file without using git-crypt at all?

MarcelRobitaille commented 1 year ago

@adrian-gierakowski I don't think it's possible:

git-crypt uses its own format for keys and files