elasticdog / transcrypt

transparently encrypt files within a git repository
MIT License

[Discussion]: Encryption in Git (Globally) #180

Closed IzumiSenaSora closed 2 months ago

IzumiSenaSora commented 3 months ago

I used transcrypt in the past, which is cool! But it's a pain that every time I clone a repo I then have to install transcrypt!

Which is why I checked the transcrypt script carefully to understand how it works!

Then, after a lot of time testing and checking Google searches, I figured out how to encrypt and decrypt easily in every repo on clone, pull or push.

I modified the .bashrc file in my home directory and added these lines:

```bash
git config --global filter.Crypt.clean "openssl chacha20 -pass file:$HOME/.local/private.key -e -base64 -A -S RanDomSalt -salt -md sha-512 -iter 100000 -pbkdf2 -saltlen 16 -"
git config --global filter.Crypt.required true
git config --global filter.Crypt.smudge "openssl chacha20 -pass file:$HOME/.local/private.key -d -base64 -A -S RanDomSalt -salt -md sha-512 -iter 100000 -pbkdf2 -saltlen 16 -"
```

After that I added a private.key file in the $HOME/.local/ directory and it's done!

Then I added the filter in the .gitattributes file in every repo,

like this:

```
.env filter=Crypt
```

Now, whenever I clone my repo, because it's global config the encrypted file automatically gets decrypted, and if I push any commits it automatically gets encrypted!

But the diff checking (decrypting, then comparing) and the merge system done by transcrypt I can't make work, so I want to discuss this with you guys!

IzumiSenaSora commented 3 months ago

Finally I got diff checking working, but I don't know exactly how it's showing me the diff correctly.

Here's what i did!

```bash
git config --global diff.Crypt.textconv "cat"
```

Now the question is:

Is git running filter.Crypt.smudge before showing the diff?
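
Added example, not part of the thread and not transcrypt's code: a throwaway repository that shows which form of a filtered file `diff.Crypt.textconv` receives. Git writes each blob to a temporary file through the smudge filter before running textconv, so `cat` prints plaintext, while `--no-textconv` diffs the stored form. Assumptions: rot13 via `tr` stands in for the openssl commands, and `.gitattributes` also sets `diff=Crypt`, which the post does not show.

```bash
#!/usr/bin/env bash
# Added example. rot13 via tr is a constructed stand-in for the openssl
# clean/smudge commands; diff=Crypt in .gitattributes is an assumption.
ROT13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"

textconv_demo() {
  local repo
  repo=$(mktemp -d) || return 1
  (
    cd "$repo" || exit 1
    git init -q .
    git config user.name demo
    git config user.email demo@example.invalid
    # Repo-local config here; the thread sets the same keys with --global.
    git config filter.Crypt.clean "$ROT13"
    git config filter.Crypt.smudge "$ROT13"
    git config filter.Crypt.required true
    git config diff.Crypt.textconv cat
    echo '.env filter=Crypt diff=Crypt' > .gitattributes
    echo 'TOKEN=alpha' > .env          # constructed sample secret
    git add .gitattributes .env
    git commit -q -m one
    echo 'TOKEN=bravo' > .env
    git commit -q -am two
    # What the object database holds: the output of the clean filter.
    echo "stored=$(git cat-file -p HEAD:.env)"
    # textconv input is the blob passed through smudge, so cat sees plaintext.
    echo "textconv=$(git diff HEAD~1 HEAD -- .env | grep '^[-+][A-Z]' | paste -sd' ' -)"
    # With textconv off, git diffs the stored (filtered) blobs directly.
    echo "raw=$(git diff --no-textconv HEAD~1 HEAD -- .env | grep '^[-+][A-Z]' | paste -sd' ' -)"
  )
  rm -rf "$repo"
}

textconv_demo
```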

jmurty commented 2 months ago

Hi, it's an interesting idea to try and configure a transcrypt-like setup in a central place to reuse it across many projects. But it is going to take a lot of painstaking work – with high potential for bugs – the way you are doing it.

Instead of reverse-engineering the transcrypt script into its underlying Git config options, I think it would be a better approach to:

I think this approach would give you the best of both worlds: use transcrypt as intended without re-inventing it one Git config setting at a time, while avoiding a new init step for every repository.

However, I'd recommend you have a separate password for each repository for better security. You could do this with your central setup by running a command like this in each repo: `git config transcrypt.password 'unique password per repo'`