README
¶
encrypten
A git-crypt compatible encryption tool written in Go with full worktree support.
Note: This project is not affiliated with or endorsed by git-crypt.
Features
- git-crypt compatible — encrypts and decrypts files using the same format (AES-256-CTR + HMAC-SHA1)
- Full worktree support — lock/unlock worktrees independently without affecting other worktrees
- Static binary — single binary with no runtime dependencies (
CGO_ENABLED=0) - Go stdlib crypto only — no external cryptographic dependencies
- Cross-platform — Linux, macOS, and Windows
Installation
From source
go install github.com/keiritz/encrypten/cmd/encrypten@latest
From release binaries
Download pre-built binaries from the Releases page.
Quick Start
# Generate a key
encrypten keygen my-key
# Initialize encryption in a repository
cd my-repo
encrypten init
# Define files to encrypt in .gitattributes
echo 'secrets/** filter=git-crypt diff=git-crypt' >> .gitattributes
# Unlock (decrypt) files with a key
encrypten unlock my-key
# Lock (encrypt) files
encrypten lock
# Check encryption status
encrypten status
Commands
| Command | Description |
|---|---|
init |
Initialize encryption in a repository (generates key, sets up filters) |
unlock <KEY_FILE> |
Decrypt files using the specified key file |
lock |
Encrypt files |
status |
Show encryption status of tracked files |
keygen <FILE> |
Generate a new encryption key |
export-key <FILE|-> |
Export the current key to a file or stdout |
clean |
Git clean filter (encrypts on commit) |
smudge |
Git smudge filter (decrypts on checkout) |
diff |
Git diff textconv filter |
version |
Display version |
Flags
lock --force/lock -f— Lock even with uncommitted changesunlock --force/unlock -f— Unlock even with uncommitted changes
Worktree Support
encrypten supports git worktrees natively. Each worktree can be locked/unlocked independently:
# Main worktree
encrypten unlock my-key
# Create a worktree
git worktree add ../my-feature feature-branch
# Unlock the worktree (uses the shared key automatically)
cd ../my-feature
encrypten unlock
# Lock this worktree without affecting main
encrypten lock
Differences from git-crypt
| encrypten | git-crypt | |
|---|---|---|
| Worktree support | Full per-worktree lock/unlock | Not supported |
| Language | Go | C++ |
| Binary | Static, single file | Requires OpenSSL |
| GPG key sharing | Not supported | Supported |
| Crypto | Go stdlib only | OpenSSL |
License
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
encrypten
command
|
|
|
internal
|
|
|
crypto
Package crypto provides AES-256-CTR encryption and HMAC-SHA1 authentication compatible with git-crypt.
|
Package crypto provides AES-256-CTR encryption and HMAC-SHA1 authentication compatible with git-crypt. |
|
fileformat
Package fileformat handles the git-crypt encrypted file format, including the "\x00GITCRYPT\x00" header.
|
Package fileformat handles the git-crypt encrypted file format, including the "\x00GITCRYPT\x00" header. |
|
gitutil
Package gitutil provides Git operations via exec.Command for configuring filters, diffs, and repository attributes.
|
Package gitutil provides Git operations via exec.Command for configuring filters, diffs, and repository attributes. |
|
keyfile
Package keyfile handles reading and writing of symmetric key files used for git-crypt compatible encryption.
|
Package keyfile handles reading and writing of symmetric key files used for git-crypt compatible encryption. |
Click to show internal directories.
Click to hide internal directories.