We use git-crypt to ensure that application secrets are encrypted at rest in git.


  1. Install GPG
  2. Install git-crypt
  3. Generate a key pair, if you don’t have one already. The GitHub documentation is a good reference.
  4. Push your public key to a key server: gpg --send-keys PUBKEYID
  5. Add the pubkey to your GitHub account, again, following the documentation



  • Share your PUBKEYID with an existing member of your team. They will need to trust your key and add you to the repository (see git-crypt documentation above).


Once the above has been set up, update your local repository clone and unlock the secrets:

$ git pull
$ git-crypt unlock

From this point on, git-crypt operates transparently.

You can verify the status of files by using git-crypt status.
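
One way to turn that check into a gate, as an added example (not part of the original page or of git-crypt): the function below reads git-crypt status output and lists paths whose committed copy is plaintext. The secrets/ prefix, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `git-crypt status` output for secrets stored in plaintext.

# Constructed sample of `git-crypt status` output (not from a real repository).
sample_status() {
cat <<'EOF'
not encrypted: .gitattributes
not encrypted: README.md
    encrypted: secrets/production.yml
    encrypted: secrets/staging.yml *** WARNING: staged/committed version is NOT ENCRYPTED! ***
not encrypted: secrets/new-api-key.txt
EOF
}

# Reads `git-crypt status` output on stdin and prints one line per problem:
#   plaintext-blob PATH  the filter is configured, but the committed blob was
#                        added before it applied and is still plaintext
#   no-filter PATH       PATH is under the secrets prefix ($1, assumed to be
#                        "secrets/") yet no .gitattributes rule encrypts it
# Returns 1 when anything is reported, 0 otherwise.
find_exposed() {
    awk -v prefix="${1:-secrets/}" '
        /^ *encrypted: / && /NOT ENCRYPTED/ {
            sub(/^ *encrypted: /, "")
            sub(/ \*\*\* WARNING.*$/, "")
            print "plaintext-blob " $0
            found = 1
            next
        }
        /^not encrypted: / {
            sub(/^not encrypted: /, "")
            if (index($0, prefix) == 1) {
                print "no-filter " $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed sample. In a real clone: git-crypt status | find_exposed secrets/
sample_status | find_exposed secrets/ || true
```

Files reported as plaintext-blob can be re-staged in encrypted form with git-crypt status -f; the plaintext remains in earlier commits, so treat those secrets as exposed and rotate them.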

This page was last reviewed on 20 September 2022. It needs to be reviewed again on 20 December 2022.
This page was set to be reviewed before 20 December 2022. This might mean the content is out of date.