

We use git-crypt to ensure that application secrets are encrypted at rest in git.


  1. Install GPG
  2. Install git-crypt
  3. Generate a key pair, if you don’t have one already. The GitHub documentation is a good reference.
  4. Push your public key to a key server: gpg --send-keys PUBKEYID
  5. Add the pubkey to your GitHub account, again, following the documentation



  • Share your PUBKEYID with an existing member of your team. They will need to trust your key and add you to the repository (see git-crypt documentation above).


Once the above has been set up, update your local repository clone and unlock the secrets:

$ git pull
$ git-crypt unlock

From this point on, git-crypt operates transparently.

You can verify the status of files by using git-crypt status.
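
The check below is an added example, not part of the original page or of git-crypt itself. It reads git-crypt status output and lists files that match a git-crypt rule but whose committed version is still plaintext, which happens when a file is committed before its .gitattributes rule exists. The sample output and its paths are constructed.

```shell
#!/bin/sh
# Added example (not from git-crypt or the original page).

# Constructed sample of `git-crypt status` output; the paths are hypothetical.
sample_status() {
cat <<'EOF'
not encrypted: .gitattributes
not encrypted: README.md
    encrypted: config/secrets.yml
    encrypted: config/legacy.env *** WARNING: staged/committed version is NOT ENCRYPTED! ***
EOF
}

# Read `git-crypt status` output on stdin and print every path that is covered
# by a git-crypt rule but whose staged/committed blob is plaintext.
# Exit status: 1 if at least one such path was found, 0 otherwise.
plaintext_leaks() {
    awk '
        /^ *encrypted: / && /WARNING: staged\/committed version is NOT ENCRYPTED!/ {
            sub(/^ *encrypted: /, "")          # drop the status prefix
            sub(/ \*\*\* WARNING: .*$/, "")    # drop the trailing warning
            print
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Count the paths reported as encrypted. Zero means no .gitattributes rule
# matched anything, i.e. nothing in the repository is protected.
encrypted_count() {
    grep -c '^ *encrypted: ' || true
}

# Demonstration on the constructed sample. In a real clone, replace
# `sample_status` with `git-crypt status`.
if leaks=$(sample_status | plaintext_leaks); then
    echo "OK: $(sample_status | encrypted_count) encrypted file(s), none in plaintext"
else
    echo "Committed in plaintext despite a git-crypt rule:"
    echo "$leaks"
fi
```

Staging a re-encrypted version of a listed file does not remove the plaintext from earlier commits, so treat any secret reported here as exposed and rotate it.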

This page was last reviewed on 24 August 2021. It needs to be reviewed again on 24 November 2021.
This page was set to be reviewed before 24 November 2021. This might mean the content is out of date.