strboul blog

The missing git-crypt helper


git-crypt is a useful tool for encrypting private files within public repositories, but it has its limitations. While it ensures that files are encrypted when they reach the remote repository, it does not guarantee their encryption on the local system. As a result, there is still a risk of malware compromising the unencrypted files. This is why I prefer not to use git-crypt for passwords, but rather for private files that do not contain credentials.

However, even though I don't use git-crypt for passwords, I still want to know the lock state of my files. To address this, I wrote a small helper script that provides the status of the files.

#!/usr/bin/env bash

# Get the status of git-crypt
#
# Usage: git-crypt-status
#

set -e

get_encrypted_files() {
  git-crypt status -e | sed 's/^ *//g'
}

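# `git-crypt unlock` configures filter.git-crypt.smudge in the local git
# config and `git-crypt lock` removes it, so the presence of that setting
# means the working tree currently holds decrypted files.
is_locked() {
  git config --local --get filter.git-crypt.smudge > /dev/null \
    && echo "🚨 files are **not** locked 🚨" \
    || echo "🔒 files are locked 🔒"
}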

main() {
  echo "---------- git-crypt ----------"
  get_encrypted_files
  echo
  is_locked
  echo "-------------------------------"
}

main

Next, I want to be informed about the lock state and which files are encrypted whenever I change into a directory that has encrypted files. I'm using zsh, so I can leverage zsh hooks for this.

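# add-zsh-hook is an autoloadable function; load it before registering hooks.
autoload -Uz add-zsh-hook

# Runs after every directory change; reports only where a .git-crypt directory exists.
__git_crypt_status() {
  if [[ -d .git-crypt ]]; then
    git-crypt-status
  fi
}
add-zsh-hook chpwd __git_crypt_status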

For this part, you can use whatever you want. direnv is also a good alternative, and it's one of my favorite tools. One advantage of the zsh hook over direnv is that it applies globally. direnv's advantage, in turn, is that it gives you a portable script to share with other collaborators. Alternatively, if you want to take it even further, consider putting this state information into your primary prompt (PS1).
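The prompt idea above, as an added example that is not part of the original post: it derives the lock state from the same `filter.git-crypt.smudge` setting the helper script checks, and goes one step further by also recognising named keys (`git-crypt init -k NAME`), whose filters are configured as `filter.git-crypt-NAME.*`. The function names are hypothetical.

```shell
# Added example; function names are hypothetical, not part of git-crypt.

# stdin: output of `git config --local --get-regexp '^filter\.git-crypt'`
# ("<key> <value>" per line). Prints one key name per configured smudge filter:
# filter.git-crypt.smudge is the default key, filter.git-crypt-NAME.smudge a
# key created with `git-crypt init -k NAME`.
git_crypt_unlocked_keys() {
  local key _value name
  while read -r key _value; do
    case "$key" in
      filter.git-crypt.smudge) echo "default" ;;
      filter.git-crypt-*.smudge)
        name=${key#filter.git-crypt-}
        echo "${name%.smudge}" ;;
    esac
  done
}

# Same stdin. Prints "locked" when no smudge filter is configured, otherwise
# "unlocked:<comma-separated key names>".
git_crypt_state() {
  local keys
  keys=$(git_crypt_unlocked_keys | sort -u | paste -sd, -)
  if [ -n "$keys" ]; then echo "unlocked:$keys"; else echo "locked"; fi
}

# Prompt segment that works from any subdirectory. Prints nothing outside a
# repository with a top-level .git-crypt directory (the same marker the chpwd
# hook checks for).
git_crypt_prompt_segment() {
  local top
  top=$(git rev-parse --show-toplevel 2>/dev/null) || return 0
  [ -d "$top/.git-crypt" ] || return 0
  printf '[git-crypt %s] ' \
    "$(git config --local --get-regexp '^filter\.git-crypt' | git_crypt_state)"
}

# zsh:  setopt prompt_subst; PS1='$(git_crypt_prompt_segment)'"$PS1"
# bash: PS1='$(git_crypt_prompt_segment)'"$PS1"
```

Because the segment is recomputed every time the prompt is drawn, an unlocked working tree stays visible for the whole session rather than only at the moment of `cd`.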

It's also possible to be more creative here and auto-encrypt the files again on leaving the directory, but I prefer to manage this manually to have more control over the process.