GNU bug report logs - #79050
vc-git incorrectly treats git-crypt encrypted files as binary, even when unlocked


Package: emacs

Reported by: James Cherti <contact <at> jamescherti.com>

Date: Sat, 19 Jul 2025 18:01:02 UTC

Severity: normal

Tags: notabug

Done: Sean Whitton <spwhitton <at> spwhitton.name>


From: James Cherti <contact <at> jamescherti.com>
To: Sean Whitton <spwhitton <at> spwhitton.name>, Richard Stallman <rms <at> gnu.org>
Cc: 79050 <at> debbugs.gnu.org
Subject: bug#79050: vc-git incorrectly treats git-crypt encrypted files as binary, even when unlocked
Date: Tue, 29 Jul 2025 11:17:10 -0400

On 2025-07-29 04:14, Sean Whitton wrote:
> Hello,
> 
> On Mon 28 Jul 2025 at 10:24pm -04, Richard Stallman wrote:
> 
>> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
>> [[[ whether defending the US Constitution against all enemies,     ]]]
>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>>
>>    > When using vc-diff in a Git repository where all files are
>>    > encrypted with git-crypt https://github.com/AGWA/git-crypt
>>    > the output does not reflect actual changes.
>>
>> What is the use case of git-crypt?  Why put code in a public repo
>> and make it impossible for the public to see?
> 
> I maintain something similar: git-remote-gcrypt[1]
> 
> In short, Git repos don't have to be public.
> I keep everything in Git, in many private repositories.
> 
> [1]  https://spwhitton.name/tech/code/git-remote-gcrypt/

Hello Sean and Richard,

The git-remote-gcrypt tool sounds interesting.
I'll take a closer look at it.

Tools such as git-crypt are relevant for:
- Infrastructure-as-code repositories containing secrets
  (e.g., sensitive credentials or API keys in configuration
  files).
- Personal knowledge bases, journals, internal
  research, etc.
- Prototypes not intended for public distribution.
- And many other similar scenarios.

In such contexts, placing code or data in an internal or
a semi-public Git repository (e.g., hosted on a private
GitLab/GitHub instance, corporate Git server, or a
self-hosted server) does not imply that its contents should
be readable by everyone. The goal is availability,
traceability, and collaboration, not necessarily universal
readability.

From a security standpoint, this is not merely about privacy
but about reducing risk. Repositories, even private ones,
may be exposed through misconfigurations, insider threats,
or breaches. If data is encrypted using tools like git-crypt,
then even if an unauthorized party gains access to the
repository, the sensitive content remains protected.

It is important to note that git-crypt only encrypts file
contents; it does not encrypt file names or commit metadata.

--
James Cherti
GitHub: https://github.com/jamescherti
Website: https://www.jamescherti.com/
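
Added example, not part of the original message or of git-crypt itself: a Python check that reads the blobs Git actually stores in HEAD and reports which ones are git-crypt ciphertext, while every path stays listed in cleartext, as the last paragraph of the message notes. The function names and the sample entries are assumptions made for illustration.

```python
import subprocess

# git-crypt prefixes every encrypted blob with this 10-byte marker,
# followed by a 12-byte nonce and then the ciphertext.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"
NONCE_LEN = 12


def classify_blob(data: bytes) -> str:
    """Return 'encrypted', 'truncated' or 'plaintext' for one stored blob."""
    if not data.startswith(GITCRYPT_MAGIC):
        return "plaintext"
    if len(data) < len(GITCRYPT_MAGIC) + NONCE_LEN:
        return "truncated"  # marker present, but no room for a full nonce
    return "encrypted"


def audit(blobs):
    """Map each path to its storage state. Paths are reported as-is because
    Git stores them in cleartext whether or not the content is encrypted."""
    return {path: classify_blob(data) for path, data in blobs}


def head_blobs(repo="."):
    """Yield (path, raw blob bytes) for every file in HEAD, bypassing the
    smudge filter so the bytes are what a repository reader would get."""
    listing = subprocess.run(
        ["git", "-C", repo, "ls-tree", "-r", "-z", "HEAD"],
        check=True, capture_output=True).stdout
    for entry in filter(None, listing.split(b"\0")):
        meta, path = entry.split(b"\t", 1)
        _mode, kind, sha = meta.split()
        if kind == b"blob":  # skip submodule (commit) entries
            data = subprocess.run(
                ["git", "-C", repo, "cat-file", "blob", sha.decode()],
                check=True, capture_output=True).stdout
            yield path.decode(errors="replace"), data


# Constructed sample: what HEAD might hold in a partly protected repository.
SAMPLE = [
    ("secrets/api.env", GITCRYPT_MAGIC + bytes(12) + b"\x8f\x13\x55"),
    ("deploy/prod.yml", b"db_password: example\n"),
    ("notes/broken.bin", GITCRYPT_MAGIC + b"\x01\x02"),
]

if __name__ == "__main__":
    for path, state in audit(SAMPLE).items():
        print(f"{state:10} {path}")
```

To audit a real checkout, pass `head_blobs("/path/to/repo")` to `audit()` instead of `SAMPLE`; any path reported as `plaintext` is readable by whoever obtains the repository.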




This bug report was last modified 9 days ago.
