Age encryption tool

To paraphrase its description on (Microsoft's) GitHub: “[Age is] a simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.”

Basically it is a good, easy and composable tool that only needs SSH keys to work, which is convenient because we usually have some lying around. It is also easier to use than GnuPG, which is nice.

Git filters

Git filters are a feature of git that lets us pass data through a program before it hits git's blob storage, or before it is written to disk, and back.

The smudge filter is applied when a repository or commit is checked out. It converts the data from the storage format (i.e. the raw blobs) to the presentation format (i.e. the files as they appear on disk). The clean filter runs in the opposite direction, when a file is staged: it converts the working-tree file back into the storage format.

The programs are quite simple: they are fed the file content on stdin and the file name as first argument, and they write the converted (or untouched) file to stdout.

Configuration

Git filters are defined in the git config, which can be global ($HOME/.gitconfig or $HOME/.config/git/config) or local to a repo in .git/config.

[filter "age"]
    clean = "clean-script.sh"
    smudge = "smudge-script.sh"
    required

And in the .gitattributes file (at the top of the repo):

*.tfstate filter=age
*.secrets.tfvars filter=age

Encryption/Decryption scripts

The scripts need to work even if the same file is smudged or cleaned twice. To support that we ASCII-armor the encrypted output (-a), so each script can check for the presence or absence of the infamous header -----BEGIN AGE ENCRYPTED FILE----- and pass the file through untouched when there is nothing to do. Note that age encryption is randomized, so cleaning the same plaintext twice produces different ciphertext; it is the header check, not byte-identical output, that makes the filters idempotent.

smudge is the following (/tmp/something stands for the path of the age identity file, as in the original):

#!/usr/bin/env bash
set -euo pipefail

# Buffer stdin in a temp file so the header check doesn't consume the stream
f=$(mktemp)
trap 'rm -f "$f"' EXIT
cat > "$f"

# Only decrypt when the input starts with the AGE armor header;
# otherwise the file is already plaintext and is passed through untouched
if [[ "$(head -n 1 "$f")" == "-----BEGIN AGE ENCRYPTED FILE-----" ]]; then
  age -i /tmp/something -d "$f"
else
  cat "$f"
fi

clean is the following

#!/usr/bin/env bash
set -euo pipefail

# Buffer stdin in a temp file so the header check doesn't consume the stream
f=$(mktemp)
trap 'rm -f "$f"' EXIT
cat > "$f"

# Only encrypt when the input is not already armored age output;
# otherwise the existing ciphertext is passed through untouched
if [[ "$(head -n 1 "$f")" != "-----BEGIN AGE ENCRYPTED FILE-----" ]]; then
  age -i /tmp/something -a -e -o - "$f"
else
  cat "$f"
fi
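As an added self-check (not part of the original post), the script below wires the same header-based clean/smudge logic into a throwaway repo and verifies the round trip: the committed blob must be armored age, and a fresh checkout must give back the plaintext. It assumes git, age and age-keygen are on PATH, uses a throwaway native age identity generated on the fly instead of the SSH key, and takes the mode and identity path as arguments rather than hard-coding them.

```shell
#!/usr/bin/env bash
set -euo pipefail

# Writes one clean/smudge script into $1. It does the same header check as the
# scripts above, but takes the mode and the identity path as arguments.
write_filter() {
  cat > "$1" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
mode=$1 id=$2 tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
cat > "$tmp"
enc=0; [[ "$(head -n 1 "$tmp")" == "-----BEGIN AGE ENCRYPTED FILE-----" ]] && enc=1
case "$mode$enc" in
  clean0)  age -e -a -i "$id" "$tmp" ;;   # plaintext -> armored age
  smudge1) age -d -i "$id" "$tmp" ;;      # armored age -> plaintext
  *)       cat "$tmp" ;;                  # already converted: pass through
esac
EOF
}

# Round trip in a throwaway repo: commit a constructed "secret" through the
# filter, then compare what git stored with what the working tree shows.
# Returns 0 when both checks hold (or when the tools are missing), else 1.
verify_age_filter() {
  for t in git age age-keygen; do
    command -v "$t" >/dev/null || { echo "skip: $t not installed"; return 0; }
  done
  local work hdr='-----BEGIN AGE ENCRYPTED FILE-----'
  work=$(mktemp -d)
  write_filter "$work/age-filter.sh"
  age-keygen -o "$work/key.txt" 2>/dev/null   # throwaway native age identity
  git -C "$work" init -q
  git -C "$work" config user.email filter-test@example.com
  git -C "$work" config user.name  filter-test
  git -C "$work" config filter.age.clean  "bash $work/age-filter.sh clean $work/key.txt"
  git -C "$work" config filter.age.smudge "bash $work/age-filter.sh smudge $work/key.txt"
  git -C "$work" config filter.age.required true
  echo '*.tfstate filter=age' > "$work/.gitattributes"
  echo 'db_password = "hunter2"' > "$work/prod.tfstate"   # constructed sample
  git -C "$work" add .gitattributes prod.tfstate
  git -C "$work" commit -qm 'add state'
  # 1) the blob in history is armored age, not the plaintext
  [[ "$(git -C "$work" show HEAD:prod.tfstate | head -n 1)" == "$hdr" ]] || return 1
  # 2) a fresh checkout smudges it back to the original plaintext
  rm "$work/prod.tfstate"; git -C "$work" checkout -q -- prod.tfstate
  [[ "$(cat "$work/prod.tfstate")" == 'db_password = "hunter2"' ]] || return 1
  rm -rf "$work"
}

verify_age_filter && echo "age filter round trip OK"
```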