Automate Git-crypt Unlock

[MichaelSmyth0184]

Hi, I have been looking for ways to automate the process of unlocking encrypted files during the deployment process on Windows Hosts. I can do it manually, but ofcourse a password prompt is required. Any suggestions on how to automate this process?

Thanks,

Michael S

[alerque]

This issue has nothing to do with git-crypt, you need to look into how your GPG tools work. I'm not on Windows so I don't know what your process will be, but you probably need an agent of some kind and some way to pass credentials to it to get it started. Unlocking your GPG key and having an agent around so that it can be run without prompting for a password is unrelated to git crypt itself which is only built on top of other tools.

[nirvdrum]

I think it'd be helpful if the decryption process was configurable. Having a hard-coded command makes it hard to decrypt in an environment where you don't have a TTY. Yes, the agent could unlock the key outside, but when running in something like Ansible, you'll need to have a long TTL on the agent because you need to do the unlock and make sure it's alive throughout the whole provisioning process. A long TTL isn't a trade-off I want to make. Alternatively, you could change the pinentry mode to loopback in the GPG config, but that messes up all other usages of gpg.

I'd like to have something like GIT_CRYPT_DECRYPT_GPG_FLAGS to set additional flags in gpg_decrypt_from_file. In my case, that'd probably be --pintentry-mode=loopback --passphrase-fd <fd>.

[ambroisie]

I would also like such a feature. I am willing to make a PR if there's no opposition to such it.

[pascalandy]

I would like this as well. I want to automate this on my servers. Cheers!