Linux command
git-agecrypt command
After copying, replace file names, directories, or parameters as needed.
Common examples
Initialise
git agecrypt init
Register
git-agecrypt config add -i [path/to/age.key]
Register
git-agecrypt config add -r [age1...] -p [secrets/prod.env]
List
git-agecrypt config list
Remove
git-agecrypt config remove -r [age1...] -p [secrets/prod.env]
Show
git-agecrypt status
Tear down
git-agecrypt deinit
Description
git-agecrypt is a Git integration that keeps secrets in a repository encrypted at rest while exposing plaintext to the working tree. It is an alternative to git-crypt, swapping GPG for age, with smaller key material and support for SSH keys and age plugin stubs (for example age-plugin-yubikey). After git-agecrypt init, the repository's _.git/config_ contains clean, smudge, and textconv filter entries pointing at the binary. Every file matched by a path pattern in _.gitattributes_ (typically filter=agecrypt diff=agecrypt) is encrypted on its way into the object store and decrypted on its way out. Recipients and per-path scoping live in a committed _git-agecrypt.toml_, while local private identities live in _.git/config_ so they never leave the developer's machine. Because age encryption is non-deterministic, git-agecrypt records a BLAKE3 hash of each plaintext under _.git/git-agecrypt/_; if the plaintext has not changed, the previously stored ciphertext is reused so commits do not produce noisy churn.
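An added check, not part of git-agecrypt or of the original page: it lists paths whose filter attribute is agecrypt but whose committed blob does not start with an age header, which is what Git stores when a file is committed from a clone where the filter was never installed. The function names are hypothetical; the script assumes attributes are read from the current checkout, that ciphertext begins with the standard age binary or armored header, and that paths need no quoting.

```shell
#!/bin/sh
# Added example: audit that files marked filter=agecrypt are really
# stored as age ciphertext in a commit. Not git-agecrypt's own code.

# Succeed if stdin begins with an age header (binary or ASCII-armored).
is_age_ciphertext() {
    header=$(head -c 34 | tr -d '\0')
    case "$header" in
        "age-encryption.org/v1"*) return 0 ;;
        "-----BEGIN AGE ENCRYPTED FILE-----"*) return 0 ;;
    esac
    return 1
}

# Print each path in commit $1 (default HEAD) that is marked
# filter=agecrypt but stored as something other than age ciphertext.
# Returns 1 if any such path exists, 0 otherwise.
audit_agecrypt() {
    rev=${1:-HEAD}
    leaks=$(git ls-tree -r --name-only "$rev" | while IFS= read -r path; do
        # check-attr prints "<path>: filter: <value>"
        attr=$(git check-attr filter -- "$path")
        case "$attr" in
            *": filter: agecrypt") ;;
            *) continue ;;
        esac
        git cat-file blob "$rev:$path" | is_age_ciphertext ||
            printf '%s\n' "$path"
    done)
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}
```

Source the file and run `audit_agecrypt HEAD` from the repository root, for instance in CI before a push is accepted.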
Parameters
- init
  Install the clean, smudge, and textconv filters into _.git/config_ so encryption / decryption happen automatically on commit and checkout.
- deinit
  Remove the filter integration from the current repository. Tracked encrypted blobs are unaffected.
- config add -r _recipient_ -p _path..._
  Register an age _recipient_ (public key) that should be able to decrypt the listed _paths_. Repeat to grant access to multiple keys. SSH ed25519 public keys and age age1... keys are both accepted.
- config add -i _identity_
  Register an age _identity_ (private key file) used by the local checkout to decrypt files. Stored in .git/config, never committed.
- config remove -r _recipient_ -p _path..._
  Revoke a recipient, optionally limited to specific paths.
- config remove -i _identity_
  Forget a local identity.
- config list
  Print the configured recipients (per-path) and registered local identities.
- status
  Report which tracked paths are configured for encryption and whether the working copy matches the encrypted blob.
- clean
  Internal filter entry point: read plaintext from stdin and write ciphertext to stdout. Invoked by Git via the filter.agecrypt.clean hook.
- smudge
  Internal filter entry point: read ciphertext from stdin and write plaintext to stdout. Invoked by Git on checkout.
- textconv _file_
  Internal helper used by git diff to render encrypted blobs as plaintext for diffing without leaking ciphertext into the working copy.
- -v, --verbose
  Increase logging verbosity.
- --help
  Print help for the chosen subcommand.
- --version
  Print version and exit.
FAQ
How do I run a basic git-agecrypt example?
Run `git agecrypt init` in a terminal, then adjust file names, paths, flags, or remote targets for your system.