How would you encrypt an existing repository with git-crypt?

[omduggineni]

Is there a way to rewrite history using git-filter-branch, git-filter-repo, or git rebases? How would you keep commit dates/etc?

[alerque]

All three of those ways would work, but depending on your repository layout and history the easiest might be just to rebase. Branch from before the first commit that had private content than needed encryption. Add a new commit to the branch that sets the attributes, then add the encrypted file. Then rebase your original branch onto the new one, dropping or editing the commit that added the unencrypted version. If your history includes changes to the encrypted data along the way you'll want to make sure and inspect those with a break in the rebase after them to make sure they still show encrypted properly.

Other approaches will work too, including using one of the filter options to remove the offending data files, then adding it back encrypted either at the end or whenever you like back in history with a rebase.

Keep in mind that any technique you use is going to leave a lot of cruft in the Git repo history (see e.g. git reflog) and data store that you don't want to be there. You'll need to get super aggressive with the git gc options to scrub all the unencrypted object files even from now unreachable branches.

[omduggineni]

Thanks!

[bjnord]

My .gitattributes wasn't quite set up correctly, and I accidentally committed and pushed a few files as unencrypted. After I fixed .gitattributes (and confirmed with git check-attr), I found the following on StackExchange which will force a new commit to encrypt them properly:

$ git rm --cached private/*.txt
$ git add private/*.txt
$ git commit

(As noted in the above answer, this will leave the unencrypted text still in the repo, so it isn't a complete solution for things like security tokens.)