git-remote-gcrypt adds support for encrypted remotes to git. The git-annex gcrypt special remote allows git-annex to also store its files in such repositories. Naturally, git-annex encrypts the files it stores too, so everything stored on the remote is encrypted.

See fully encrypted git repositories with gcrypt for some examples of using gcrypt.


These parameters can be passed to git annex initremote to configure gcrypt:

  • encryption - One of "none", "hybrid", "shared", or "pubkey". Required. See encryption.

  • keyid - Specifies the gpg key to use for encryption of both the files git-annex stores in the repository, as well as to encrypt the git repository itself. May be repeated when multiple participants should have access to the repository.

  • gitrepo - Required. The path or url to the git repository for gcrypt to use. This repository should be either empty, or an existing gcrypt repositry.

  • chunk - Enables chunking when storing large files.

  • shellescape - See rsync for the details of this option.


For git-annex to store files in a repository on a remote server, you need shell access, and rsync must be installed. Those are the minimum requirements, but it's also recommended to install git-annex on the remote server, so that git-annex-shell can be used.

While you can use git-remote-gcrypt with servers like github, git-annex can't store files on them. In such a case, you can just use git-remote-gcrypt directly.

If you use encryption=hybrid, you can add more gpg keys that can access the files git-annex stored in the gcrypt repository. However, due to the way git-remote-gcrypt encrypts the git repository, you will need to somehow force it to re-push everything again, so that the encrypted repository can be decrypted by the added keys. Probably this can be done by setting GCRYPT_FULL_REPACK and doing a forced push of branches.

Recent versions of git-annex configure remote.<name>gcrypt-publish-participants` when setting up a gcrypt repository. This is done to avoid unncessary gpg passphrase prompts, but it does publish the gpg keyids that can decrypt the repository. Unset it if you need to obscure that.