Skip to content
Latchkey

git-crypt status: Check Which Files Are Encrypted

git-crypt status lists every file and whether git-crypt considers it encrypted, not encrypted, or misconfigured against .gitattributes.

Before trusting that a repo protects its secrets, git-crypt status shows the actual encryption state. In CI it is a cheap guard against a secret file that was never encrypted.

What it does

git-crypt status walks the repository and prints each file with its status: "encrypted", "not encrypted", or a warning when a file matches an encrypt filter but is stored as plaintext. It reads .gitattributes to know what should be encrypted.

Common usage

Terminal
git-crypt status
# list only files that are encrypted
git-crypt status -e
# list files that should be encrypted but are not
git-crypt status -u

Options

FlagWhat it does
-eShow only files that are encrypted
-uShow only files that are not encrypted
-fFix filters / re-stage (use with care)

In CI

Run git-crypt status -u (or grep the status output for "not encrypted" on paths that should be secret) as a pre-merge check so a secret that slipped past the filter fails the build instead of leaking. It needs no key, so it can run before unlock.

Common errors in CI

A file listed as "not encrypted" that should be secret means the .gitattributes filter did not match when it was committed; the plaintext is now in history and the secret must be rotated. "git-crypt: error: Not in a git repository" means the check ran outside the repo root.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →