Skip to content
Latchkey

git-crypt unlock: Decrypt Repo Secrets in CI

git-crypt unlock decrypts the transparently-encrypted files in a working tree using either your GPG key or an exported symmetric key file.

git-crypt encrypts selected files in a repo so they are ciphertext at rest but plaintext in your checkout. In CI you unlock with an exported symmetric key file so no interactive GPG is needed.

What it does

git-crypt unlock decrypts the files matched by .gitattributes filters and leaves the working tree with plaintext. It can use a GPG key already in your keyring or a symmetric key exported earlier with git-crypt export-key.

Common usage

Terminal
# preferred in CI: unlock with an exported symmetric key
git-crypt unlock /path/to/git-crypt-key
# unlock with your GPG key (needs the private key imported)
git-crypt unlock

Options

ArgumentWhat it does
<keyfile>Path to a symmetric key exported with git-crypt export-key
(no argument)Unlock using a GPG key present in the keyring

In CI

Export the symmetric key once locally with git-crypt export-key, store the bytes as a base64 CI secret, decode it to a file at job start, and run git-crypt unlock <keyfile>. This avoids importing GPG keys on the runner entirely. Delete the key file after unlocking.

Common errors in CI

"GPG error" or "gpg: decryption failed: No secret key" means unlock tried GPG but the private key is not in the runner keyring; use the key-file form instead. "git-crypt: error: this repository has already been unlocked" is harmless. "not a valid git-crypt key file" means the decoded secret is corrupt or double-encoded.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →