GitBraints
  • Download
  • Contact
Sign InSign Up
GitBraints

Privacy-first Git-powered tools for individual designers and small teams who value data sovereignty. Own your data, control your workflow.

© Copyright 2026 GitBraints. All Rights Reserved.

About
  • Blog
  • Contact
Product
  • Documentation
Legal
  • Terms of Service
  • Privacy Policy
  • Cookie Policy
    Docs/gitlocker/GitLocker

    GitLocker

    Transparently protect your Git repository: Enterprise-grade AES-256-GCM strong encryption with pluggable key management.

    GitLocker is a security tool for transparent Git repository encryption.

    It seamlessly integrates with low-level Git mechanisms: using standard Git Clean/Smudge filters and Merge drivers, your code and data are automatically encrypted to AES-256-GCM ciphertext before leaving your device for Git remotes (such as GitHub, GitLab, or team-hosted Git servers). When checked out to the local working directory, they are automatically restored to plaintext, achieving a completely developer-transparent encryption and decryption experience.

    Core Design Features

    Zero-Knowledge Tamper-Resistant Architecture

    Uses standard AES-256-GCM authenticated encryption mode (AEAD). If any data or header information is detected as tampered with during network transmission or on the Git server, the GitLocker driver immediately triggers a Fail-closed lock to block decryption and exit the process, preventing illegal bit-flipping attacks.

    Pluggable Key Providers

    GitLocker does not bind to a single key manager. It supports two highly extensible Key Providers to meet different team compliance requirements:

    • Personal Key Provider: Keys are saved entirely in the local secure sandbox, suitable for independent developers or small teams.
    • Server Key Provider: Keys are hosted in a centralized Key Server, making it easy to dynamically revoke team permissions and perform security audits.

    Seamless Key Rotation

    Supports multiple generations of keys to coexist smoothly in the same repository. When a key rotation is initiated, newly committed code files are encrypted with the new master key; meanwhile, historical Git commits protected by the old master key can still be adaptively decrypted using the corresponding old key, eliminating the need to rewrite the entire Git history.

    Security Boundaries and Notices

    1. Git remotes (such as hosting platforms like GitHub) only serve as hosting carriers for encrypted ciphertext data. Your decryption master key will never be uploaded or leave your controlled boundary.
    2. Normal Git metadata (such as commit hash, commit time, author email, file size, and modification history directory) can still be read by the Git platform. This preserves all the natural collaborative advantages of Git while ensuring code security and privacy.
    3. Please keep your master key backup credentials or Key Server access rights safe.

    Next Steps

    • Quick Start
    ≡On this page
    1. Core Design Features
      1. Zero-Knowledge Tamper-Resistant Architecture
      2. Pluggable Key Providers
      3. Seamless Key Rotation
      4. Security Boundaries and Notices
      5. Next Steps