
git-secret


Git secrets CLI for encrypting tracked files with GPG, managing who can decrypt them, and revealing them in local or CI workflows.

$ brew install git-secret
Language: Shell
Stars: 3,988
Category: Security
AI Analysis

git-secret adds GPG-backed encryption to an ordinary Git repo so teams can keep encrypted secret files in version control and reveal them only to holders of authorized private keys. It works on explicitly registered files, keeps the recipients' public keys in a repo-local keyring under .gitsecret/, and exposes a small set of subcommands for hiding, revealing, sharing, and auditing secrets.

What It Enables
  • Register specific files as secrets, encrypt them into .secret blobs with git secret hide, and commit the encrypted versions alongside the rest of the repository while the plaintext stays gitignored.
  • Add or remove collaborators' GPG public keys (tell, removeperson), list who can decrypt the repo (whoknows), and re-encrypt the files when access changes.
  • Reveal secrets into the working tree, print decrypted contents to stdout (cat), or diff the current plaintext against the committed encrypted versions (changes) during review or CI.
Agent Fit
  • The command set maps cleanly onto inspect/change/verify loops: list and whoknows inspect state, tell and removeperson change access, and changes verifies drift between working-tree plaintext and the committed blobs.
  • Automation is workable because reveal, cat, and changes accept a passphrase (-p) and an alternate GPG home directory (-d) for non-interactive runs, but output stays plain text and unified diffs rather than structured JSON.
  • Best for repositories that intentionally keep encrypted config in Git; less useful when secrets already live in a dedicated secret manager.
Caveats
  • Every machine or CI runner that reveals secrets needs the private key of one of the recipients in a GPG keyring it can reach; hiding needs only the public keys, which git-secret stores under .gitsecret/keys.
  • Adding or removing recipients only edits that keyring; existing encrypted files keep their old recipient set until someone with access runs git secret hide again.
  • Removing a person does not undo past access: every blob already in Git history remains decryptable with their key, so rotate the underlying secret values rather than relying on removal alone.
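The workflow from "What It Enables" and the re-encryption and keyring caveats above, as an added example written for this page (it is not code from the git-secret project). It assumes git-secret and gpg are installed for the bootstrap, rotate and reveal functions; that .gitsecret/paths/mapping.cfg lists one registered file per line as either "path" or "path:sha256"; that a CI job receives an ASCII-armored private key in GPG_PRIVATE_KEY and its passphrase in GPG_PASSPHRASE; and the file name config/app.env and script name secrets.sh are constructed for the example. The audit function needs only git and runs anywhere.

```bash
#!/usr/bin/env bash
# Added example for this page, not code from the git-secret project.
# Assumptions not stated on the page: .gitsecret/paths/mapping.cfg holds one
# registered file per line as "path" or "path:sha256"; CI receives an
# ASCII-armored private key in GPG_PRIVATE_KEY and its passphrase in
# GPG_PASSPHRASE. The path config/app.env is constructed for the example.
set -u

# Repo bootstrap: register recipients, register one plaintext file, and stage
# only the encrypted blob. Arguments are e-mail addresses of GPG public keys
# already imported into the local keyring with "gpg --import".
bootstrap_secrets() {
  git secret init                       # creates .gitsecret/ (keys/, paths/)
  for email in "$@"; do
    git secret tell "$email"            # copies that public key into .gitsecret/keys
  done
  git secret add config/app.env         # records the path; plaintext is gitignored
  git secret hide -d                    # writes config/app.env.secret; -d deletes plaintext
  git add .gitsecret .gitignore config/app.env.secret
}

# Access change: tell/removeperson only edit the keyring. Nothing is
# re-encrypted until hide runs again, so always pair them. Anyone removed can
# still decrypt every blob already in history, so rotate the values too.
rotate_recipients() {
  removed=$1; added=${2:-}
  git secret removeperson "$removed"
  if [ -n "$added" ]; then
    git secret tell "$added"
  fi
  git secret reveal -f                  # needs a current recipient's private key
  git secret hide -d                    # re-encrypt for the new recipient set
}

# CI reveal: an ephemeral GNUPGHOME keeps the runner's default keyring
# untouched and dies with the job; -p/-d make the decrypt non-interactive.
ci_reveal() {
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --quiet --import
  git secret reveal -f -p "$GPG_PASSPHRASE" -d "$GNUPGHOME"
}

# Pure-shell audit that runs without git-secret: for every registered path the
# plaintext must NOT be tracked by git (a file committed before it was
# registered stays in the index; .gitignore does not untrack it) and the
# .secret blob MUST be tracked. $1 = mapping.cfg, $2 = output of "git ls-files".
# Returns 0 when clean, 1 when any violation was printed to stderr.
audit_mapping() {
  mapping=$1; tracked=$2; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    path=${line%%:*}                    # drop the ":sha256" suffix if present
    if grep -Fxq "$path" "$tracked"; then
      echo "PLAINTEXT TRACKED: $path" >&2; rc=1
    fi
    if ! grep -Fxq "$path.secret" "$tracked"; then
      echo "MISSING BLOB: $path.secret" >&2; rc=1
    fi
  done < "$mapping"
  return "$rc"
}

# Stand-alone use (hypothetical file name secrets.sh):
#   bash secrets.sh bootstrap alice@example.com bob@example.com
#   bash secrets.sh rotate bob@example.com carol@example.com
#   bash secrets.sh reveal      # on CI
#   bash secrets.sh audit       # in any checkout, no keys required
case "${1:-}" in
  bootstrap) shift; bootstrap_secrets "$@" ;;
  rotate)    shift; rotate_recipients "$@" ;;
  reveal)    ci_reveal ;;
  audit)     tracked=$(mktemp); git ls-files > "$tracked"
             audit_mapping .gitsecret/paths/mapping.cfg "$tracked" ;;
esac
```

The developer-side counterpart of the CI reveal is git secret changes -p "$GPG_PASSPHRASE" -d "$GNUPGHOME": any diff it prints means a plaintext file was edited without a following git secret hide, which is the drift the audit above cannot see because it only inspects the index.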