Encrypt/decrypt files passwordlessly using GitHub's public key.

yoshi389111/git-caesar

NAME

git-caesar — Command-line tool for encrypting and decrypting files using public key cryptography

SYNOPSIS

git-caesar [OPTIONS]

DESCRIPTION

git-caesar is a command-line tool that encrypts and decrypts files using public keys registered on GitHub, GitLab, or local SSH key files. Encryption uses the recipient's public key. Decryption uses your private key.

OPTIONS

  • -h, --help

    • Show help and exit.
  • -v, --version

    • Show version and exit.
  • -u, --public=<target>

    • Specify recipient's public key. Required for encryption. If a GitHub username is provided, the key is fetched from https://github.com/USER_NAME.keys. If the value starts with http: or https:, the key is fetched from the web. Otherwise, it is treated as a local file path. In decryption, this key is used for signature verification.
  • -k, --private=<id_file>

    • Specify your SSH private key file. If omitted, the tool searches ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa in that order.
  • -i, --input=<input_file>

    • Path to input file. For encryption, this is the plaintext file. For decryption, this is the encrypted file. Defaults to stdin.
  • -o, --output=<output_file>

    • Path to output file. Defaults to stdout.
  • -d, --decrypt

    • Decrypt mode. If not specified, encrypt mode is used.
  • -F, --format-version=<version>

    • Format version of the encrypted file. Versions 1, 2 and 3 are valid. Versions 1 and 2 are deprecated. Default: 3.

EXAMPLES

  • Encrypt secret.txt for GitHub user octocat and save as secret.zip:

    git-caesar -u octocat -i secret.txt -o secret.zip
  • Encrypt using a specific private key (~/.ssh/id_secret):

    git-caesar -u octocat -i secret.txt -o secret.zip -k ~/.ssh/id_secret
  • Decrypt a file for GitLab user tanuki and save it as secret.txt:

    git-caesar -d -u https://gitlab.com/tanuki.keys -i secret.zip -o secret.txt
  • Decrypt a file without signature verification:

    git-caesar -d -i secret.zip -o secret.txt

INSTALLATION

How to build with the go command

Requires Go 1.24.0 or higher.

To install or upgrade:

    go install github.com/yoshi389111/git-caesar@latest

To uninstall:

    go clean -i github.com/yoshi389111/git-caesar

How to install using Homebrew

To install or upgrade:

    brew install yoshi389111/apps/git-caesar

To uninstall:

    brew uninstall yoshi389111/apps/git-caesar

Download from GitHub

Download the file that matches your operating environment from "Releases."

SUPPORTED ALGORITHMS

Supported Public Key Algorithms

  • ssh-rsa (key length 1024 bits or more)
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-ed25519

Unsupported:

  • ssh-dss (DSA)
  • ssh-rsa (key length less than 1024 bits)
  • sk-ecdsa-sha2-nistp256@openssh.com
  • sk-ssh-ed25519@openssh.com
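
The check implied by these two lists, as an added example (not git-caesar's own code): it classifies one line of a `.keys` response by key type and, for ssh-rsa, by the modulus length read from the key blob. The function names are hypothetical, lines are assumed to be in `type base64 [comment]` form, and rejecting a blob whose inner type differs from the declared one is an extra check of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"math/big"
	"strings"
)

// next reads one length-prefixed SSH wire field (RFC 4251 string or mpint).
func next(b []byte) (field, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, errors.New("truncated key blob")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// supported applies the page's lists to one key line (hypothetical helper).
func supported(line string) (bool, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return false, errors.New("malformed key line")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return false, err
	}
	alg, rest, err := next(blob)
	if err != nil || string(alg) != f[0] {
		return false, errors.New("declared type does not match key blob")
	}
	switch f[0] {
	case "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521":
		return true, nil
	case "ssh-rsa": // blob is: type, e, n; the modulus n decides the key length
		_, rest, err = next(rest)
		if err != nil {
			return false, err
		}
		n, _, err := next(rest)
		if err != nil {
			return false, err
		}
		return new(big.Int).SetBytes(n).BitLen() >= 1024, nil
	}
	return false, nil // ssh-dss, sk-* and anything else
}
```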

Encryption and Signature Algorithms

Format version 3 (recommended)

  • supported since v0.0.10

| Algorithm | Encryption/Decryption | Signing/Verification |
|---|---|---|
| AES | AES-256-GCM | N/A |
| RSA (≤ 4096-bit) | RSA-OAEP (SHA-256) | RSA-PSS (SHA-256) |
| RSA (> 4096-bit) | RSA-OAEP (SHA-256) | RSA-PSS (SHA-512) |
| ECDSA/ECDH (P-256) | ECDH + HKDF-SHA-256 + AES-256-GCM | ECDSA (SHA-256) |
| ECDSA/ECDH (P-384) | ECDH + HKDF-SHA-256 + AES-256-GCM | ECDSA (SHA-384) |
| ECDSA/ECDH (P-521) | ECDH + HKDF-SHA-256 + AES-256-GCM | ECDSA (SHA-512) |
| ED25519/X25519 | X25519 + HKDF-SHA-256 + AES-256-GCM | ED25519 (SHA-512) |

Old format versions

Format version 2

  • supported since v0.0.9
  • deprecated since v0.0.10

| Algorithm | Encryption/Decryption | Signing/Verification |
|---|---|---|
| AES | AES-256-GCM | N/A |
| RSA | RSA-OAEP (SHA-256) | RSA-PSS (SHA-256) |
| ECDSA/ECDH | ECDH + HKDF-SHA-256 + AES-256-GCM | ECDSA (SHA-256) ⚠️ |
| ED25519/X25519 | X25519 + HKDF-SHA-256 + AES-256-GCM | ED25519 (SHA-512) |

Format version 1

  • supported since v0.0.1
  • deprecated since v0.0.9

| Algorithm | Encryption/Decryption | Signing/Verification |
|---|---|---|
| AES | AES-256-CBC | N/A |
| RSA | RSA-OAEP (SHA-256) | RSA-PKCS1-v1_5 (SHA-256) |
| ECDSA/ECDH | ECDH + ⚠️ SHA-256 (for key derivation) + AES-256-CBC | ECDSA (SHA-256) |
| ED25519/X25519 | X25519 + ⚠️ SHA-256 (for key derivation) + AES-256-CBC | ED25519 (⚠️ with pre-hashed SHA-256 input) |

SECURITY

In this tool, the ECDSA and ED25519 signing public keys are reused for key exchange (ECDH / X25519).

  • Using the signing public key for key exchange does not directly leak the recipient’s signing private key during the key exchange itself, because the private key is not transmitted or revealed in the protocol.
  • The sender’s signing private key is also not leaked, as an ephemeral key for key exchange is used for each session on the sender’s side, and the sender's signing key is used only for signing.

However, this practice has the following potential security risks:

  • If the signing private key is compromised, all past key exchanges using that key can be broken retroactively (forward secrecy is lost).
  • Increased use of the signing private key raises the risk of side-channel attacks.
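
How a signing key ends up doing key exchange, as an added example (not git-caesar's own code): the standard Ed25519-to-X25519 conversion followed by an ephemeral-static X25519 agreement, with the HKDF and AES-256-GCM steps omitted. Function names are hypothetical, and that the tool converts keys exactly this way is an assumption.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"math/big"
)

// Added example (assumed conversion, not git-caesar's code): u = (1+y)/(1-y) mod p.
func edPubToX25519(pub ed25519.PublicKey) []byte {
	p := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
	b := make([]byte, 32)
	for i := range b {
		b[i] = pub[31-i] // little-endian to big-endian
	}
	b[0] &= 0x7f // drop the sign bit of x, leaving y
	y, one := new(big.Int).SetBytes(b), big.NewInt(1)
	den, u := new(big.Int).Sub(one, y), new(big.Int).Add(one, y)
	den.ModInverse(den.Mod(den, p), p)
	u.Mod(u.Mul(u, den), p).FillBytes(b)
	for i, j := 0, 31; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i] // back to little-endian
	}
	return b
}

// senderShared uses a fresh ephemeral key per message against the recipient's signing key.
func senderShared(recipient ed25519.PublicKey) (ephPub, shared []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	peer, _ := ecdh.X25519().NewPublicKey(edPubToX25519(recipient)) // always 32 bytes
	shared, err = eph.ECDH(peer)
	return eph.PublicKey().Bytes(), shared, err
}

// recipientShared needs only the long-term signing key and the public ephPub.
func recipientShared(priv ed25519.PrivateKey, ephPub []byte) ([]byte, error) {
	h := sha512.Sum512(priv.Seed()) // first half is the scalar; X25519 clamps it
	x, _ := ecdh.X25519().NewPrivateKey(h[:32]) // always 32 bytes
	peer, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	return x.ECDH(peer)
}
```

recipientShared takes nothing but the long-term key and the public ephPub stored with the message, which is why a later compromise of that key exposes every earlier message.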

SEE ALSO

COPYRIGHT

© 2023 SATO, Yoshiyuki. MIT Licensed.
