Managing git-crypt Keys with Bitwarden

This guide shows how to securely manage git-crypt keys using Bitwarden by converting binary keys to Base64 text.

Export and Encode the Key

Export your git-crypt key and convert it to Base64:

# Export the key
git-crypt export-key infra-secrets-git-crypt-key

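# Encode to Base64 (the redirection form works with both macOS and GNU base64;
# "-i file -o file" is macOS-only syntax)
base64 < infra-secrets-git-crypt-key > infra-secrets-git-crypt-key.b64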

Store in Bitwarden

View and copy the Base64 content:

cat infra-secrets-git-crypt-key.b64

In Bitwarden, create a Secure Note named “git-crypt key” and paste the content.

Retrieve and Unlock

Use Bitwarden CLI to retrieve, decode, and unlock:

# Download and decode the key
bw get notes "git-crypt key" | base64 --decode > infra-secrets-git-crypt-key

# Unlock the repository
git-crypt unlock infra-secrets-git-crypt-key

CI/CD Integration

For automated workflows, use the same commands in your pipeline:

bw get notes "git-crypt key" | base64 --decode > infra-secrets-git-crypt-key
git-crypt unlock infra-secrets-git-crypt-key
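
A hardened form of the retrieval step for pipelines, as an added example that is not part of the original post: it stops when Bitwarden returns nothing or the note is not valid Base64, keeps the decoded key in a private temp file, and deletes that file after the unlock. The function names decode_key_to_tmp and unlock_from_bitwarden are hypothetical; bw and git-crypt are assumed to be installed and the vault already unlocked.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
set -eu

# Decode Base64 from stdin into a temp file and print the file's path.
# Fails (and leaves no file behind) if the input is not valid Base64
# or decodes to zero bytes.
decode_key_to_tmp() {
  _kf="$(mktemp)" || return 1   # mktemp creates the file with mode 0600
  if base64 --decode > "$_kf" 2>/dev/null && [ -s "$_kf" ]; then
    printf '%s\n' "$_kf"
  else
    rm -f "$_kf"
    return 1
  fi
}

# $1 = name of the Bitwarden Secure Note holding the Base64 key.
unlock_from_bitwarden() {
  # Capture the note first: in "bw ... | base64 --decode > file" a bw failure
  # is hidden by the pipe and an empty key file may be written.
  _b64="$(bw get notes "$1")" || { echo "bw get notes failed" >&2; return 1; }
  _key="$(printf '%s' "$_b64" | decode_key_to_tmp)" || {
    echo "note does not contain a Base64-encoded key" >&2
    return 1
  }
  _rc=0
  git-crypt unlock "$_key" || _rc=$?
  rm -f "$_key"   # remove the decoded key whether or not unlock succeeded
  return "$_rc"
}

# Run only when a note name is passed, e.g.: sh unlock.sh "git-crypt key"
if [ "$#" -gt 0 ]; then
  unlock_from_bitwarden "$1"
fi
```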

Best Practices

  • Add *-git-crypt-key and *.b64 to .gitignore
  • Never commit decoded key files
  • Rotate keys periodically
  • Limit Bitwarden access to authorized team members only