git_sshripped_encryption 0.1.8

Encryption domain for git-sshripped

git_sshripped_encryption

Deterministic file encryption and decryption for git-sshripped.

Overview

This crate implements the core cryptographic operations that keep files encrypted at rest in a Git repository. It uses AES-256-SIV for deterministic authenticated encryption, deriving a per-file key from the repository key via HKDF-SHA256. The file path is bound as authenticated associated data (AAD), so a ciphertext only decrypts under the correct path.

Determinism is essential: the same key, path, and plaintext always produce the same ciphertext, which allows Git to detect unchanged files and produce meaningful diffs.

Key Functions

  • is_encrypted(content) -- checks for the GSC1 magic prefix.
  • encrypt(algorithm, repo_key, path, plaintext) -- encrypts plaintext, prepending the six-byte header. No-ops if the content is already encrypted.
  • decrypt(repo_key, path, encrypted) -- parses the header and decrypts.

Feature Flags

  • crypto-aes-siv (default) -- enables the AES-SIV backend. Without this feature, encrypt/decrypt return an UnsupportedAlgorithm error.

Usage

Part of the git-sshripped workspace. This crate is not intended for standalone use.