Obsidian Notes with git-crypt 🔐

Reposting my github guide

Obsidian Vault, the best markdown note setup👾. Private key encrypted cross device synced notes 🤌(every pixel matches my laptop extensions, plugins, icons, themes, all of it 🌋)

💻 Laptop:
Obsidian, gpg, git-crypt, vault repo

📱Phone:
Obsidian, gpg, Termux, Termux Widget, sh scripts, git-crypt, vault repo

Instructions

Prerequisites

• git-crypt (install via brew install git-crypt)
• Obsidian app installed ( download)
• folder created for your Obsidian vault (i.e ~/ObsidianVault)

Initialize git repo and setup git-crypt

• initialize git repository (as you normally would)

$ cd YourVaultFolder
# delete existing git repo
# let's not expose cleartext history!
$ rm -fr .git/
$ git init

• initialize git-crypt

$ git-crypt init

• copy the generated secret key to ~/git-crypt-key (you will need this git-crypt-key to decrypt your vault on other devices so might wanna back it up 🤙)

git-crypt export-key ../git-crypt-key

Set up .gitignore and .gitattributes

Here is sample .gitignore, you may want to put the entire .obsidian directory into there, but I like keep my plugins/extensions/etc as well:

.obsidian/workspace
.obsidian/cache

Here is sample .gitattributes:

• i'm basically encrypting everything including my plugins */**, but this can be fined tuned later as you please (all markdown files, all obsidian canvas files, all other files)

*.md filter=git-crypt diff=git-crypt
*/** filter=git-crypt diff=git-crypt
*.canvas filter=git-crypt diff=git-crypt
BrainPad/** filter=git-crypt diff=git-crypt
BrainPad.md filter=git-crypt diff=git-crypt

(Optional for ZSH) Improve terminal performance

If you’re using oh-mz-zsh, the following two commands will prevent it from slowing down your command line (this will modify your vault repo's git config, not the global config):

$ git config --add oh-my-zsh.hide-status 1
$ git config --add oh-my-zsh.hide-dirty 1

• FYI - this results in your vault's .git/config to be updated with this...

[oh-my-zsh]
hide-status = 1
hide-dirty = 1

Verify and test YOUR .gitattributes

• run this command

git ls-files -z |xargs -0 git check-attr filter |grep unspecified

• you should only see non critical files like .gitattributes be reported as unspecified
• if any file is mentioned here that you want to be encrypted, tweak your .gitattributes further

Testing Encryption

• you should see all your encrypted files listed in the output (might take a while)

git-crypt status -e

Unlocking your Vault

To unlock your Vault's git repo, run this (using ../git-crypt-key backed up earlier):

git-crypt unlock ../git-crypt-key

Push your notes to Github

• create private empty repository on GitHub (follow the instructions about how to push an existing repository that come up upon creation) > replace YourGithubUsername/YourVaultRepo with your own

$ git remote add origin \
      git@github.com:YourGithubUsername/YourVaultRepo.git

$ git branch -M master   # ...
$ git push -u origin master

Note: From now on, you can add, commit, push from this repository, and git-crypt will transparently encrypt and de-crypt your files.

Locking Your Vault

• if you want, you can lock your vault once you are done (don't have to)

git-crypt lock

---

Obsidian

• install the Obsidian Git plugin
  • configure the plugin: Make sure, Disable push is deactivated.
  • do this on all your desktop/laptop machines

Now, every time you want to sync your changes, press ctrl+p and search for “Obsidian Git : commit …”

The plugin will automatically pull all remote changes when you start Obsidian.
If you leave it running for days, you might want to pull recent changes manually: ctrl+p and search for “Obsidian Git: Pull”.

---

Common Issues

Git related

• if you get errors on git push and it gets stuck on 100% but not finishing, considering increasing your httpBuffer in your global git config and retry (this may be the first time you are pushing something bigger, if you decided to backup your plugins/extensions etc like me)

git config --global http.postBuffer 524288000

Obsidian Git plugin (desktop)

If you are seeing git-crypt related errors in Obsidian on your desktop, it is most likely unable to find git-crypt in your path. Instead, tell your .git/config the explicit path to git-crypt executable (modify it manually):

[filter "git-crypt"]
        smudge = \"/opt/homebrew/bin/git-crypt\" smudge
        clean = \"/opt/homebrew/bin/git-crypt\" clean
        required = true
[diff "git-crypt"]
        textconv = \"/opt/homebrew/bin/git-crypt\" diff

If you get any gpg errors, add the path of your gpg executable to your global git config as well.

• first check the full path to the gpg installed

type gpg
gpg is /usr/local/bin/gpg

• then configure git to use that full path

git config --global gpg.program /usr/local/bin/gpg

• FYI - this results in your global .gitconfig to be updated with this...

[gpg]
program = /usr/local/bin/gpg

---

BONUS: Android Sync

Requirements

• install latest Termux from F-Droid
• install Termux Widget 0.13+

Setup your Termux for Git

• upgrade packages

pkg upgrade

• install required packages

pkg install git git-crypt

• make storage available in Termux (/storage/shared/*)

termux-setup-storage

• generate new SSH key (press enter for empty passphrase)

ssh-keygen -t ed25519 -C "your_email@example.com"

• add your new SSH key to your github account (see here)

Setup your vault in Termux

Vault repository setup

• clone the vault repository into Termux home (for now) > replace YourGithubUsername/YourVaultRepo with your own

git clone git@github.com:YourGithubUser/YourVaultRepo.git

• copy the git-crypt-key file into termux (you can zip it to git-crypt-key.zip and transfer to your device using your favorite method)
• unlock the vault repository (this might take a while)

# go inside
cd YourVaultRepo
# unlock your vault
git-crypt unlock ../git-crypt-key

• once unlock is finished, move this github vault repo to the shared folder; this is because Obsidian app needs to be able see it:

# go back home
cd
# move to your storage
mv YourVaultRepo storage/shared/

Android scripts setup (Termux):

To take this up a notch further, this gives us very handy commit and push and a pull shortcut that we can launch directly from the comfort of our homescreen

Clone the repository, then copy the pull.sh, push.sh, log.sh , repo.conf into your termux .shortcuts directory to be able to trigger them from homescreen widget.

• clone the repo containing .sh scripts and .conf file

git clone git@github.com:snazzybytes/obsidian-scripts.git

• copy all files from android folder to Termux's .shortcuts directory (needed to get Termux Widget working)

cp obsidian-scripts/android/* .shortcuts/

• update repo.conf file with your github vault repo name (this is used by the push/pull/log .sh scripts)

GH_REPO=YourVaultRepo

• make sure they are executable

# go inside and change permissions
cd obsidian-scripts
chmod +x pull.sh push.sh log.sh
# go back to home directory
cd

• drop Termux:Widget on your homescreen and you should now see the scripts from .shortcuts show up on the list

BOOM 🚀🔥! Now you can access your encrypted vault on android too and push encrypted changes to github. see here for demo

Scripts Documented (same as the repo ones)

per latest Termux Widget version 0.13+ all custom scripts in Termux .shortcuts directory need proper shebangs #!/data/data/com.termux/files/usr/bin/bash

pull.sh (allows to pull remote changes)

#!/data/data/com.termux/files/usr/bin/bash
source repo.conf
cd ~/storage/shared/$GH_REPO
git pull
cd ~
bash -c "read -t 3 -n 1"

push.sh (allows to commit and push note changes)

#!/data/data/com.termux/files/usr/bin/bash
source repo.conf
cd ~/storage/shared/$GH_REPO
git add .
git commit -m "android on $(date)"
git push
cd ~
bash -c "read -t 3 -n 1"

log.sh (allows you to check which version you are on with git log)

#!/data/data/com.termux/files/usr/bin/bash
source repo.conf
cd /data/data/com.termux/files/home/storage/shared/$GH_REPO
git log
cd ~
bash -c "read -t 5 -n 1"

Resources and references

• https://willricketts.com/obsidian-changed-everything-for-me/
• https://github.com/AGWA/git-crypt
• https://buddy.works/guides/git-crypt
• https://medium.com/@dianademco/writing-in-obsidian-a-comprehensive-guide-58a1306ed293
• https://renerocks.ai/blog/obsidian-encrypted-github-android/#checking-it-out-on-a-different-machine
• https://publish.obsidian.md/git-doc/Start+here
• https://github.com/denolehov/obsidian-git/issues/21

Comments

[Rohit Das]

What is the BrainPad folder in git attribute?

[SnazzyBytes]

That is just a random name of the sample notes folder (the top level root directory, for the Obsidian "vault"). Replace that with the name of your obsidian vault instead 🫡