Secure Obsidian Sync with Git and End-to-End Encryption
Syncing Obsidian notes across devices while keeping your data private is straightforward using Git and the git-crypt tool for transparent encryption. This method gives you complete control over your notes, ditching reliance on proprietary cloud services.
Setting Up Your Environment and Creating a GPG Key
Start by installing the required software. On Arch Linux, run sudo pacman -S gnupg git-crypt; on Debian/Ubuntu, use sudo apt install gnupg git-crypt. Next, secure your GPG directory permissions:
chmod 700 ~/.gnupg
find ~/.gnupg -type f -exec chmod 600 {} \;
find ~/.gnupg -type d -exec chmod 700 {} \;
Generate an asymmetric key with gpg --full-generate-key. During setup, choose:
- Key type: RSA (option 1).
- Size: 4096 bits.
- Expiration: 0 (no expiry).
- ID details: your name and email.
- Passphrase: required for each repo unlock.
For convenience, cache the passphrase for 24 hours by adding default-cache-ttl 86400 and max-cache-ttl 86400 to ~/.gnupg/gpg-agent.conf, then run gpgconf --reload gpg-agent.
Initializing the Repository with git-crypt
Navigate to your notes folder and init a Git repo: cd ~/notes && git init. Set up encryption with git-crypt init, then add your GPG key as trusted: git-crypt add-gpg-user --trusted [email protected].
Configure .gitignore and .gitattributes properly. In .gitignore, exclude Obsidian temp and system files:
.obsidian/workspace.json
.obsidian/workspace-mobile.json
.obsidian/cache
.trash/
In .gitattributes, specify files for git-crypt encryption:
.gitattributes !filter !diff
.gitignore !filter !diff
*.md filter=git-crypt diff=git-crypt
*.canvas filter=git-crypt diff=git-crypt
*.png filter=git-crypt diff=git-crypt
*.jpg filter=git-crypt diff=git-crypt
*.jpeg filter=git-crypt diff=git-crypt
*.pdf filter=git-crypt diff=git-crypt
Commit order matters: first .gitattributes, then everything else to avoid pushing unencrypted data.
git add .gitattributes
git commit -m "$(date '+%Y-%m-%d %H:%M')"
git add .
git commit -m "$(date '+%Y-%m-%d %H:%M')"
Check encryption status with git-crypt status | grep WARNING. Set up your remote repo and push.
Integrating with Obsidian and Automating
Install the Obsidian Git plugin (by Vinzent) via Obsidian settings for Git operations like pull, commit, and push from the UI or on a schedule. Key rule: always unlock the repo with git-crypt unlock in the terminal before launching Obsidian. Otherwise, you'll see binary gibberish instead of note text, and the plugin might push bad commits.
Boost security with a pre-commit hook to block unencrypted files. Create an executable .githooks/pre-commit:
#!/bin/bash
for file in $(git diff --cached --name-only); do
if git check-attr filter "$file" | grep -q "git-crypt"; then
string=$(git show ":$file" 2>/dev/null | head -c 9)
if [ "$string" != $'\x00GITCRYPT' ]; then
echo "file '$file' is not encrypted. Be careful!"
exit 1
fi
fi
done
exit 0
Tell Git to use it: git config core.hooksPath .githooks.
Migration and Backups
To move to a new device, export your secret GPG key: gpg --export-secret-keys --armor [email protected] > ~/key.asc. Transfer securely (e.g., via scp), import with gpg --import, clone the repo, and run git-crypt unlock. Delete the key file from both devices afterward. Back up your GPG key in a secure spot like a password manager—without it and the passphrase, your notes are inaccessible.
Alternative: Symmetric Encryption
If GPG feels overkill, use git-crypt's symmetric keys. Export with git-crypt export-key ~/key.bin, then convert to base64 for storage: base64 -i ~/key.bin. Store the string in your password manager. On another device, decode and unlock: echo "base64 string" | base64 -d > key.bin && git-crypt unlock key.bin. Note: this is less secure—no extra passphrase protects the key, so compromise means data exposure.
Key Benefits
- Full data control: Notes stay in your Git repo with AES-256 end-to-end encryption.
- Seamless workflow: Encryption/decryption is automatic via Git filters—you edit plain Markdown files.
- Cross-platform: Works on Linux, macOS, and Windows (via WSL or native Git).
- Automated sync: Obsidian Git plugin handles scheduled commits and pushes.
- Extra safeguards: Pre-commit hook stops accidental pushes of unencrypted files.
— Editorial Team
No comments yet.