Back to Home

Secure Obsidian Sync: Git and Encryption

Detailed guide to setting up secure note sync in Obsidian using Git and the git-crypt tool for end-to-end encryption. The article covers creating a GPG key, initializing the repository, integrating with the Obsidian Git plugin, setting up pre-commit hooks, and backup methods.

How to Sync Obsidian with Encryption: Complete Guide
Advertisement 728x90

Secure Obsidian Sync with Git and End-to-End Encryption

Syncing Obsidian notes across devices while keeping your data private is straightforward using Git and the git-crypt tool for transparent encryption. This method gives you complete control over your notes, ditching reliance on proprietary cloud services.

Setting Up Your Environment and Creating a GPG Key

Start by installing the required software. On Arch Linux, run sudo pacman -S gnupg git-crypt; on Debian/Ubuntu, use sudo apt install gnupg git-crypt. Next, secure your GPG directory permissions:

chmod 700 ~/.gnupg
find ~/.gnupg -type f -exec chmod 600 {} \;
find ~/.gnupg -type d -exec chmod 700 {} \;

Generate an asymmetric key with gpg --full-generate-key. During setup, choose:

Google AdInline article slot
  • Key type: RSA (option 1).
  • Size: 4096 bits.
  • Expiration: 0 (no expiry).
  • ID details: your name and email.
  • Passphrase: required for each repo unlock.

For convenience, cache the passphrase for 24 hours by adding default-cache-ttl 86400 and max-cache-ttl 86400 to ~/.gnupg/gpg-agent.conf, then run gpgconf --reload gpg-agent.

Initializing the Repository with git-crypt

Navigate to your notes folder and init a Git repo: cd ~/notes && git init. Set up encryption with git-crypt init, then add your GPG key as trusted: git-crypt add-gpg-user --trusted [email protected].

Configure .gitignore and .gitattributes properly. In .gitignore, exclude Obsidian temp and system files:

Google AdInline article slot
.obsidian/workspace.json
.obsidian/workspace-mobile.json
.obsidian/cache
.trash/

In .gitattributes, specify files for git-crypt encryption:

.gitattributes !filter !diff
.gitignore !filter !diff

*.md     filter=git-crypt diff=git-crypt
*.canvas filter=git-crypt diff=git-crypt
*.png    filter=git-crypt diff=git-crypt
*.jpg    filter=git-crypt diff=git-crypt
*.jpeg   filter=git-crypt diff=git-crypt
*.pdf    filter=git-crypt diff=git-crypt

Commit order matters: first .gitattributes, then everything else to avoid pushing unencrypted data.

git add .gitattributes
git commit -m "$(date '+%Y-%m-%d %H:%M')"
git add .
git commit -m "$(date '+%Y-%m-%d %H:%M')"

Check encryption status with git-crypt status | grep WARNING. Set up your remote repo and push.

Google AdInline article slot

Integrating with Obsidian and Automating

Install the Obsidian Git plugin (by Vinzent) via Obsidian settings for Git operations like pull, commit, and push from the UI or on a schedule. Key rule: always unlock the repo with git-crypt unlock in the terminal before launching Obsidian. Otherwise, you'll see binary gibberish instead of note text, and the plugin might push bad commits.

Boost security with a pre-commit hook to block unencrypted files. Create an executable .githooks/pre-commit:

#!/bin/bash
for file in $(git diff --cached --name-only); do
    if git check-attr filter "$file" | grep -q "git-crypt"; then
        string=$(git show ":$file" 2>/dev/null | head -c 9)
        if [ "$string" != $'\x00GITCRYPT' ]; then
            echo "file '$file' is not encrypted. Be careful!"
            exit 1
        fi
    fi
done
exit 0

Tell Git to use it: git config core.hooksPath .githooks.

Migration and Backups

To move to a new device, export your secret GPG key: gpg --export-secret-keys --armor [email protected] > ~/key.asc. Transfer securely (e.g., via scp), import with gpg --import, clone the repo, and run git-crypt unlock. Delete the key file from both devices afterward. Back up your GPG key in a secure spot like a password manager—without it and the passphrase, your notes are inaccessible.

Alternative: Symmetric Encryption

If GPG feels overkill, use git-crypt's symmetric keys. Export with git-crypt export-key ~/key.bin, then convert to base64 for storage: base64 -i ~/key.bin. Store the string in your password manager. On another device, decode and unlock: echo "base64 string" | base64 -d > key.bin && git-crypt unlock key.bin. Note: this is less secure—no extra passphrase protects the key, so compromise means data exposure.

Key Benefits

  • Full data control: Notes stay in your Git repo with AES-256 end-to-end encryption.
  • Seamless workflow: Encryption/decryption is automatic via Git filters—you edit plain Markdown files.
  • Cross-platform: Works on Linux, macOS, and Windows (via WSL or native Git).
  • Automated sync: Obsidian Git plugin handles scheduled commits and pushes.
  • Extra safeguards: Pre-commit hook stops accidental pushes of unencrypted files.

— Editorial Team

Advertisement 728x90

Read Next