by xe4l 4466 days ago
I evaluated git-crypt for a previous venture and ended up using gitolite hooks instead. The setup I built stored users' PGP key IDs, associated each key ID with the user's gitolite account, and used hooks to encrypt content for users with permission to the repo. A system account was created with a corresponding keypair to handle user add/mod/del by decrypting and re-encrypting content for the appropriate users in a given repo.

The beauty of this setup was that it was all over SSH, and all keys used to access, sign and encrypt content (including the system user's) were stored on smart cards.

If security is important, it's wise to take steps that align with or exceed your risk appetite.
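The recipient-selection and re-key logic such a hook needs, as an added example that is not the commenter's code: it parses a simplified subset of gitolite.conf (group lines, `repo` lines, `PERM [refex] = users` rules; deny rules are refused rather than guessed at), maps each user with read access to a PGP key ID, always adds the system account's key so the server can later decrypt and re-encrypt, and diffs the recipient lists before and after a membership change. The conf fragments, the user-to-key-ID mapping and all key IDs are constructed; the gpg command line is built but not executed.

```python
"""Recipient selection and re-key planning for a gitolite-style encrypting hook.

Added example modelled on the setup described in the comment. The gitolite.conf
subset, the key-ID mapping and the system key are assumptions for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Hypothetical system account key: always a recipient so the server can
# decrypt and re-encrypt a repo's content when its membership changes.
SYSTEM_KEYID = "0xAAAAAAAAAAAAAAAA"

# Constructed gitolite.conf fragments (simplified subset). Membership of
# 'secrets' changes between them: carol removed, dave added.
CONF_BEFORE = """
@admins = alice
repo secrets
    RW+ = @admins bob
    R   = carol
"""
CONF_AFTER = """
@admins = alice
repo secrets
    RW+ = @admins bob
    R   = dave
"""

# Constructed gitolite user -> PGP key ID mapping (hypothetical long IDs).
KEYIDS = {
    "alice": "0x1111111111111111",
    "bob":   "0x2222222222222222",
    "carol": "0x3333333333333333",
    "dave":  "0x4444444444444444",
}

_PERM = re.compile(r"^(R|RW\+?C?D?)$")   # every grant implies read access


def _expand(tokens: List[str], groups: Dict[str, Set[str]]) -> Set[str]:
    """Replace @group tokens with their members; unknown groups are an error."""
    out: Set[str] = set()
    for tok in tokens:
        if tok.startswith("@"):
            if tok not in groups:
                raise ValueError(f"unknown group {tok}")
            out |= groups[tok]
        else:
            out.add(tok)
    return out


def parse_conf(text: str) -> Dict[str, Set[str]]:
    """Map each repo to the users with at least read (hence decrypt) access.

    Deny rules ('-') are order-dependent in gitolite; this parser refuses
    them (fail closed) instead of silently granting or withholding keys.
    """
    groups: Dict[str, Set[str]] = {}
    acl: Dict[str, Set[str]] = {}
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("repo "):
            current = line.split()[1:]
            for repo in current:
                acl.setdefault(repo, set())
            continue
        lhs, sep, rhs = line.partition("=")
        if not sep:
            raise ValueError(f"unparsed line: {line!r}")
        head, members = lhs.split()[0], rhs.split()
        if head.startswith("@"):                   # group definition
            groups[head] = _expand(members, groups)
            continue
        if head == "-":
            raise ValueError("deny rules not supported; refusing to guess")
        if not _PERM.match(head) or not current:   # head is the perm; refex ignored
            raise ValueError(f"unparsed rule: {line!r}")
        for repo in current:
            acl[repo] |= _expand(members, groups)
    return acl


def recipients(repo: str, acl: Dict[str, Set[str]], keyids: Dict[str, str]) -> List[str]:
    """Sorted key IDs to encrypt to: every reader of `repo` plus the system key.

    A reader with no registered key ID is an error, not a silent skip, so a
    broken key-registration step cannot quietly lock a user out.
    """
    missing = sorted(acl[repo] - set(keyids))
    if missing:
        raise KeyError(f"no PGP key ID registered for: {missing}")
    return sorted({keyids[u] for u in acl[repo]} | {SYSTEM_KEYID})


def rekey_plan(old: List[str], new: List[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) key IDs; anything non-empty means the system account
    must decrypt and re-encrypt the repo's current content to `new`."""
    return set(new) - set(old), set(old) - set(new)


def gpg_encrypt_cmd(keyids: List[str], path: str) -> List[str]:
    """argv to encrypt `path` to `keyids` with GnuPG (built, not executed here).

    --trust-model always: the hook, not the web of trust, decides which key
    belongs to which user, so the IDs must be long IDs or full fingerprints.
    """
    cmd = ["gpg", "--batch", "--yes", "--trust-model", "always", "--encrypt"]
    for kid in keyids:
        cmd += ["--recipient", kid]
    return cmd + ["--output", path + ".gpg", path]


if __name__ == "__main__":
    before = recipients("secrets", parse_conf(CONF_BEFORE), KEYIDS)
    after = recipients("secrets", parse_conf(CONF_AFTER), KEYIDS)
    added, removed = rekey_plan(before, after)
    print("encrypt to:", after, "added:", added, "removed:", removed)
    if added or removed:
        print(" ".join(gpg_encrypt_cmd(after, "secrets/db-password")))
```

Two caveats worth keeping in mind with this design: re-encryption only covers the current content, so ciphertext already committed to history stays decryptable by a removed user's key unless history is rewritten; and with the system account's key on a smart card, that card has to be present on the gitolite host whenever the re-key hook fires.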