Remove file from repository and from all revisions [updated]

Say you have committed a file that contains sensitive or confidential information to a Git repository. You want to literally purge it from the repository history.

A simple git rm --cached <file> won’t do the trick. It removes the file from the repository (keeping it in your working directory), but the file still remains in the history. What now?

There’s a Stack Overflow answer that cites gitready.com’s blog post from March 2009. Since the entire idea is expressed in short but beautiful words, let me cite it as well:

If you actually want to remove a file from history, git filter-branch is the hacksaw you’re looking for. Definitely read up on its manpage before using it, since it will literally rewrite your project’s commits. (…) The command to remove a file from all revisions is:

git filter-branch --index-filter 'git rm --cached <file>' HEAD

This action can definitely be useful when you need to blow out sensitive or confidential information that may have been placed in your repository (or its history — my addition).
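The procedure quoted above, run end to end in a throwaway repository, as an added example that is not part of the original post or of the gitready.com article. The repository, file names and "secret" are constructed. Beyond the quoted command it assumes --ignore-unmatch (so commits that predate the file do not abort the rewrite) and the local cleanup of refs/original and the reflog, which otherwise keep the old commits reachable.

```shell
#!/bin/sh
# Added example: all names, paths and the "secret" below are constructed.
purge_demo() {
    repo=$(mktemp -d) || return 1
    (
        set -e
        cd "$repo"
        GIT_AUTHOR_NAME=demo; GIT_AUTHOR_EMAIL=demo@example.invalid
        GIT_COMMITTER_NAME=demo; GIT_COMMITTER_EMAIL=demo@example.invalid
        FILTER_BRANCH_SQUELCH_WARNING=1
        export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME \
               GIT_COMMITTER_EMAIL FILTER_BRANCH_SQUELCH_WARNING

        git init -q .
        echo "hello" > README
        git add README
        git commit -q -m "initial commit"        # secrets.txt does not exist yet
        echo "password=constructed-demo-value" > secrets.txt
        git add secrets.txt
        git commit -q -m "add config"
        blob=$(git rev-parse HEAD:secrets.txt)   # object id of the sensitive content
        echo "more" >> README
        git commit -q -am "update readme"

        # Rewrite every commit on HEAD, dropping the file from each index.
        git filter-branch -f --index-filter \
            'git rm -q --cached --ignore-unmatch secrets.txt' HEAD >/dev/null 2>&1

        # filter-branch keeps a backup under refs/original; the reflog also
        # still points at the old commits. Drop both, then prune the objects.
        git for-each-ref --format='%(refname)' refs/original/ |
            while read -r ref; do git update-ref -d "$ref"; done
        git reflog expire --expire=now --all
        git gc -q --prune=now

        # Verify: no commit on any ref touches the file, and the blob is gone.
        commits=$(git log --all --oneline -- secrets.txt | wc -l | tr -d ' ')
        if git cat-file -e "$blob" 2>/dev/null; then state=present; else state=gone; fi
        echo "commits=$commits blob=$state"
    )
    rc=$?
    rm -rf "$repo"
    return "$rc"
}

purge_demo   # prints: commits=0 blob=gone
```

This cleans only the local clone; it does nothing about copies already pushed or pulled elsewhere.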

The next big question is whether you have only committed the sensitive file, or whether you have also pushed your changes to a remote after that. In the second case you may be screwed, as you don’t have (and probably never will have) 100% certainty that someone hasn’t pulled the changes containing your sensitive file to their own local Git copy and browsed the file before you purged it from the repo and its history.

That’s why most people consider a committed and pushed sensitive file a security breach, and claim that in this case the file becomes public, no matter what.

Update: This may be interesting: “Completely remove file from local and remote (GitHub) repository”.
