diff options
Diffstat (limited to 'doc/tips/fully_encrypted_git_repositories_with_gcrypt.mdwn')
-rw-r--r-- | doc/tips/fully_encrypted_git_repositories_with_gcrypt.mdwn | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/doc/tips/fully_encrypted_git_repositories_with_gcrypt.mdwn b/doc/tips/fully_encrypted_git_repositories_with_gcrypt.mdwn new file mode 100644 index 000000000..5934747f0 --- /dev/null +++ b/doc/tips/fully_encrypted_git_repositories_with_gcrypt.mdwn @@ -0,0 +1,127 @@ +[git-remote-gcrypt](https://github.com/joeyh/git-remote-gcrypt/) +adds support for encrypted remotes to git. The git-annex +[[gcrypt special remote|special_remotes/gcrypt]] allows git-annex to +also store its files in such repositories. Naturally, git-annex encrypts +the files it stores too, so everything stored on the remote is encrypted. + +Here are some ways you can use this awesome stuff.. + +[[!toc ]] + +This page will show how to set it up at the command line, but the git-annex +[[assistant]] can also be used to help you set up encrypted git +repositories. + +## prerequisites + +* Install +[git-remote-gcrypt](https://github.com/joeyh/git-remote-gcrypt/) +* Install git-annex version 4.20130909 or newer. + +## encrypted backup drive + +Let's make a USB drive into an encrypted backup repository. It will contain +both the full contents of your git repository, and all the files you +instruct git-annex to store on it, and everything will be encrypted so that +only you can see it. + +First, you need to set up a gpg key. You might consider generating a +special purpose key just for this use case, since you may end up wanting to +put the key on multiple machines that you would not trust with your +main gpg key. + +You need to tell git-annex the keyid of the key when setting up the +encrypted repository: + + git init --bare /mnt/encryptedbackup + git annex initremote encryptedbackup type=gcrypt gitrepo=/mnt/encryptedbackup keyid=$mykey + git annex sync encryptedbackup + +Now you can copy (or even move) files to the repository. After +sending files to it, you'll probably want to do a sync, which pushes +the git repository changes to it as well. + + git annex copy --to encryptedbackup ... + git annex sync encryptedbackup + +Note that if you lose your gpg key, it will be *impossible* to get the +data out of your encrypted backup. You need to find a secure way to store a +backup of your gpg key. Printing it out and storing it in a safe deposit box, +for example. + +You can actually specifiy keyid= as many times as you like to allow any one +of a set of gpg keys to access this repository. So you could add a friend's +key, or another gpg key you have. + +To restore from the backup, just plug the drive into any machine that has +the gpg key used to encrypt it, and then: + + git clone gcrypt::/mnt/encryptedbackup restored + cd restored + git annex enableremote encryptedbackup gitrepo=/mnt/encryptedbackup + git annex get --from encryptedbackup + +## encrypted git-annex repository on a ssh server + +If you have a ssh server that has rsync installed, you can set up an +encrypted repository there. Works just like the encrypted drive except +without the cable. + +First, on the server, run: + + git init --bare encryptedrepo + +(Also, install git-annex on the server if it's possible & easy to do so. +While this will work without git-annex being installed on the server, it +is recommended to have it installed.) + +Now, in your existing git-annex repository, set up the encrypted remote: + + git annex initremote encryptedrepo type=gcrypt gitrepo=ssh://my.server/home/me/encryptedrepo keyid=$mykey + git annex sync encryptedrepo + +If you're going to be sharing this repository with others, be sure to also +include their keyids, by specifying keyid= repeatedly. + +Now you can copy (or even move) files to the repository. After +sending files to it, you'll probably want to do a sync, which pushes +the git repository changes to it as well. + + git annex copy --to encryptedrepo ... + git annex sync encryptedbackup + +Anyone who has access to the repo it and has one of the keys +used to encrypt it can check it out: + + git clone gcrypt::ssh://my.server/home/me/encryptedrepo myrepo + cd myrepo + git annex enableremote encryptedrepo gitrepo=ssh://my.server/home/me/encryptedrepo + git annex get --from encryptedrepo + +## private encrypted git remote on hosting site + +You can use gcrypt to store your git repository in encrypted form on any +hosting site that supports git. Only you can decrypt its contents. +Using it this way, git-annex does not store large files on the hosting site; it's +only used to store your git repository itself. + + git remote add encrypted gcrypt::ssh://hostingsite/myrepo.git + git push encrypted master git-annex + +Now you can carry on using git-annex with your new repository. For example, +`git annex sync` will sync with it. + +To check out the repository from the hosting site, use the same gcrypt:: +url you used when setting it up: + + git clone gcrypt::ssh://hostingsite/myrepo.git + +## multiuser encrypted git remote on hosting site + +Suppose two users want to share an encrypted git remote. Both of you +need to set up the remote, and configure gcrypt to encrypt it so that both +of you can see it. + + git remote add sharedencrypted gcrypt::ssh://hostingsite/myrepo.git + git config remote.sharedencrypted.gcryt-participants "$mykey $friendkey" + git config git push sharedencrypted master git-annex |