Diffstat (limited to 'doc')
-rw-r--r-- | doc/encryption.mdwn | 29
-rw-r--r-- | doc/todo/feature_request__58___pubkey-only_encryption_mode.mdwn | 2
2 files changed, 25 insertions, 6 deletions
diff --git a/doc/encryption.mdwn b/doc/encryption.mdwn index bf6a9a229..311511510 100644 --- a/doc/encryption.mdwn +++ b/doc/encryption.mdwn @@ -23,8 +23,9 @@ to disable encryption. To use encryption, you run * `git annex initremote newremote type=... encryption=hybrid keyid=KEYID ...` * `git annex initremote newremote type=... encryption=shared` * `git annex initremote newremote type=... encryption=pubkey keyid=KEYID ...` +* `git annex initremote newremote type=... encryption=sharedpubkey keyid=KEYID ...`` -## hybrid encryption keys +## hybrid encryption keys (encryption=hybrid) The [[hybrid_key_design|design/encryption]] allows additional encryption keys to be added on to a special remote later. Due to this @@ -53,7 +54,7 @@ probably to replace a revoked key: See also [[encryption_design|design/encryption]] for other security risks associated with encryption. -## shared encryption key +## shared encryption key (encryption=shared) Alternatively, you can configure git-annex to use a shared cipher to encrypt data stored in a remote. This shared cipher is stored, @@ -66,7 +67,7 @@ The advantage is you don't need to set up gpg keys. The disadvantage is that this is **insecure** unless you trust every clone of the git repository with access to the encrypted data stored in the special remote. -## regular public key encryption +## regular public key encryption (encryption=pubkey) This alternative simply encrypts the files in the special remotes to one or more public keys. It might be considered more secure due to its simplicity 
@@ -88,9 +89,25 @@ key has to be kept around to be able to decrypt those files. that the key has been compromised, it is **insecure** to leave files encrypted using that old key, and the user should re-encrypt everything.) -(Because filenames are MAC'ed, a cipher still needs to be -generated (and encrypted to the given key IDs). It is only used for MHAC -encryption of filenames.) +(A cipher still needs to be generated (and is encrypted to the given key IDs). +It is only used for HMAC encryption of filenames.) + +## regular public key encryption with shared filename encryption (encryption=sharedpubkey) + +This is a variation on encryption=pubkey which lets anyone who +has access to the gpg public keys store files in the special remote. +But, only owners of the corresponding private keys can retrieve the files +from the special remote. + + git annex initremote newremote type=... [encryption=hybrid] keyid=KEYID ... + +This might be useful if you want to let others drop off files for you in a +special remote, so that only you can access them. + +The filenames used on the special remote are encrypted using HMAC, +which prevents the special remote from seeing the filenames. But, anyone +who can clone the git repository can access the HMAC cipher; it's stored +**unencrypted** in the git repository. ## MAC algorithm diff --git a/doc/todo/feature_request__58___pubkey-only_encryption_mode.mdwn b/doc/todo/feature_request__58___pubkey-only_encryption_mode.mdwn index 2bfc629dd..5a3c10885 100644 --- a/doc/todo/feature_request__58___pubkey-only_encryption_mode.mdwn +++ b/doc/todo/feature_request__58___pubkey-only_encryption_mode.mdwn @@ -12,3 +12,5 @@ remotes (S3). In that case, I don't care much about hiding file names, but would appreciate the increased security of not having the secret key on the backup server. It would only be needed if I wanted to verify or restore backups. + +> Added "encryption=sharedpubkey" [[done]] --[[Joey]] |
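Review bot: the list item added in the `@@ -23,8 +23,9 @@` hunk of doc/encryption.mdwn ends with a doubled backtick after `keyid=KEYID ...`, unlike the three existing items above it, so the inline code span will not close cleanly when rendered. Drop the extra backtick so the `encryption=sharedpubkey` line matches the `hybrid`, `shared` and `pubkey` lines.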
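Review bot: the example command in the new "encryption=sharedpubkey" section (`@@ -88,9 +89,25 @@` hunk of doc/encryption.mdwn) reads `git annex initremote newremote type=... [encryption=hybrid] keyid=KEYID ...`, which names hybrid rather than the mode the section introduces. It looks copied from another section and should say `encryption=sharedpubkey`, as the list item added at the top of the file does. Two wording points in the same hunk: "HMAC encryption of filenames" and "encrypted using HMAC" describe a keyed MAC as encryption, where the removed text said the filenames are "MAC'ed", so "filenames are HMACed" would be more accurate. Also, the rewritten parenthetical under encryption=pubkey says the cipher "is encrypted to the given key IDs" while the new section says the HMAC cipher is stored **unencrypted** in the git repository, so it would help to state explicitly that this is the difference between the two modes and what holding that cipher lets a clone of the repository learn about filenames on the remote.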