Skip to content

kinnalru/gitcrypt

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Transparent Git Encryption

This project based(forked) on git-encrypt by Woody Gilk(@shadowhand) but diverged and hard to merge back. It has own uniq features. The original gitcrypt tool is inspired by this document written by Ning Shang, which was in turn inspired by this post. Without these two documents, by people much smarter than me, gitcrypt would not exist.

There is some controversy over using this technique, so do your research and understand the implications of using this tool before you go crazy with it.

Features

  • Using strong master key to encrypt data.

  • Master key can be encrypted/decrypting through such facilities:

    • GPG. The most secure way because master key not stored anywhere unencrypted. It has some performance issue because of decrypting is made on ANY FILE while commit/checkout/stage/diff/merge. Also it is possible to encrypt master key for multiple users(which PUBLIC keys you have) and can be used in multiuser encrypted repo.

    • passphrase. The master key is decrypted once on repo initialization and stored in .git/config.

    • SSH private-key. It is suitable ONLY for personal use because ssh-private key is used to encrypt/decrypt master key. There is no public/private facility used but master key is encrypted with sha512 hash of ssh-private key internals(decrypted if needed). The master key is decrypted once on repo initialization and stored in .git/config. This made for users who has ssh-key but no gpg key

  • It possible to merge(and resolve conflicts) in encrypted commits. It is realized by custom merge driver "gitcrypt-merge"

  • You can encrypt previous repo history with command1:

      $ gitcrypt crypthistory
      $ You MUST run 'crypthistory' BEFORE any encrypted commits.Do you want to recrypt all history? This may corrut your data? [Y/n]
      ...
    
  • You can encrypt/decrypt all history:

      $ gitcrypt crypthistory
      $ gitcrypt decrypthistory
    
  • You can enable/disable gitcrypt facility:

      $ gitcrypt disable
      $ gitcrypt reset
      $ gitcrypt enable
      $ gitcrypt reset
    
  • You can add multiple users to allowed to encrypt master key when using GPG:

      $ gitcrypt init
      $ Please select masterkey encryption type:
      $ type 'gpg' for use gpg
      $ type path to ssh-private key ex: ~/.ssh/id_rsa
      $ or type <passphrase> wich will encrypt masterkey
      $ *gpg*
      ...
      $
      $ You did not specify a user ID. (you may use "-r")
      $ 
      $ Current recipients:
      $ 2048R/DEFD08C4 2015-01-13 "Samoilenko Yuri <[email protected]>"
      $ 
      $ Enter the user ID.  End with an empty line: [email protected]
      $ 
      $ Current recipients:
      $ 2048R/370F9A12 2015-05-30 "gitcrypt <[email protected]>"
      $ 2048R/DEFD08C4 2015-01-13 "Samoilenko Yuri <[email protected]>"
      $
      $ Enter the user ID.  End with an empty line: 
      ...
    

    Now [email protected] and [email protected] can decrypt repo with own private gpg key.

Requirements

Openssl and git must be installed and the binary must be available in your $PATH.

Installation

Clone gitcrypt somewhere on your local machine:

	$ git clone https://github.com/kinnalru/gitcrypt
	$ cd gitcrypt

The gitcrypt command must be executable:

	$ chmod 0755 gitcrypt

And it and it's internal files must be accessible in your $PATH:

	$ export PATH="$PATH:$(pwd)"

Gentoo

Or you can use my home little overlay for Gentoo: https://github.com/kinnalru/hoverlay

For Windows

Verified on PortableGit Only !

Copy the file gitcrypt to your PortableGit/bin location. In my environment PortableGit is available at E:\PortableGit.

copy gitcrypt E:\PortableGit\bin

Also make sure that PATH environment variable has E:\PortableGit\bin available in it.

Path=C:\Python27;C:\Python27\Scripts;E:\PortableGit\bin;E:\PortableGit\libexec\git-core;C:\windows\system32;C:\windows;C:\window s\system32\WBEM;c:\windows\System32\WindowsPowerShell\v1.0;c:\i386~configs;C:\Users\VKHANORK\AppData\Roaming\Python\Scripts

Configuration

To quickly setup gitcrypt interactively, run gitcrypt init from the root of your git repository. It will ask you for an encrypt facility GPG/SSH/passphrase, cipher mode, and what files should be encrypted.

	$ cd my-repo
	$ gitcrypt init

Useful example to mark *.skip files not-encryptable:

	$ cat .git/info/attributes
	$ * filter=encrypt diff=encrypt merge=encrypt
	$ .gitcryptsecret filter diff merge text
	$ .gitattributes filter diff merge text
	$ *.skip text diff merge filter
	$ [merge]
	$    renormalize=true

Your repository is now set up! Any time you git add a file that matches the filter pattern the clean filter is applied, automatically encrypting the file before it is staged. Using git diff will work normally, as it automatically decrypts file content as necessary.

Manual Configuration

You can manually modify .git/config file:

	$ [gitcrypt]
	$   cipher = aes-256-cbc
	$   pass = gpg           # if gpg used
	$   pass = ~/.ssh/id_rsa # if ssh-private key used
	$   pass =               # empty if passphrase used
	$   secret =             # empty if gpg used 
	$   secret ="hnlR6m#sQY02HcD^22)k0EhMpf&SF*fxY&i4j0gCMdRKuVuI"
	$   salt = 7214e82f24d5511d
	$ [filter "encrypt"]
	$   smudge = gitcrypt smudge
	$   clean = gitcrypt clean
	$ [diff "encrypt"]
	$   textconv = gitcrypt diff
	$ [merge "encrypt"]
	$   name = gitcrypt merge driver
	$   driver = gitcrypt-merge %A %O %B %L

Next, you need to define what files will be automatically encrypted using the .git/info/attributes file. Any file pattern format can be used here.

To encrypt all the files in the repo:

	* filter=encrypt diff=encrypt merge=encrypt
	[merge]
		renormalize = true

To encrypt only one file, you could do this:

	secret.txt filter=encrypt diff=encrypt merge=encrypt

Or to encrypt all ".secure" files:

	*.secure filter=encrypt diff=encrypt merge=encrypt

If you want this mapping to be included in your repository, use a .gitattributes file instead and do not encrypt it.

Decrypting Clones

To set up decryption from a clone, you will need to repeat the same setup on the new clone.

First, clone the repository, but do not perform a checkout:

	$ git clone -n git://github.com/johndoe/encrypted.get
	$ cd encrypted

If you do a git status now, it will show all your files as being deleted. Do not fear, this is actually what we want right now, because we need to setup gitcrypt before doing a checkout.

Now you can either run gitcrypt init or do the same manual configuration that performed on the original repository.

Once configuration is complete, reset and checkout all the files:

	$ gitcrypt reset

All the files in the are now decrypted and ready to be edited.

Note that if you have diffrent salt you will see that files modified but git diff show none. This will lead to grown up of repository because all encrypred files will considered as changed

Conclusion

Enjoy your secure git repository!

About

Transparent Git Encryption

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Shell 58.9%
  • Ruby 41.1%