Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
713 views
in Technique[技术] by (71.8m points)

encryption - git encrypt/decrypt remote repository files while push/pull

Is it possible to automatically encrypt files via 'git push' before transferring to a remote repository? And automatically decode them while 'git pull'.

I.e, if I have some remote server with shared access with git repository there, and I don't want our project to be stolen without a permission... Maybe there is some special git-hooks before push and after pull?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Yes and no.

You could try to depend on hook but that supposes they are installed at the remote locations, and that is not always reliable.

Another way to achieve almost the same effect would be by using a smudge/clean attribute filter driver, but not for a full repo.

smudge/clean

(Source: Pro Git book: Customizing Git - Git Attributes)

That way the smudge script is able decode the files, while the clean script would encode them.
Again, that could work for a few sensitive files, not for a full repo.

Off course, those scripts would not be in the repository itself, and would be managed/communicated by another way.

As Alkaline points out in the comments, that idea does not scale for a repo, as the main git maintainer Junio C. Hamano comments back in 2009:

As the sole raison d'etre of diff.textconv is to allow potentially lossy conversion (e.g. msword-to-text) applied to the preimage and postimage pair of contents (that are supposed to be "clean") before giving a textual diff to human consumption.

The above config may appear to work, but if you really want an encrypted repository, you should be using an encrypting filesystem.
That would give an added benefit that the work tree associated with your repository would also be encrypted
.


Even though it does not scale to a full repo, the idea was implemented (3 years later in 2013) with git-crypt, as detailed in Dominic Cerisano's answer.
git-crypt uses a content filter driver (implemented in cpp, with commands.cpp setting up your .gitattributes with the relevant smudge and clean filter commands).
As any content filter driver, you can then limit the application of git-crypt to the set of files you want, in the same .gitattributes file:

secretfile filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt

As mentioned in the README:

git-crypt relies on git filters, which were not designed with encryption in mind.

As such, git-crypt is not the best tool for encrypting most or all of the files in a repository.
Where git-crypt really shines is where most of your repository is public, but you have a few files (perhaps private keys named *.key, or a file with API credentials) which you need to encrypt.

For encrypting an entire repository, consider using a system like git-remote-gcrypt instead.

(see more at spwhitton/ tech/ code/ git-remote-gcrypt, from Sean Whitton)


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...