Re: encrypted repositories?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On Fri, 17 Jul 2009, Matthias Andree wrote:
>
> Assume you have a repository where you want to work on embargoed information,
> so that not even system administrators of the server you're pushing to can get
> a hold of the cleartext data.

If the server can't ever read it, you're basically limited to just one 
story:

 - use rsync-like "stupid" transports to upload and download things.

 - a "smart" git server (eg the native git:// style protocol is not going 
   to be possible)

and you strictly speaking need no real git changes, because you might as 
well just do it by uploading an encrypted tar-file of the .git directory. 
And there is literally no upside in doing anything else - any native git 
support is almost entirely pointless.

You could make it a _bit_ more useful perhaps by adding some helper 
wrappers, probably by just implementing a new transport name (ie instead 
of using "rsync://", you'd just use "crypt-tgz://" or something).

Now, that said, there are probably situations where maybe you'd allow the 
server to decrypt things _temporarily_, but you don't want to be encrypted 
on disk, and no persistent keys on the server, then that would open up a 
lot more possibilities.

Of course, that still does require that you trust the server admin to 
_some_ degree - anybody who has root would be able to get the keys by 
running a debugger on the git upload/download sequence when you do a 
upload or download.

Maybe that kind of security is still acceptable to you, though? 

IF that is the case, then at least in theory we could add support for 
"encryption key exchange" to the native git protocol, and then you could 
have encryption over the network access (ssh obviously already does that, 
but I'm including things like the anonymous git:// protocol too), and 
you'd have encrypted data on disk, but git-upload-pack would be able to 
decrypt things in order to do deltas etc.

But see above: in order for that to work, you do have to allow the pack 
upload and download processes on the server to decrypt things (in memory). 
So it would not be "absolutely secure".

			Linus
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]