[git-remote-gcrypt](https://spwhitton.name/tech/code/git-remote-gcrypt/)
adds support for encrypted remotes to git. The git-annex gcrypt special
remote allows git-annex to also store its files in such repositories.
Naturally, git-annex encrypts the files it stores too, so everything
stored on the remote is encrypted.

This special remote needs the server hosting the remote repository
to either have git-annex-shell or rsync accessible via ssh. git-annex
uses those to store its content in the remote. If the remote repository
is instead hosted on a server using git-lfs, you can use the [[git-lfs]]
special remote instead of this one; it also supports using gcrypt.

See [[tips/fully_encrypted_git_repositories_with_gcrypt]] for some examples
of using gcrypt.

## configuration

These parameters can be passed to `git annex initremote` to configure
gcrypt:

* `encryption` - One of "none", "hybrid", "shared", or "pubkey".
  Required. See [[encryption]].

* `keyid` - Specifies the gpg key to use for encryption of both the files
  git-annex stores in the repository, as well as to encrypt the git
  repository itself. May be repeated when multiple participants
  should have access to the repository.

* `gitrepo` - Required. The location of the git repository
  for gcrypt to use. This repository should be either an unpopulated
  bare git repo, or an existing gcrypt repository.

  To use a local git repository, use: `gitrepo=/path/to/repo`

  For a git repository accessed using rsync over ssh, use:
  `gitrepo=rsync://user@host/path/to/repo`

  For a git repository accessed over ssh, and using git-annex-shell
  to transfer data, use:
  `gitrepo=ssh://user@host/path/to/repo` or `gitrepo=host:path`

  Note that each `git push` has to re-send the whole content of the git
  repository when using this option.

* `chunk` - Enables [[chunking]] when storing large files.

* `shellescape` - See [[rsync]] for the details of this option.

## notes

For git-annex to store files in a repository on a remote server, you need
shell access, and the server needs to be able to run `rsync` or `git-annex-shell`.

If you can't run `rsync` or `git-annex-shell` on the remote server,
you can't use this special remote. Other options are the [[git-lfs]]
special remote, which can also be combined with gcrypt, or
using git-remote-gcrypt to encrypt a remote that git-annex cannot use.

If you use `encryption=hybrid`, you can later add more gpg keys that can access
the files git-annex stored in the gcrypt repository. However, due to the
way git-remote-gcrypt encrypts the git repository, you will need to somehow
force it to re-push everything, so that the encrypted repository can
be decrypted by the added keys. Probably this can be done by setting
`GCRYPT_FULL_REPACK` and doing a forced push of branches.

Recent versions of git-annex configure `remote.<name>.gcrypt-publish-participants` when
setting up a gcrypt repository. This is done to avoid unnecessary gpg
passphrase prompts, but it does publish the gpg keyids that can decrypt the
repository. Unset it if you need to obscure that.
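
A way to check the setting described in the last note, as an added example that is not part of the git-annex documentation: it lists each remote whose URL uses git-remote-gcrypt's `gcrypt::` prefix and reports whether `remote.<name>.gcrypt-publish-participants` is enabled for it. The function names are hypothetical, and only the per-remote key named above is inspected.

```shell
#!/bin/sh
# Added example: audit gcrypt remotes for published participant keyids.
# Function names are hypothetical; only `git config` is used.

# Print one line per gcrypt remote: "<name> published" or "<name> hidden".
# $1 = path to a git repository (defaults to the current directory).
gcrypt_participants_audit() {
    repo=${1:-.}
    git -C "$repo" config --get-regexp '^remote\..*\.url$' |
    while read -r key url; do
        case $url in
            gcrypt::*) ;;        # URL handled by git-remote-gcrypt
            *) continue ;;       # ordinary remote, not of interest here
        esac
        name=${key#remote.}
        name=${name%.url}
        # --type=bool normalises true/yes/on/1 to "true"; an unset key
        # makes git exit non-zero, which leaves $val empty.
        val=$(git -C "$repo" config --type=bool --get \
              "remote.$name.gcrypt-publish-participants" 2>/dev/null || true)
        if [ "$val" = "true" ]; then
            echo "$name published"
        else
            echo "$name hidden"
        fi
    done
}

# Unset the option for one remote.
# $1 = repository path, $2 = remote name.
gcrypt_participants_hide() {
    git -C "$1" config --unset "remote.$2.gcrypt-publish-participants"
}
```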