2013-10-27 21:12:19 +00:00
|
|
|
[[!toc]]
|
|
|
|
|
2011-04-16 23:30:31 +00:00
|
|
|
git-annex mostly does not use encryption. Anyone with access to a git
|
|
|
|
repository can see all the filenames in it, its history, and can access
|
|
|
|
any annexed file contents.
|
|
|
|
|
|
|
|
Encryption is needed when using [[special_remotes]] like Amazon S3, where
|
|
|
|
file content is sent to an untrusted party who does not have access to the
|
|
|
|
git repository.
|
|
|
|
|
2013-09-01 18:12:00 +00:00
|
|
|
Such an encrypted remote uses strong ([[symmetric|design/encryption]] or
|
|
|
|
asymmetric) encryption on the contents of files, as well as HMAC hashing
|
|
|
|
of the filenames. The size of the encrypted files, and access patterns
|
|
|
|
of the data, should be the only clues to what is stored in such a
|
|
|
|
remote.
|
2011-04-16 23:30:31 +00:00
|
|
|
|
|
|
|
You should decide whether to use encryption with a special remote before
|
|
|
|
any data is stored in it. So, `git annex initremote` requires you
|
|
|
|
to specify "encryption=none" when first setting up a remote in order
|
2014-08-19 05:22:24 +00:00
|
|
|
to disable encryption. To use encryption, you run
|
2014-07-19 22:25:42 +00:00
|
|
|
`git-annex initremote` in one of these ways:
|
2011-04-16 23:30:31 +00:00
|
|
|
|
2016-05-11 19:54:12 +00:00
|
|
|
* `git annex initremote newremote type=... encryption=hybrid keyid=KEYID`
|
2013-09-05 00:11:25 +00:00
|
|
|
* `git annex initremote newremote type=... encryption=shared`
|
2016-05-11 19:54:12 +00:00
|
|
|
* `git annex initremote newremote type=... encryption=pubkey keyid=KEYID`
|
|
|
|
* `git annex initremote newremote type=... encryption=sharedpubkey keyid=KEYID`
|
2011-04-16 23:30:31 +00:00
|
|
|
|
2016-05-11 20:09:39 +00:00
|
|
|
To see what encryption is used for a special remote, run
|
|
|
|
`git annex info $remote` and look for a line like:
|
|
|
|
|
|
|
|
encryption: hybrid (to gpg keys: AEC828149D85C538 C910D9122512E3C8)
|
|
|
|
|
2016-05-10 20:50:31 +00:00
|
|
|
## hybrid encryption keys (encryption=hybrid)
|
2013-03-29 16:06:02 +00:00
|
|
|
|
2013-09-05 00:11:25 +00:00
|
|
|
The [[hybrid_key_design|design/encryption]] allows additional
|
|
|
|
encryption keys to be added on to a special remote later. Due to this
|
2013-12-02 02:09:18 +00:00
|
|
|
flexibility, it is the default and recommended encryption scheme.
|
2014-08-19 05:22:24 +00:00
|
|
|
|
2016-05-11 19:54:12 +00:00
|
|
|
git annex initremote newremote type=... [encryption=hybrid] keyid=KEYID
|
2013-09-05 00:11:25 +00:00
|
|
|
|
2022-08-15 18:25:13 +00:00
|
|
|
The KEYID is passed to `gpg` to find a gpg key.
|
2013-09-05 00:11:25 +00:00
|
|
|
Typically, you will say "keyid=2512E3C7" to use a specific gpg key.
|
2015-01-21 16:50:09 +00:00
|
|
|
Or, you might say "keyid=id@joeyh.name" to search for matching keys.
|
2013-09-05 00:11:25 +00:00
|
|
|
|
|
|
|
To add a new key and allow it to access all the content that is stored
|
|
|
|
in the encrypted special remote, just run `git annex
|
2016-05-11 19:54:12 +00:00
|
|
|
enableremote` specifying the keyid to add:
|
2011-04-16 23:30:31 +00:00
|
|
|
|
2013-08-28 02:24:14 +00:00
|
|
|
git annex enableremote myremote keyid+=788A3F4C
|
2011-04-16 23:30:31 +00:00
|
|
|
|
2016-05-11 19:54:12 +00:00
|
|
|
You can repeat this process to add any number of gpg keys, including
|
|
|
|
your own gpg keys and any public keys of others who you want to give
|
|
|
|
access. Anyone with a corresponding secret key will be able to decrypt
|
|
|
|
all content that is stored in the remote.
|
|
|
|
|
|
|
|
While a key can later be removed from the list, note that it will **not**
|
|
|
|
prevent the owner of the key from accessing data on the remote (which is by
|
|
|
|
design impossible to prevent, short of deleting the remote). In fact the
|
|
|
|
only sound use of `keyid-=` is probably to replace a revoked key:
|
2013-08-28 02:24:14 +00:00
|
|
|
|
|
|
|
git annex enableremote myremote keyid-=2512E3C7 keyid+=788A3F4C
|
|
|
|
|
|
|
|
See also [[encryption_design|design/encryption]] for other security
|
|
|
|
risks associated with encryption.
|
2012-04-29 18:02:18 +00:00
|
|
|
|
2016-05-10 20:50:31 +00:00
|
|
|
## shared encryption key (encryption=shared)
|
2012-04-29 18:02:18 +00:00
|
|
|
|
|
|
|
Alternatively, you can configure git-annex to use a shared cipher to
|
|
|
|
encrypt data stored in a remote. This shared cipher is stored,
|
2013-08-28 02:24:14 +00:00
|
|
|
**unencrypted** in the git repository. So it's shared among every
|
2014-08-19 05:22:24 +00:00
|
|
|
clone of the git repository.
|
|
|
|
|
2013-09-05 00:11:25 +00:00
|
|
|
git annex initremote newremote type=... encryption=shared
|
|
|
|
|
|
|
|
The advantage is you don't need to set up gpg keys. The disadvantage is
|
|
|
|
that this is **insecure** unless you trust every clone of the git
|
|
|
|
repository with access to the encrypted data stored in the special remote.
|
|
|
|
|
2024-01-10 20:30:38 +00:00
|
|
|
By default `gpg` is used for shared encryption, but it is also possible to
|
|
|
|
use other programs that implement the Stateless OpenPGP command line
|
|
|
|
interface. For example, to use Sequoia PGP's `sqop` command, configured to
|
2024-04-06 13:52:01 +00:00
|
|
|
be backwards compatible with `gpg`:
|
2024-01-10 20:30:38 +00:00
|
|
|
|
|
|
|
git config annex.shared-sop-command sqop
|
|
|
|
git config annex.shared-sop-profile rfc4880
|
|
|
|
|
2016-05-10 20:50:31 +00:00
|
|
|
## regular public key encryption (encryption=pubkey)
|
2013-09-05 00:11:25 +00:00
|
|
|
|
|
|
|
This alternative simply encrypts the files in the special remotes to one or
|
2016-05-11 19:54:12 +00:00
|
|
|
more public keys. The corresponding private key is needed to store
|
|
|
|
anything in the remote, or access anything stored in it.
|
|
|
|
It might be considered more secure due to its simplicity and since
|
|
|
|
it's exactly the way everyone else uses gpg.
|
2013-09-05 00:11:25 +00:00
|
|
|
|
2016-05-11 19:54:12 +00:00
|
|
|
git annex initremote newremote type=.... encryption=pubkey keyid=KEYID
|
2013-09-05 00:11:25 +00:00
|
|
|
|
2014-08-19 05:22:24 +00:00
|
|
|
A disadvantage is that it is not easy to later add additional public keys
|
2013-09-05 00:11:25 +00:00
|
|
|
to the special remote. While the `enableremote` parameters `keyid+=` and
|
2016-05-11 19:54:12 +00:00
|
|
|
`keyid-=` can be used, they have **no effect** on encrypted files that
|
2022-08-15 18:25:13 +00:00
|
|
|
are already stored in the remote.
|
2016-05-11 19:54:12 +00:00
|
|
|
|
2022-08-15 18:25:13 +00:00
|
|
|
So if you need other public keys to also have access, it's best to add them
|
|
|
|
immediately after initializing the remote:
|
|
|
|
|
|
|
|
git-annex initremote newremote keyid+=788A3F4C
|
|
|
|
|
|
|
|
Another use for these parameters is to replace a revoked key:
|
2013-09-05 00:11:25 +00:00
|
|
|
|
|
|
|
git annex enableremote myremote keyid-=2512E3C7 keyid+=788A3F4C
|
|
|
|
|
|
|
|
But even in this case, since the files are not re-encrypted, the revoked
|
|
|
|
key has to be kept around to be able to decrypt those files.
|
|
|
|
(Of course, if the reason for revocation is
|
2013-09-01 18:12:00 +00:00
|
|
|
that the key has been compromised, it is **insecure** to leave files
|
2013-09-05 00:11:25 +00:00
|
|
|
encrypted using that old key, and the user should re-encrypt everything.)
|
|
|
|
|
2016-05-10 20:50:31 +00:00
|
|
|
(A cipher still needs to be generated (and is encrypted to the given key IDs).
|
|
|
|
It is only used for HMAC encryption of filenames.)
|
|
|
|
|
|
|
|
## regular public key encryption with shared filename encryption (encryption=sharedpubkey)
|
|
|
|
|
|
|
|
This is a variation on encryption=pubkey which lets anyone who
|
|
|
|
has access to the gpg public keys store files in the special remote.
|
2016-05-11 19:54:12 +00:00
|
|
|
But, only owners of the corresponding gpg private keys can retrieve the files
|
2016-05-10 20:50:31 +00:00
|
|
|
from the special remote.
|
|
|
|
|
2016-05-11 19:54:12 +00:00
|
|
|
git annex initremote newremote type=... encryption=sharedpubkey keyid=KEYID
|
2016-05-10 20:50:31 +00:00
|
|
|
|
|
|
|
This might be useful if you want to let others drop off files for you in a
|
|
|
|
special remote, so that only you can access them.
|
|
|
|
|
|
|
|
The filenames used on the special remote are encrypted using HMAC,
|
|
|
|
which prevents the special remote from seeing the filenames. But, anyone
|
|
|
|
who can clone the git repository can access the HMAC cipher; it's stored
|
|
|
|
**unencrypted** in the git repository.
|
2013-09-05 00:11:25 +00:00
|
|
|
|
|
|
|
## MAC algorithm
|
2013-09-01 18:12:00 +00:00
|
|
|
|
2013-09-05 00:11:25 +00:00
|
|
|
The default MAC algorithm to be applied on the filenames is HMACSHA1. A
|
2014-07-19 22:25:42 +00:00
|
|
|
stronger one, for instance HMACSHA512, can be chosen upon creation
|
2013-09-05 00:11:25 +00:00
|
|
|
of the special remote with the option `mac=HMACSHA512`. The available
|
|
|
|
MAC algorithms are HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384, and
|
|
|
|
HMACSHA512. Note that it is not possible to change algorithm for a
|
|
|
|
non-empty remote.
|
2018-12-04 18:16:56 +00:00
|
|
|
|
|
|
|
## credentials storage
|
|
|
|
|
|
|
|
Special remotes that need some form of credentials, such as a password,
|
|
|
|
may support embedding the credentials in the git repository, using
|
|
|
|
embedcreds=yes. See individual special remotes' documentation for details.
|
|
|
|
When credentials are embedded in the repository, they're also encrypted using
|
|
|
|
whatever encryption setting has been selected for the repository.
|
|
|
|
|
|
|
|
Such credentials are also cached locally in a file only you can read,
|
|
|
|
in `.git/annex/creds/`. If you prefer to not expose the credentials on disk
|
|
|
|
in unencrypted form, you can disable this cache, by setting the
|
|
|
|
`annex.cachecreds` config to `false`.
|