diff --git a/Remote/GitLFS.hs b/Remote/GitLFS.hs index bdacf59489..60b3567616 100644 --- a/Remote/GitLFS.hs +++ b/Remote/GitLFS.hs @@ -12,6 +12,7 @@ import Types.Remote import Annex.Url import Types.Key import Types.Creds +import qualified Annex import qualified Git import qualified Git.Types as Git import qualified Git.Url @@ -108,11 +109,21 @@ mySetup _ mu _ c gc = do let repo = fromMaybe (giveup "Specify url=") $ M.lookup "url" c - -- TODO: don't allow using encryption w/o the user indicating they - -- know it will only encrypt git-annex objects, not git pushes - -- TODO: don't allow using encryption=shared w/o the user - -- indicating that pushing to the git-lfs remote will expose the - -- encrypted data. + + when (isEncrypted c) $ + unlessM (Annex.getState Annex.force) $ + giveup $ unwords $ + [ "You asked that encryption be enabled for" + , "this remote, but only the files that" + , "git-annex stores on it would be encrypted;" + , "anything that git push sends to it would" + , "not be encrypted. Even encryption=shared" + , "encryption keys will be stored on the" + , "remote for anyone who can access it to" + , "see." + , "(Use --force if you want to use this" + , "likely insecure configuration.)" + ] (c', _encsetup) <- encryptionSetup c gc -- The repo is not stored in the remote log, because the same diff --git a/doc/special_remotes/git-lfs.mdwn b/doc/special_remotes/git-lfs.mdwn index c476185f9a..ffb0e7411a 100644 --- a/doc/special_remotes/git-lfs.mdwn +++ b/doc/special_remotes/git-lfs.mdwn 
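Review bot: The refusal text added to mySetup blurs the encryption=shared risk: "Even encryption=shared encryption keys will be stored on the remote" is hard to parse at exactly the point where the user decides whether to pass --force. The documentation hunk of this same commit says it plainly (the key is committed to the git repository), and the message could do the same, for example `, "not be encrypted. With encryption=shared, the"` then `, "encryption key is committed to the git repository,"` then `, "where anyone who can access the remote can read it."`. The override reads `Annex.force`, which looks like the general --force state rather than an acknowledgement specific to this remote, so a run that already carries --force for another reason would pass the guard without the user ever seeing the text. Emitting the same text as a warning on that path would keep it visible. mySetup begins and continues outside the hunk.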
@@ -41,11 +41,12 @@ store its SHA256 checksum in the git-annex branch. ## encryption notes -The encryption= parameter only makes git-annex encrypt data stored on the -remote. `git push` can also be used with the remote (it is a git repository -after all), and data pushed to it with git will *not* be encrypted. +The encryption= parameter only makes git-annex encrypt data it stores +on the remote. `git push` can also be used with the remote +(it is a git repository after all), and data pushed to it with +git will *not* be encrypted. -This makes using encryption=shared with a git-lfs special remote very +Using encryption=shared with a git-lfs special remote is especially unlikely to be secure, because the encryption key is committed to the git repository. It would only make sense if you never pushed it to the remote, or trusted the remote's host to keep it secure.