add gcrypt tip
parent 00fb5705ff
commit b0356e56c1
2 changed files with 100 additions and 0 deletions
|
@ -4,6 +4,9 @@ remote allows git-annex to also store its files in such repositories.
|
|||
Naturally, git-annex encrypts the files it stores too, so everything
|
||||
stored on the remote is encrypted.
|
||||
|
||||
See [[tips/fully_encrypted_git_repositories_with_gcrypt]] for some examples
|
||||
of using gcrypt.
|
||||
|
||||
## configuration
|
||||
|
||||
These parameters can be passed to `git annex initremote` to configure
|
||||
|
|
97
doc/tips/fully_encrypted_git_repositories_with_gcrypt.mdwn
Normal file
|
@ -0,0 +1,97 @@
|
|||
[git-remote-gcrypt](https://github.com/blake2-ppc/git-remote-gcrypt/)
|
||||
adds support for encrypted remotes to git. The git-annex
|
||||
[[gcrypt special remote|special_remotes/gcrypt]] allows git-annex to
|
||||
also store its files in such repositories. Naturally, git-annex encrypts
|
||||
the files it stores too, so everything stored on the remote is encrypted.
|
||||
|
||||
Here are some ways you can use this awesome stuff..
|
||||
|
||||
## prerequisites
|
||||
|
||||
* Install
|
||||
[git-remote-gcrypt](https://github.com/blake2-ppc/git-remote-gcrypt/)
|
||||
* Install git-annex version 4.20130909 or newer.
|
||||
|
||||
## encrypted backup drive
|
||||
|
||||
Let's make a USB drive into an encrypted backup repository. It will contain
|
||||
both the full contents of your git repository, and all the files you
|
||||
instruct git-annex to store on it, and everything will be encrypted so that
|
||||
only you can see it.
|
||||
|
||||
First, you need to set up a gpg key. You might consider generating a
|
||||
special purpose key just for this use case, since you may end up wanting to
|
||||
put the key on multiple machines that you would not trust with your
|
||||
main gpg key. You need to tell git-annex the keyid of the key.
|
||||
|
||||
git init --bare /mnt/encryptedbackup
|
||||
git annex initremote encryptedbackup type=gcrypt gitrepo=/mnt/encryptedbackup keyid=$mykey
|
||||
git annex sync encryptedbackup
|
||||
git annex copy --to encryptedbackup ...
|
||||
|
||||
Note that if you lose your gpg key, it will be *impossible* to get the
|
||||
data out of your encrypted backup. You need to find a secure way to store a
|
||||
backup of your gpg key. Printing it out and storing it in a safe deposit box,
|
||||
for example.
|
||||
|
||||
You can actually specifiy keyid= as many times as you like to allow any one
|
||||
of a set of gpg keys to access this repository. So you could add a friend's
|
||||
key, or another gpg key you have.
|
||||
|
||||
To restore from the backup, just plug the drive into any machine that has
|
||||
the gpg key used to encrypt it, and then:
|
||||
|
||||
git clone /mnt/encryptedbackup restored
|
||||
cd restored
|
||||
git annex enableremote encryptedbackup gitrepo=/mnt/encryptedbackup
|
||||
git annex get --from encryptedbackup
|
||||
|
||||
## encrypted git-annex repository on a ssh server
|
||||
|
||||
If you have a ssh server that has git-annex and rsync installed, you can
|
||||
set up an encrypted repository there. Works just like the encrypted drive
|
||||
except without the cable.
|
||||
|
||||
First, on the server, run:
|
||||
|
||||
git init --bare encryptedrepo
|
||||
|
||||
Now, in your existing git-annex repository:
|
||||
|
||||
git annex initremote encryptedrepo type=gcrypt gitrepo=ssh://my.server/home/me/encryptedrepo keyid=$mykey
|
||||
git annex sync encryptedrepo
|
||||
git annex copy --to encryptedrepo ...
|
||||
|
||||
If you're going to be sharing this repository with others, be sure to also
|
||||
include their keyids, by specifying keyid= repeatedly.
|
||||
|
||||
Now that the repo is set up, anyone who has access to it and has one of the keys
|
||||
used to encrypt it can check it out:
|
||||
|
||||
git clone ssh://my.server/home/me/encryptedrepo myrepo
|
||||
cd myrepo
|
||||
git annex enableremote encryptedrepo gitrepo=ssh://my.server/home/me/encryptedrepo
|
||||
git annex get --from encryptedrepo
|
||||
|
||||
## private encrypted git remote on hosting site
|
||||
|
||||
You can use gcrypt to store your git repository in encrypted form on any
|
||||
hosting site that supports git. Only you can decrypt its contents.
|
||||
Using it this way, git-annex does not store large files on the hosting site; it's
|
||||
only used to store your git repository itself.
|
||||
|
||||
git remote add encrypted gcrypt::ssh://hostingsite/myrepo.git
|
||||
git config git push encrypted master git-annex
|
||||
|
||||
Now you can carry on using git-annex with your new repository. For example,
|
||||
`git annex sync` will sync with it.
|
||||
|
||||
## multiuser encrypted git remote on hosting site
|
||||
|
||||
Suppose two users want to share an encrypted git remote. Both of you
|
||||
need to set up the remote, and configure gcrypt to encrypt it so that both
|
||||
of you can see it.
|
||||
|
||||
git remote add sharedencrypted gcrypt::ssh://hostingsite/myrepo.git
|
||||
git config remote.sharedencrypted.gcryt-participants "$mykey $friendkey"
|
||||
git config git push sharedencrypted master git-annex
|
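Review bot: The config key in the multiuser section at the end of the new tip is misspelled as `remote.sharedencrypted.gcryt-participants`; it should read `gcrypt-participants`. `git config` accepts an unknown key without complaint, so as written the participant list would not take effect and nothing would tell the reader that the repository is not encrypted to both `$mykey` and `$friendkey`. Two further lines, `git config git push encrypted master git-annex` and `git config git push sharedencrypted master git-annex`, read like two commands fused together; if a plain `git push <remote> master git-annex` is what is meant, drop the leading `git config`. The restore and checkout examples clone from `/mnt/encryptedbackup` and `ssh://my.server/home/me/encryptedrepo` without the `gcrypt::` prefix that the `git remote add` examples use, so please confirm that a clone works in that form. Smaller points: "specifiy" should be "specify", and the tip says to tell git-annex the keyid but never shows how `$mykey` is set.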