From ecebdec2c6ae71bd0f5041a77dc9ae7b0bca21e3 Mon Sep 17 00:00:00 2001
From: Joey Hess <joeyh@joeyh.name>
Date: Wed, 9 Apr 2025 13:42:19 -0400
Subject: [PATCH] update

---
 .../comment_4_d19a6c42a6c4b0be270e1a1fe167631d._comment   | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/doc/todo/encrypt_just_the_annex_on_git+annex_hosting_site/comment_4_d19a6c42a6c4b0be270e1a1fe167631d._comment b/doc/todo/encrypt_just_the_annex_on_git+annex_hosting_site/comment_4_d19a6c42a6c4b0be270e1a1fe167631d._comment
index 4cc63688a7..9de9ff171e 100644
--- a/doc/todo/encrypt_just_the_annex_on_git+annex_hosting_site/comment_4_d19a6c42a6c4b0be270e1a1fe167631d._comment
+++ b/doc/todo/encrypt_just_the_annex_on_git+annex_hosting_site/comment_4_d19a6c42a6c4b0be270e1a1fe167631d._comment
@@ -41,4 +41,12 @@ A few gotchas I can see:
   are set up all storing to the same underlying remote. I think this is
   minor, because there would be 2 actual copies, just copies that happen to
   be on the same drive.
+* `encryption=shared` will not add any security if the underlying remote
+  is a git repository, because pushing the git-annex branch there will make
+  the encryption key available to anyone who can access the git repository.
+  Instead will need to use `encryption=pubkey`.
+  (Since this is a bit non-obvious, it should probably reject attempts
+  to do that.)
+
+I have some early work (documentation) in the `maskremote` branch.
 """]]