Setting up an encrypted git-repository

Situation

Hi, I would like to save data with git, encrypted (on some platform like bitbucket or github). Therefore the question:

Question

I am looking for different hassle-free ways on:
How to set up an encrypted repository on bitbucket(/github)? Now, I am new to git, thus an instruction with all necessary steps or step by step would be much appreciated!

"Research"

git-crypt
I found git-crypt, but on the site it is mentioned that it's intended for single file encryption. If one wanted to encrypt the whole repository they forward to git-remote-gcrypt.

git-remote-gcrypt
In their README.rst they put it as simple as

Quickstart

git remote add cryptremote gcrypt::rsync://example.com:repo
git push cryptremote master
> gcrypt: Setting up new repository
> gcrypt: Remote ID is :id:7VigUnLVYVtZx8oir34R
> [ more lines .. ]
> To gcrypt::[...]
> * [new branch]      master -> master

or under

Examples

# notice that the target git repo must already exist and its
# `next` branch will be overwritten!
git remote add gitcrypt gcrypt::git@example.com:repo#next
git push gitcrypt master

Tries

I prefer full repository encryption, hence I tried git-remote-gcrypt with variations of the Quickstart and Example. So far I tried pushing an existing repository by following their instructions, which yields this (note: I have purposely changed the username to user):

-> with ssh as in the provided example

[...]/git_test$ git remote add origin gcrypt::git@bitbucket.org:user/test.git
[...]/git_test$ git push -u origin --all
gcrypt: Development version -- Repository format MAY CHANGE
gcrypt: Repository not found: git@bitbucket.org:user/test.git
gcrypt: Setting up new repository
gcrypt: Remote ID is :id: ...
Zähle Objekte: 10, Fertig.
Komprimiere Objekte: 100% (6/6), Fertig.
Total 10 (delta 0), reused 0 (delta 0)
gcrypt: Encrypting to: --throw-keyids --default-recipient-self
gcrypt: Requesting manifest signature
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
error: Fehler beim Versenden einiger Referenzen nach 'gcrypt::git@bitbucket.org:user/test.git'

or with https (which worked)

[...]/git_test$ git remote add gitcrypt gcrypt::https://user@bitbucket.org/user/test.git
[...]/git_test$ git push -u gitcrypt --all
gcrypt: Development version -- Repository format MAY CHANGE
Password for 'https://user@bitbucket.org': 
gcrypt: Repository not found: https://user@bitbucket.org/user/test.git
gcrypt: Setting up new repository
Password for 'https://user@bitbucket.org': 
gcrypt: Remote ID is :id: ...
Zähle Objekte: 10, Fertig.
Komprimiere Objekte: 100% (6/6), Fertig.
Total 10 (delta 0), reused 0 (delta 0)
gcrypt: Encrypting to: --throw-keyids --default-recipient-self
gcrypt: Requesting manifest signature
Password for 'https://user@bitbucket.org': 
To gcrypt::https://user@bitbucket.org/user/test.git
 * [new branch]      master -> master
Branch master konfiguriert zum Folgen von Remote-Branch master von gitcrypt.

Nevertheless, I don't understand how to add users or even just pull my backup onto another machine (since my gpg key was generated locally) !? Feel free to just answer on usage of git-remote-gcrypt.

gr4nt3d

Posted 2017-01-03T14:25:57.923

Reputation: 421
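As an added example (not code from the question or from the git-remote-gcrypt project), the following POSIX shell script shows the configuration that answers the last paragraph above: pinning the recipients with remote.<name>.gcrypt-participants instead of the --default-recipient-self fallback visible in the output, and checking that every listed key is in the local keyring before a push. The key IDs, remote name and the gcrypt_* function names are assumptions made here.

```shell
#!/bin/sh
# Added example; not from the question or the git-remote-gcrypt project.
# Assumes git is installed. Key IDs are constructed placeholders: use the
# fingerprints shown by `gpg --list-keys`.
set -eu

MY_KEY="0123456789ABCDEF0123456789ABCDEF01234567"       # constructed
TEAMMATE_KEY="89ABCDEF0123456789ABCDEF0123456789ABCDEF" # constructed

# Register a gcrypt remote and pin the recipient list. Without
# gcrypt-participants the helper encrypts with --default-recipient-self
# (as in the question's output), so only the pushing key can decrypt.
gcrypt_add_remote() {   # gcrypt_add_remote <name> <url> <keyid>...
    name=$1; url=$2; shift 2
    git remote add "$name" "gcrypt::$url"
    git config "remote.$name.gcrypt-participants" "$*"
    # Manifest signatures use the first listed key (this machine's key).
    git config "remote.$name.gcrypt-signingkey" "$1"
}

# Recipients the helper will encrypt to on the next push.
gcrypt_participants() {  # gcrypt_participants <name>
    git config --get "remote.$1.gcrypt-participants"
}

# gpg refuses to encrypt to a key it does not have, and the push then
# fails only after the objects are packed; run this after adding a
# teammate. Returns 1 and names each missing key on stderr.
gcrypt_check_keys() {    # gcrypt_check_keys <name>
    rc=0
    for k in $(gcrypt_participants "$1"); do
        gpg --batch --list-keys "$k" >/dev/null 2>&1 \
            || { echo "missing key: $k" >&2; rc=1; }
    done
    return $rc
}

# Throwaway repo wired to the question's https remote with two recipients;
# prints the recipient list and the remote URL. A second machine can only
# clone if the key it will decrypt with is in that list and its secret key
# was imported there (gpg --export-secret-keys / gpg --import).
gcrypt_demo() (
    tmp=$(mktemp -d)
    cd "$tmp"
    git init -q
    gcrypt_add_remote gitcrypt https://user@bitbucket.org/user/test.git \
        "$MY_KEY" "$TEAMMATE_KEY"
    gcrypt_participants gitcrypt
    git config --get remote.gitcrypt.url
    cd / && rm -rf "$tmp"
)
```

Run gcrypt_demo to see the two configured values; the actual push still needs git-remote-gcrypt and gpg installed.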

These might be related: http://superuser.com/questions/676497/encrypt-files-before-sending-them-to-cloud The filters link provided led me to believe that this is tricky usage of a git functionality that changes code(/content) upon push/pull. And the en-/de-cryption is done by the provided scripts. If that is the case, then I'd rather prefer a way that is easier to set up without the hassle of those scripts - programs like git-remote-gcrypt. Moreover this would reveal the contents of the repository, right?

– gr4nt3d – 2017-01-03T14:27:11.407

http://superuser.com/questions/900656/how-to-encrypt-data-in-bitbucket-without-losing-git-diff-tools Similar question specifically with bitbucket that has no answer.

– gr4nt3d – 2017-01-03T14:27:18.790

Have a look at https://gist.github.com/shadowhand/873637

– Nifle – 2017-01-03T15:22:12.043

@Nifle seems to be the filter method as in my first comment, right? Does this encrypt the whole repo or just file contents? – gr4nt3d – 2017-01-03T16:10:07.970

As I added there (http://superuser.com/a/1162909/626063): simply copying the key (and secret key) does not suffice to clone the repo to another machine.

– gr4nt3d – 2017-01-03T16:46:12.057

Have you looked at git-remote-gcrypt or Keybase?

– harrymc – 2017-11-10T07:43:41.807

@harrymc, I have had a look at both just now. Sadly I am too busy to test these solutions, but Keybase looks like an easy all-in-one tool (probably hassle free, if a whole team uses it; though, I did not see compatibility with git only) and the steps at the git annex page seem to show a few steps that I had not done; so definitely a good hint. Thank you! – gr4nt3d – 2017-11-13T14:54:53.397

Answers

A free and open-source tool is Keybase:

Git supports remote helpers. And we've made an open source one.

Keybase's remote helper performs all the crypto while letting git do its thing. This might sound impressive, but Keybase has not reimplemented git from scratch. We provide a remote helper, powered by the excellent go-git project, which we've begun contributing to.

We bring to the table: (1) crypto, (2) team + multi-device key management, (3) a safer concept of identity.

It is end-to-end encrypted. It's hosted, like, say, GitHub, but only you (and teammates) can decrypt any of it. To Keybase, all is but a garbled mess. To you, it's a regular checkout with no extra steps.

Even your repository names and branch names are encrypted, and thus unreadable by Keybase staff or infiltrators.

Teamwork is supported via Keybase Teams:

A Keybase team is a named group of people, with flexible membership. Let's say you work on a project called Treehouse. You could register treehouse on Keybase. This team name is universal; there can be only one Keybase team with a given name.

Teams get chats and channels. The chat looks a bit like Slack or Discord:

But Keybase teamwork is end-to-end encrypted, which means you don't have to worry about server hacks.

harrymc

Posted 2017-01-03T14:25:57.923

Reputation: 306 093

Nice tool there! However, it seems to be a closed eco-system. I could not find any hints showing how to work with non-Keybase users. Is this possible? I guess forcing a whole team to use this tool or being dependent on it outweighs the benefits still. – gr4nt3d – 2017-11-13T15:00:52.357

This is open-source. Would a tool that you developed be any more open? – harrymc – 2017-11-13T20:34:56.017

I was referring to the usage; and am unsure how the git remote helpers actually work. Could one use a key (which is not pgp, but something new, right?) and this helper but without the gui? – gr4nt3d – 2017-11-14T07:25:22.250

I cannot answer these questions - I haven't gone that deeply into it. – harrymc – 2017-11-14T07:53:41.860

Can 3rd party tools work with it? – Mikey – 2019-01-22T12:30:29.920