From: Linus Torvalds <torvalds@linux-foundation.org>
To: Matthias Andree <matthias.andree@gmx.de>
Cc: git@vger.kernel.org
Subject: Re: encrypted repositories?
Date: Fri, 17 Jul 2009 12:38:16 -0700 (PDT) [thread overview]
Message-ID: <alpine.LFD.2.01.0907171226460.13838@localhost.localdomain> (raw)
In-Reply-To: <op.uw7wmbr41e62zd@balu.cs.uni-paderborn.de>
On Fri, 17 Jul 2009, Matthias Andree wrote:
>
> Assume you have a repository where you want to work on embargoed information,
> so that not even system administrators of the server you're pushing to can get
> a hold of the cleartext data.
If the server can't ever read it, you're basically limited to just one
story:
- use rsync-like "stupid" transports to upload and download things.
- a "smart" git server (eg the native git:// style protocol is not going
to be possible)
and you strictly speaking need no real git changes, because you might as
well just do it by uploading an encrypted tar-file of the .git directory.
And there is literally no upside in doing anything else - any native git
support is almost entirely pointless.
You could make it a _bit_ more useful perhaps by adding some helper
wrappers, probably by just implementing a new transport name (ie instead
of using "rsync://", you'd just use "crypt-tgz://" or something).
Now, that said, there are probably situations where maybe you'd allow the
server to decrypt things _temporarily_, but you don't want to be encrypted
on disk, and no persistent keys on the server, then that would open up a
lot more possibilities.
Of course, that still does require that you trust the server admin to
_some_ degree - anybody who has root would be able to get the keys by
running a debugger on the git upload/download sequence when you do a
upload or download.
Maybe that kind of security is still acceptable to you, though?
IF that is the case, then at least in theory we could add support for
"encryption key exchange" to the native git protocol, and then you could
have encryption over the network access (ssh obviously already does that,
but I'm including things like the anonymous git:// protocol too), and
you'd have encrypted data on disk, but git-upload-pack would be able to
decrypt things in order to do deltas etc.
But see above: in order for that to work, you do have to allow the pack
upload and download processes on the server to decrypt things (in memory).
So it would not be "absolutely secure".
Linus
next prev parent reply other threads:[~2009-07-17 19:39 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-17 15:14 encrypted repositories? Matthias Andree
2009-07-17 16:06 ` Michael J Gruber
2009-07-17 20:22 ` Jakub Narebski
2009-07-17 16:30 ` Matthias Kestenholz
2009-07-17 19:38 ` Linus Torvalds [this message]
2009-07-17 20:22 ` John Tapsell
2009-07-17 20:40 ` Linus Torvalds
2009-07-17 20:42 ` Linus Torvalds
2009-07-18 19:09 ` encrypted repositories? with git-torrent? Thomas Koch
2009-07-20 12:13 ` Matthias Andree
2009-07-20 12:09 ` encrypted repositories? Matthias Andree
2009-07-20 13:48 ` Jakub Narebski
2009-07-21 8:30 ` Matthias Andree
2009-07-20 15:30 ` Jeff King
2009-07-21 8:25 ` Matthias Andree
2009-07-23 10:40 ` Jeff King
2012-08-02 14:52 ` J-S-B
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LFD.2.01.0907171226460.13838@localhost.localdomain \
--to=torvalds@linux-foundation.org \
--cc=git@vger.kernel.org \
--cc=matthias.andree@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).