git encrypt/decrypt remote repository files while push/pull
Is it possible to automatically encrypt files via 'git push' before transferring them to a remote repository? And automatically decode them on 'git pull'?
I.e., if I have some remote server with shared access and a git repository there, and I don't want our project to be stolen without permission... Maybe there are some special git hooks before push and after pull?
Yes and no.
You could try to depend on hooks, but that supposes they are installed at the remote locations, and that is not always reliable.
Another way to achieve almost the same effect would be by using a smudge/clean attribute filter driver, but not for a full repo.
(Source: Pro Git book: Customizing Git - Git Attributes)
That way the smudge script is able to decode the files, while the clean script would encode them.
Again, that could work for a few sensitive files, not for a full repo.
Of course, those scripts would not be in the repository itself, and would be managed/communicated another way.
As Alkaline points out in the comments, that idea does not scale for a repo, as the main git maintainer Junio C. Hamano commented back in 2009:
As the sole raison d'etre of diff.textconv is to allow potentially lossy conversion (eg msword-to-text) applied to the preimage and postimage pair of contents (that are supposed to be "clean") before giving a textual diff to human consumption. The above config may appear to work, but if you really want an encrypted repository, you should be using an encrypting filesystem.
That would give an added benefit that the work tree associated with your repository would also be encrypted.
Even though it does not scale to a full repo, the idea was implemented (3 years later, in 2013) with git-crypt, as detailed in Dominic Cerisano's answer.
git-crypt uses a content filter driver (implemented in C++, with commands.cpp setting up your .gitattributes with the relevant smudge and clean filter commands).
As with any content filter driver, you can then limit the application of git-crypt to the set of files you want, in the same .gitattributes file:
secretfile filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
As mentioned in the README:
git-crypt relies on git filters, which were not designed with encryption in mind. As such, git-crypt is not the best tool for encrypting most or all of the files in a repository.
Where git-crypt really shines is where most of your repository is public, but you have a few files (perhaps private keys named *.key, or a file with API credentials) which you need to encrypt. For encrypting an entire repository, consider using a system like git-remote-gcrypt instead.
(See more at spwhitton/tech/code/git-remote-gcrypt, from Sean Whitton.)
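To make the smudge/clean mechanism this answer describes concrete, here is a toy filter pair in Python. It is an added example, not code from the answer, from the Pro Git book, or from git-crypt. It follows the structure git-crypt documents for its own filter (the nonce is an HMAC of the plaintext, so the clean step is deterministic, and that HMAC is checked again after decryption), but it substitutes a SHA-256 counter-mode keystream for AES so it runs with the standard library alone. The marker string TOYCRYPT, the key file argument, and the sample contents in the test are all constructed for this example.

```python
"""Toy clean/smudge filter pair for a git content filter driver (added example)."""
import hashlib
import hmac
import sys

MAGIC = b"\x00TOYCRYPT\x00"  # assumed marker so smudge can tell encrypted blobs from plain ones
NONCE_LEN = 16


def _keystream(enc_key, nonce, length):
    # SHA-256 in counter mode stands in for AES-CTR so the example needs only the
    # standard library; git-crypt itself uses AES-256 in CTR mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(master_key):
    # Separate encryption and MAC keys derived from the one shared master key.
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def clean(plaintext, master_key):
    """Working tree -> repository. This must be deterministic: git re-runs the clean
    filter and compares its output with the index, so a random IV would make every
    encrypted file look permanently modified. The nonce is therefore an HMAC of the
    plaintext, which also means identical plaintexts yield identical blobs."""
    if plaintext.startswith(MAGIC):
        return plaintext  # already in repository form, pass through unchanged
    enc_key, mac_key = _subkeys(master_key)
    nonce = hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    return MAGIC + nonce + ciphertext


def smudge(blob, master_key):
    """Repository -> working tree. Blobs without the marker (committed before the
    filter existed) pass through. A wrong key or a tampered blob is rejected because
    the HMAC recomputed over the decrypted bytes no longer matches the stored nonce."""
    if not blob.startswith(MAGIC):
        return blob
    enc_key, mac_key = _subkeys(master_key)
    nonce = blob[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = blob[len(MAGIC) + NONCE_LEN:]
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    if not hmac.compare_digest(expected, nonce):
        raise ValueError("smudge: wrong key or corrupted blob")
    return plaintext


def main(argv):
    # git runs the filter as "<script> clean|smudge <keyfile>", feeds the file
    # content on stdin and reads the converted content from stdout.
    if len(argv) != 3 or argv[1] not in ("clean", "smudge"):
        sys.stderr.write("usage: toycrypt.py clean|smudge <keyfile>\n")
        return 2
    with open(argv[2], "rb") as fh:
        master_key = fh.read()
    data = sys.stdin.buffer.read()
    out = clean(data, master_key) if argv[1] == "clean" else smudge(data, master_key)
    sys.stdout.buffer.write(out)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring it in is the same as for any filter driver: `git config filter.toycrypt.clean "python3 /path/to/toycrypt.py clean ~/toy.key"`, the matching `filter.toycrypt.smudge`, and `git config filter.toycrypt.required true` so git refuses to commit or check out rather than silently storing plaintext when the script fails; then `*.key filter=toycrypt` in .gitattributes selects the files. The `diff=git-crypt` attribute in the answer's example is a separate diff driver whose textconv command receives a temporary file path rather than stdin, so a filter script is not reusable for it as-is.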
You can take a look at this project: https://github.com/shadowhand/git-encrypt
UPDATE: The above project is deprecated and recommends using https://github.com/AGWA/git-crypt
Create your 256-bit private key (RETAIN AND PROTECT THIS KEY):
sudo apt install git-crypt
mkdir key; cd key;
git init; git-crypt init
git-crypt export-key ~/crypt.key
Push a file called .gitattributes to each repo's root directory. It should contain one asset pattern per file, directory or type you wish to encrypt:
docs/doc.txt filter=git-crypt diff=git-crypt
js/** filter=git-crypt diff=git-crypt
*.java filter=git-crypt diff=git-crypt
src/cpp/*.h filter=git-crypt diff=git-crypt
Encrypt assets in each repo:
cd repo-root-directory
git-crypt unlock ~/crypt.key
git-crypt status -f
Push (from the command line or a git client).
Continue your git workflow as usual. Run git-crypt unlock ~/crypt.key once on any new clones of these secured repos.
There are two ways to do this.
One is to use a project like git-crypt, http://www.agwa.name/projects/git-crypt/, which adds filters to the pull and push process, or set up the filters manually as described here: https://gist.github.com/shadowhand/873637
Another way, if you are working in a Linux environment, is to use ecryptfs. For this scenario, in the base of your project directory you could, for example, create two directories
project/encrypted_src
project/src
Then from the root of the project directory you would mount using the command
sudo mount -t ecryptfs encrypted_src src
entering a pass-phrase and accepting the defaults when prompted. At this point, files placed in src/ will be encrypted into encrypted_src/ on the fly. When you are finished just
sudo umount src
and only the encrypted files remain. Essentially files are committed and pushed from encrypted_src/ and edited in src. As long as everyone uses the same pass-phrase (or mounts with the same key) the repo can be shared among developers. Also you can get fancier. You can encrypt file names as well as just file contents, or encrypt different folders in a repo with different pass-phrases or keys. The last feature is nice if you have configuration files with sensitive access information that individual groups (dev, test, production) will want to maintain privately.
That said, though, be aware that once you start encrypting stuff, you lose a lot of the advantages of source control, like being able to see diffs between various commits. If you have a project of any size the ability to review commits will be invaluable. If you expect bugs, at some point or another, the ability to analyse and find their point of introduction by back-tracking through commit history will also be invaluable. So secure your server first and then use encryption only where it makes sense to protect sensitive info in source control. Just my 2 cents.
git-annex provides a Tahoe-LAFS hook, which admittedly may be more complex than you need.