简体繁体 English

有加密版本控制系统吗？

[英]Is there an encrypted version control system?

原文 2010-06-18 15:34:40 0 13 security/ svn/ version-control/ encryption

I am looking for an encrypted version control system . 我正在寻找一个加密版本控制系统。 Basically I would like to 基本上我想

Have all files encrypted locally before sending to the server. 在发送到服务器之前，将所有文件在本地加密。 The server should never receive any file or data unencrypted. 服务器永远不应接收任何未加密的文件或数据。
Every other feature should work pretty much the same way as SVN or CVS does today. 其他每个功能的工作方式与SVN或CVS的功能几乎相同。

Can anyone recommend something like this? 任何人都可以推荐这样的东西？ I did a lot of searches but I cant find anything. 我做了很多搜索，但我找不到任何东西。

13 个解决方案

You should encrypt the data pipe (ssl/ssh) instead, and secure the access to the server. 您应该加密数据管道（ssl / ssh），并保护对服务器的访问。 Encrypting the data would force SVN to essentially treat everything as a binary file. 加密数据将迫使SVN将所有内容视为二进制文件。 It can't do any diff, so it can't store deltas. 它不能做任何差异，所以它不能存储增量。 This defeats the purpose of a delta-based approach. 这违背了基于三角洲的方法的目的。
Your repository would get huge, very quickly. 您的存储库将变得非常快，非常快。 If you upload a file that's 100kb and then change 1 byte and checkin again, do that 8 more times (10 revs total), the repository would be storing 10 * 100kb, instead of 100kb + 9 little deltas (let's call it 101kb). 如果您上传一个100kb的文件，然后再更改1个字节并再次签入，那么再执行8次（总共10转），存储库将存储10 * 100kb，而不是100kb + 9个小增量（让我们称之为101kb）。

Update: @TheRook explains that it is possible to do deltas with encrypted repository. 更新：@TheRook解释说可以使用加密存储库进行增量。 So it may be possible to do this. 所以有可能这样做。 However, my initial advice stands: it's not worth the hassle, and you're better off with encrypting the ssl/ssh pipe and securing the server. 但是，我最初的建议是：它不值得麻烦，你最好加密ssl / ssh管道并保护服务器。 ie "best practices". 即“最佳实践”。

It is possible to create a version control system of cipher text. 可以创建密文的版本控制系统。 It would be ideal to use a stream cipher such as RC4-drop1024 or AES-OFB mode. 使用诸如RC4-drop1024或AES-OFB模式的流密码是理想的。 As long as the same key+iv is used for each revision. 只要每个修订使用相同的键+ iv。 This will mean that the same PRNG stream will be generated each time and then XOR'ed with the code. 这意味着每次都会生成相同的PRNG流，然后与代码进行异或。 If any individual byte is different, then you have a mismatch and the cipher text its self will be merged normally. 如果任何单个字节不同，那么您将不匹配，并且密码文本将自动合并。

A block cipher in ECB mode could also be used, where the smallest mismatch would be 1 block in size, so it would be ideal to use small blocks. 也可以使用ECB模式的分组密码，其中最小的不匹配大小为1个块，因此使用小块是理想的。 CBC mode on the other hand can produce widely different cipher text for each revision and thus is undesirable. 另一方面，CBC模式可以为每个修订产生广泛不同的密文，因此是不希望的。

I recognize that this isn't very secure, OFB and ECB modes shouldn't normally be used as they are weaker than CBC mode. 我认识到这不是很安全，通常不应使用OFB和ECB模式，因为它们比CBC模式弱。 The sacrifice of the IV is also undesirable. IV的牺牲也是不希望的。 Further more it isn't clear what attack is being defended against. 此外，还不清楚正在捍卫什么样的攻击。 Where as using something like SVN+HTTPS is very common and also secure. 使用像SVN + HTTPS这样的东西很常见也很安全。 My post is merely stating that it is possible to do this efficiently. 我的帖子只是声明可以有效地做到这一点。

为什么不在加密文件系统上设置repo（subversion，mercurial等），并仅使用ssh进行连接？

Use rsyncrypto to encrypt files from your plaintext directory to your encrypted directory, and decrypt files from your encrypted directory and your plaintext directory, using keys that you keep locally. 使用rsyncrypto将文件从明文目录加密到加密目录，并使用本地保存的密钥解密加密目录和纯文本目录中的文件。

Use your favorite version control system (or any other version control system -- svn, git, mercurial, whatever) to synchronize between your encrypted directory and the remote host. 使用您喜欢的版本控制系统（或任何其他版本控制系统 - svn，git，mercurial等）在您的加密目录和远程主机之间进行同步。

The rsyncrypto implementation you can download now from Sourceforge not only handles changes in bytes, but also insertions and deletions. 您现在可以从Sourceforge下载的rsyncrypto实现不仅可以处理字节更改，还可以处理插入和删除。 It implements an approach very similar to the approach that that "The Rook" mentions. 它实现了一种非常类似于“The Rook”提到的方法的方法。

Single-byte insertions, deletions, and changes in a plaintext file typically cause rsyncrypto to make a few K of completely different encrypted text around the corresponding point in the encrypted version of that file. 明文文件中的单字节插入，删除和更改通常会导致rsyncrypto在该文件的加密版本中的相应点周围生成几K个完全不同的加密文本。

Chris Thornton points out that ssh is one good solution; 克里斯桑顿指出，ssh是一个很好的解决方案; rsyncrypto is a very different solution. rsyncrypto是一个非常不同的解决方案。 The tradeoff is: 权衡是：

using rsyncrypto requires transferring a few K for each "trivial" change rather than the half-aK it would take using ssh (or on a unencrypted system). 使用rsyncrypto需要为每个“微不足道的”更改传输几个K而不是使用ssh（或在未加密的系统上）使用的半个aK。 So ssh is slightly faster and requires slightly less "diff" storage than rsyncrypto. 所以ssh稍微快一点，并且需要比rsyncrypto稍微少一点的“diff”存储。
using ssh and a standard VCS requires the server to (at least temporarily) have the keys and decrypt the files. 使用ssh和标准VCS要求服务器（至少暂时）拥有密钥并解密文件。 With rsyncrypto, all encryption keys never leave the local computer. 使用rsyncrypto，所有加密密钥都不会离开本地计算机。 So rsyncrypto is slightly more secure. 所以rsyncrypto稍微安全一些。

You could use a Tahoe-LAFS grid to store your files. 您可以使用Tahoe-LAFS网格来存储文件。 Since Tahoe is designed as a distributed file system, not a versioning system, you'd probably need to use another versioning scheme on top of the file system. 由于Tahoe被设计为分布式文件系统，而不是版本控制系统，因此您可能需要在文件系统之上使用另一种版本控制方案。

Edit: Here's a prototype extension to use Tahoe-LAFS as the backend storage for Mercurial . 编辑：这是一个原型扩展，使用Tahoe-LAFS作为Mercurial的后端存储。

SVN have built-in support for transferring data securely. SVN内置支持安全传输数据。 If you use svnserve, then you can access it securely using ssh. 如果您使用svnserve，则可以使用ssh安全地访问它。 Alternatively you can access it through the apache server using https. 或者，您可以使用https通过apache服务器访问它。 This is detailed in the svn documentation . 这在svn文档中有详细说明。

What specifically are you trying to guard against? 具体你要防范什么？

Use Subversion ssh or https for the repo access. 使用Subversion ssh或https进行repo访问。 Use an encrypted filesystem on the clients. 在客户端上使用加密的文件系统。

Have a look at GIT. 看看GIT。 It supports various hooks that might do the job. 它支持可能完成这项工作的各种钩子。 See, git encrypt/decrypt remote repository files while push/pull . 请参阅，推/拉时git加密/解密远程存储库文件。

Have you thought of using Duplicity? 你有没有想过使用Duplicity？ It's like rdiff-backup (delta backups) but encrypted? 它就像rdiff-backup（增量备份）但加密了？ Not really version control - but maybe you want all the cool diff stuff but don't want to work with anyone else. 不是真正的版本控制 - 但也许你想要所有酷炫的差异，但不想与其他人合作。 Or, just push/pull from a local Truecrypt archive and rsync it to a remote location. 或者，只需从本地Truecrypt存档推送/拉出并将其同步到远程位置即可。 rsync.net has a nice description of both - http://www.rsync.net/resources/howto/duplicity.html http://www.rsync.net/products/encrypted.html - apparently Truecrypt containers still rsync well. rsync.net有两个很好的描述 - http://www.rsync.net/resources/howto/duplicity.html http://www.rsync.net/products/encrypted.html - 显然Truecrypt容器仍然很好。

Variant A 变式A.

Use a distributed VCS and transport changes direct between different clients over encrypted links. 使用分布式VCS并通过加密链接在不同客户端之间直接传输更改。 In this scenario is no attackable central server. 在这种情况下，没有可攻击的中央服务器。

For example with mercurial you can use the internal web server, and connect the clients via VPN. 例如，使用mercurial，您可以使用内部Web服务器，并通过VPN连接客户端。 Or you can bundle the change sets and distribute them with encrypted mails. 或者，您可以捆绑更改集并使用加密邮件进行分发。

Variant B 变体B

You can export an encrypted hard drive partition over the network and mount it on the client side, and run the VCS on the client side. 您可以通过网络导出加密的硬盘驱动器分区并将其安装在客户端，并在客户端运行VCS。 But this approach has lot's of problems, like: 但这种方法存在很多问题，例如：

possible data loss when two different clients try to access the VCS at the same time 当两个不同的客户端同时尝试访问VCS时可能会丢失数据
the link itself must be secured against fraudulent write access (when the partition is shared via NFS it is very likely to end with a configuration where anyone can write to the shared partition, so even when there is no way for others to read the content, there is easily a hole to destroy the content) 必须保护链接本身免受欺诈性写入访问（当通过NFS共享分区时，很可能以任何人都可以写入共享分区的配置结束，因此即使其他人无法读取内容，容易破坏内容的一个洞）

There might be also other problems with variant B, so forget variant B. 变体B可能还有其他问题，所以忘记变体B.

Variant C 变体C.

Like @Commodore Jaeger wrote, use a VCS on top of an encryption-aware network file system like AFS . 像@Commodore Jaeger写的那样，在像AFS这样的加密感知网络文件系统之上使用VCS。

Similar to some comments above, a useful workaround may be to encrypt&zip the whole repository locally and synchronize it with the remote box. 与上面的一些注释类似，一个有用的解决方法可能是在本地加密和压缩整个存储库并将其与远程框同步。 Eg when using git, the whole repository is stored in directory '.git' within the project dir. 例如，当使用git时，整个存储库存储在项目目录中的目录“.git”中。

zip/encrypt the whole project dir zip /加密整个项目目录
upload it to a server (unsure if handling .git alone is sufficient) 将其上传到服务器（不确定单独处理.git是否足够）
before you continue working on the project download this archive 在继续处理项目之前，请下载此存档
decrypt/unpack and sync with git (locally) 解密/解压缩并与git同步（本地）

This can be done with a simple shell line script more comfortable. 这可以通过简单的shell行脚本来完成。

pro: You can use whatever encryption is appropriate as well as every VCS which supports local repositories. pro：您可以使用任何适当的加密以及支持本地存储库的每个VCS。

cons: lacks obviously some VCS features when several people want to upload their code base (the merge situation) - although, perhaps, this could be fixed by avoiding overwrite remotely and merging locally (which introduces locking, this is where the nightmare starts) 缺点：当几个人想要上传他们的代码库（合并情况）时，显然缺少一些VCS功能 - 尽管也许这可以通过避免远程覆盖和本地合并来解决（这引入了锁定，这就是噩梦开始的地方）

Nevertheless, this solution is a hack, not a proper solution. 然而，这个解决方案是一个黑客，而不是一个合适的解决方案。

Source safe stores data in Encrypted files. 源安全性将数据存储在加密文件中。 Wait, I take that back. 等等，我把它拿回来。 They're obfuscated. 他们被混淆了。 And there's no other security other than a front door to the obfuscation. 除了混淆的前门之外，没有其他安全措施。

C'mon, it's monday. 来吧，这是星期一。

基于我的理解，这是不可能的，因为在SVN和其他版本控制系统中，服务器需要访问明文才能执行版本控制。