todo/encrypt only the credentials (git-annex, http://git-annex.branchable.com/todo/encrypt_only_the_credentials/, feed generated by ikiwiki, updated 2019-01-21T15:42:51Z)

comment 1 by joey, 2018-12-04T17:18:19Z (http://git-annex.branchable.com/todo/encrypt_only_the_credentials/comment_1_7c3911e8fbc981c7e1f32b1464ce4122/)
<p>I agree it would make sense to have some way to embedcreds without
encrypting content stored on the remote.</p>
<p>I suppose one way to express it is as encryption=onlycreds embedcreds=yes
with one or more keyids.</p>
<p>Note that the tahoe special remote supports embedcreds,
but disallows setting any encryption (because tahoe handles that)
so the creds can only be stored in the clear currently. It would make sense for
tahoe to support encryption=onlycreds while disallowing other encryption
methods.</p>
<hr />
<p>As for storing creds locally only in encrypted form, it would suffice to
have an option that makes git-annex not write anything to
.git/annex/creds/, so it would not use those files as a cache, and would
pull the creds out of the repository and decrypt each time needed
(or use environment variables for creds when applicable.) In some cases
that would cause more gpg prompts. I think that S3 and WebDAV special
remotes only call getRemoteCredPair once per run, but external may
call it repeatedly, and glacier calls it once per request.</p>
<p>Implemented as annex.cachecreds.</p>
comment 2 by Ilya_Shlyakhter, 2018-12-04T18:40:01Z (http://git-annex.branchable.com/todo/encrypt_only_the_credentials/comment_2_76fdfa927562d33dfea9630b3b729220/)
thanks! "that would cause more gpg prompts" -- wouldn't gpg-agent prevent that?
comment 3 by joey, 2018-12-04T19:20:11Z (http://git-annex.branchable.com/todo/encrypt_only_the_credentials/comment_3_6f0ba120ef655d5250fdf3db53464fe6/)
<p>Yes, gpg-agent is why I'm not stressing the potential extra gpg use by that
setting.</p>