encryption git-annex http://git-annex.branchable.com/encryption/ git-annex ikiwiki 2021-04-18T15:40:55Z
comment 1 http://git-annex.branchable.com/encryption/comment_1_4257e3c4ae559f1c0595a903f738fd7e/ Giovanni 2015-03-10T22:16:09Z
<p>I have a gcrypt special remote encrypted in hybrid mode, when I try to add a keyid using:</p>
<pre><code> git annex enableremote myremote keyid+=XXXXXXXX
</code></pre>
<p>I get this error:</p>
<pre><code> enableremote myremote (encryption update) (hybrid cipher with gpg keys XXXXXXXX XXXXXXX) fatal: remote myremote already exists.
git-annex: git [Params "remote add",Param "myremote",Param "gcrypt::XXXXXXXXXXX:gcrypt-tests"] failed
</code></pre>
<p>This is my git-annex version info:</p>
<pre><code> git-annex version: 5.20141125
build flags: Assistant Webapp Webapp-secure Pairing Testsuite S3 WebDAV Inotify DBus DesktopNotify XMPP DNS Feeds Quvi TDFA CryptoHash
key/value backends: SHA256E SHA1E SHA512E SHA224E SHA384E SKEIN256E SKEIN512E SHA256 SHA1 SHA512 SHA224 SHA384 SKEIN256 SKEIN512 WORM URL
remote types: git gcrypt S3 bup directory rsync web webdav tahoe glacier ddar hook external
local repository version: 5
supported repository version: 5
upgrade supported from repository versions: 0 1 2 4
</code></pre>
<p>Am I doing something wrong? Thank you, Giovanni</p>
comment 2 http://git-annex.branchable.com/encryption/comment_2_5c2da865082de475254ebfd53feb2d0a/ joey 2015-07-06T19:58:57Z 2015-07-06T19:57:12Z
<p>@Giovanni, git is complaining that there is already a remote named
"myremote" enabled in the current repository. Perhaps you have reused this
name for a different remote.</p>
<p>(This seems to have nothing to do with the page the comment was posted to, which
is a bit annoying. Please post questions in the forum and not attached to
random other pages.)</p>
Listing GPG keys enabled for a remote with hybrid encryption http://git-annex.branchable.com/encryption/comment_3_46e64e4856975706e06e2a012a5d8f67/ whlabratz 2015-09-15T22:37:35Z
Is there a straightforward way to list which GPG keys are enabled for a particular remote?
listing gpg keys http://git-annex.branchable.com/encryption/comment_4_fe8b181adef9a39a039ff96a0d587188/ joey 2015-09-17T21:21:02Z 2015-09-17T17:01:38Z
<p>Run "git annex info specialremote" and it will describe the encryption
settings of the remote, including gpg keys where applicable.</p>
<p>Needs a fairly recent git-annex. <code>git show git-annex:remote.log</code> can
also be used.</p>
Shared key - how many keys? http://git-annex.branchable.com/encryption/comment_5_5c9897663aaa83ca39a7e8cb292a3fd1/ gavinwahl 2016-04-03T03:43:58Z
<p>In shared mode, is a single key used to encrypt every file in the repository? Or is a new key created for each file?</p>
<p>Shared mode has the properties I need - getting access to the git repo should give you access to all the content. BUT, if one loses access to updates to the git repo, they should not have access to files added after they lost access.</p>
comment 6 http://git-annex.branchable.com/encryption/comment_6_1756ce62906586f876a3491e5d9befde/ joey 2016-04-04T19:44:31Z 2016-04-04T18:48:34Z
<p>@gavinwahl, it's a single shared key that any clone of the repository
provides access to.</p>
<p>If you use the tahoe special remote, storing files in tahoe-lafs does result
in a new capability (a kind of key) being stored in the git repo.
So someone with an old clone can't access the files from tahoe-lafs.
Tahoe is unique in providing that ability.</p>
Workflow for adding a keyid in hybrid-enc later on and re-encrypting? http://git-annex.branchable.com/encryption/comment_8_3849eb24c3682644e263bae107747dee/ joern.mankiewicz 2017-03-21T22:08:30Z
<p>Hi folks!</p>
<p>We are considering introducing git-annex with gcrypt in hybrid mode as secure storage for common data in our company and I'd rather not delete and reinit the repo every time when somebody new is granted access.
A little testing with current git-annex showed that GCRYPT_FULL_REPACK with a forced git-push of all branches makes the git-repo accessible (I get the files) to the newcomer but not the annexed data (gpg error "No secret key" in git annex get, git annex info secretRepo just lists my first key).</p>
<p>Has anybody successfully tested adding keyids in hybrid-encryption later on? Which further steps were needed to make it work?</p>
<p>Thanks for any input! :)</p>
<p>Cheers</p>
<p>Jörn</p>
comment 8 http://git-annex.branchable.com/encryption/comment_8_66e81e89fd483ca95620522b0f63c4fd/ joey 2017-04-07T18:11:00Z 2017-04-07T16:52:59Z
<p>@joern.mankiewicz, I see you found a bug and filed it, so will answer in
the bug report.</p>
<p>Barring bugs, adding another gpg key to a hybrid encryption special remote
is as simple as <code>git annex enableremote $theremote keyid+=$newkey</code></p>
Encrypt to different subkeys? http://git-annex.branchable.com/encryption/comment_9_5ca10891d642392aaff342c1478b0550/ Yurt 2017-05-16T20:25:01Z
<p>Is it possible to encrypt with subkeys? I have a few subkeys distributed to different computers and I'd like to be able to sync to a special remote with all of them. Right now, if the master key is stripped, I get an error from gpg.</p>
<p>I do this exact thing with password-store. Appending "!" to the subkey id should force gpg to use that specific key: <a href="https://lists.zx2c4.com/pipermail/password-store/2014-September/001131.html">https://lists.zx2c4.com/pipermail/password-store/2014-September/001131.html</a>.</p>
comment 10 http://git-annex.branchable.com/encryption/comment_10_6416ee43ffad1c306ef71247ae71a6c5/ joey 2017-05-24T18:08:06Z 2017-05-24T17:47:46Z
<p>@Yurt, git-annex will let you specify the gpg key id using anything that gpg
accepts, including a keyid with an appended '!'. However, when I tried that,
gpg seemed to still pick the master key instead of the subkey. That
happens because git-annex runs the input through <code>gpg --list-public-keys</code>
(in order to convert eg, email addresses to key ids)
which always lists the master key even when given a subkey.</p>
<p>I made a small change to git-annex to special case this '!' suffix
behavior. Seems to work in my very limited testing.</p>
<p>Please file bug reports about this kind of thing!</p>
headless configs http://git-annex.branchable.com/encryption/comment_11_30b926fbabe9a0089de1f55f6f9a5d2d/ anarcat 2018-05-17T21:02:32Z
<p>Is there some combination of this and the gcrypt special remote that would give me the following properties:</p>
<ol>
<li>password-less operation (ie. allow uploading content without the private key)</li>
<li>easy revocation and key rotation (ie. not encrypt directly with GnuPG but instead encrypt a keyfile with the public keys)</li>
</ol>
<p>It seems to me this would be technically possible, no? A mix of "hybrid" and "sharedpubkey", basically...?</p>
<p>Hybrid works great, except I can't use it in my scenario because I am trying to automate backups and it will prompt me for the private key password. I guess the solution here is to have a special unencrypted private key for the batch job? Thanks! -- anarcat</p>
Option to disable filename encryption http://git-annex.branchable.com/encryption/comment_12_51fd19bf174906b1dd1461efd6ce3798/ johannes 2019-01-21T15:42:51Z 2018-12-29T01:13:20Z
Are there plans to have a mac=PLAIN/NONE option?
Can I manually decrypt my files? http://git-annex.branchable.com/encryption/comment_13_44c6a401526a6ee22d5f0316336d453b/ datamanager 2021-04-13T20:04:31Z
<p>I have a dropbox remote configured, and <code>git annex copy/move/get/etc</code> all seem to work just fine. I have hybrid encryption enabled on the remote, using my gpg key. So I thought, what if I were to download the encrypted file, and attempt to decrypt it locally. Would that work?
It didn't work. Maybe I'm doing something wrong? I simply download the file through rclone, or the dropbox interface, and run <code>gpg --decrypt filename....</code> pinentry does ask for my password, but I don't think it's asking for the password to my gpg key. Maybe the file is encrypted twice? Once with my key, and again using a generic password that git-annex knows? I am not sure.
Any help would be appreciated!</p>
comment 1 http://git-annex.branchable.com/encryption/comment_14_5832365e198284c93d4a505856932841/ joey 2021-04-13T20:34:52Z 2021-04-13T20:30:33Z
<p>See
<a href="https://git-annex.branchable.com/tips/Decrypting_files_in_special_remotes_without_git-annex/">https://git-annex.branchable.com/tips/Decrypting_files_in_special_remotes_without_git-annex/</a>
for a small shell script that can do it.</p>
hybrid encryption http://git-annex.branchable.com/encryption/comment_14_fb6ec1f42789a62358605e293b678318/ Ilya_Shlyakhter 2021-04-13T20:30:44Z 2021-04-13T20:30:43Z
With <a href="http://git-annex.branchable.com/design/encryption/">hybrid encryption</a>, your gpg key encrypts a symmetric key which then encrypts file content. Try getting the encrypted symmetric key from <a href="http://git-annex.branchable.com/internals/"><code>remote.log</code></a>, decrypting it with your gpg key, then using that to decrypt file content.
reply http://git-annex.branchable.com/encryption/comment_16_5dc76b832ae6b1bb7f458bf8e2650e8e/ datamanager 2021-04-18T15:38:33Z
<blockquote><p> Try getting the encrypted symmetric key from remote.log</p></blockquote>
<p>Sorry, but where is that file? <code>find ./ -type f -name *.log</code> doesn't show me anything in this repository.</p>
comment 17 http://git-annex.branchable.com/encryption/comment_17_a2195a298f65e427fe8460c8bc380f99/ Ilya_Shlyakhter 2021-04-18T15:40:55Z
It’s on the git-annex branch. See <a href="http://git-annex.branchable.com/internals/">internals</a>.
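Added example (not part of the thread and not git-annex's own code): a shell function that reads the output of `git show git-annex:remote.log`, the command mentioned in the replies above, and lists the gpg key ids recorded for each special remote. It assumes the one-line-per-remote `var=value` layout with `name`, `encryption` and `cipherkeys` fields and values without embedded whitespace; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which gpg key ids each special remote is encrypted to.
# Assumed layout of remote.log (one line per remote):
#   <uuid> var=value var=value ... timestamp=<seconds>s

# Reads remote.log text on stdin.
# Prints one line per remote: "<name> <encryption mode> <comma-separated key ids>".
list_remote_keys() {
    awk '{
        name = "(unnamed)"; enc = "(unspecified)"; keys = "(none)"
        # Field 1 is the remote uuid; the rest are var=value pairs.
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")          # split on the FIRST "=" only, so
            if (eq == 0) continue        # base64 padding in values is kept
            var = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (var == "name") name = val
            else if (var == "encryption") enc = val
            else if (var == "cipherkeys") keys = val
        }
        print name, enc, keys
    }'
}

# Constructed sample, not real data: uuids, key ids and cipher values are
# placeholders. A shared-mode remote carries a cipher but no cipherkeys.
sample_remote_log() {
    cat <<'EOF'
00000000-0000-0000-0000-000000000001 cipher=PLACEHOLDER== cipherkeys=AAAAAAAAAAAAAAAA,BBBBBBBBBBBBBBBB encryption=hybrid name=myremote type=gcrypt timestamp=1500000000.0s
00000000-0000-0000-0000-000000000002 cipher=PLACEHOLDER== encryption=shared name=other type=directory timestamp=1500000001.0s
EOF
}

# In a real repository, feed it the file from the git-annex branch instead:
#   git show git-annex:remote.log | list_remote_keys
sample_remote_log | list_remote_keys
```

A remote that shows only the original key id after `enableremote ... keyid+=` has not had its encrypted cipher updated for the new recipient, which matches the "No secret key" symptom reported earlier in the thread.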