git-remote-gcrypt adds support for encrypted remotes to git. The git-annex gcrypt special remote allows git-annex to also store its files in such repositories. Naturally, git-annex encrypts the files it stores too, so everything stored on the remote is encrypted.

Here are some ways you can use this awesome stuff..

This page will show how to set it up at the command line, but the git-annex assistant can also be used to help you set up encrypted git repositories.


encrypted backup drive

Let's make a USB drive into an encrypted backup repository. It will contain both the full contents of your git repository, and all the files you instruct git-annex to store on it, and everything will be encrypted so that only you can see it.

First, you need to set up a gpg key. You might consider generating a special purpose key just for this use case, since you may end up wanting to put the key on multiple machines that you would not trust with your main gpg key.

You need to tell git-annex the keyid of the key when setting up the encrypted repository:

git init --bare /mnt/encryptedbackup
git annex initremote encryptedbackup type=gcrypt gitrepo=/mnt/encryptedbackup keyid=$mykey
git annex sync encryptedbackup

Now you can copy (or even move) files to the repository. After sending files to it, you'll probably want to do a sync, which pushes the git repository changes to it as well.

git annex copy --to encryptedbackup ...
git annex sync encryptedbackup

Note that if you lose your gpg key, it will be impossible to get the data out of your encrypted backup. You need to find a secure way to store a backup of your gpg key. Printing it out and storing it in a safe deposit box, for example.

You can actually specify keyid= as many times as you like to allow any one of a set of gpg keys to access this repository. So you could add a friend's key, or another gpg key you have.

To restore from the backup, just plug the drive into any machine that has the gpg key used to encrypt it, and then:

git clone gcrypt::/mnt/encryptedbackup restored
cd restored
git annex enableremote encryptedbackup gitrepo=/mnt/encryptedbackup
git annex get --from encryptedbackup

encrypted git-annex repository on a ssh server

If you have a ssh server that has rsync installed, you can set up an encrypted repository there. Works just like the encrypted drive except without the cable.

First, on the server, run:

git init --bare encryptedrepo

(Also, install git-annex on the server if it's possible & easy to do so. While this will work without git-annex being installed on the server, it is recommended to have it installed.)

Now, in your existing git-annex repository, set up the encrypted remote:

git annex initremote encryptedrepo type=gcrypt gitrepo=ssh://my.server/home/me/encryptedrepo keyid=$mykey
git annex sync encryptedrepo

If you're going to be sharing this repository with others, be sure to also include their keyids, by specifying keyid= repeatedly.

Now you can copy (or even move) files to the repository. After sending files to it, you'll probably want to do a sync, which pushes the git repository changes to it as well.

git annex copy --to encryptedrepo ...
git annex sync encryptedbackup

Anyone who has access to the repo it and has one of the keys used to encrypt it can check it out:

git clone gcrypt::ssh://my.server/home/me/encryptedrepo myrepo
cd myrepo
git annex enableremote encryptedrepo gitrepo=ssh://my.server/home/me/encryptedrepo
git annex get --from encryptedrepo

private encrypted git remote on hosting site

You can use gcrypt to store your git repository in encrypted form on any hosting site that supports git. Only you can decrypt its contents. Using it this way, git-annex does not store large files on the hosting site; it's only used to store your git repository itself.

git remote add encrypted gcrypt::ssh://hostingsite/myrepo.git
git push encrypted master git-annex

Now you can carry on using git-annex with your new repository. For example, git annex sync will sync with it.

To check out the repository from the hosting site, use the same gcrypt:: url you used when setting it up:

git clone gcrypt::ssh://hostingsite/myrepo.git

multiuser encrypted git remote on hosting site

Suppose two users want to share an encrypted git remote. Both of you need to set up the remote, and configure gcrypt to encrypt it so that both of you can see it.

git remote add sharedencrypted gcrypt::ssh://hostingsite/myrepo.git
git config remote.sharedencrypted.gcryt-participants "$mykey $friendkey"
git push sharedencrypted master git-annex