git-remote-gcrypt adds support for encrypted remotes to git. Combine this with git-annex encrypting the files it stores in a remote, and you can fully encrypt all the data stored on a remote.

Here are some ways you can use this awesome stuff..

This page will show how to set it up at the command line, but the git-annex assistant can also be used to help you set up encrypted git repositories.

prerequisites

  • Install git-remote-gcrypt.

  • Set up a gpg key. You might consider generating a special purpose key just for this use case, since you may end up wanting to put the key on multiple machines that you would not trust with your main gpg key.

    The examples below use "$mykey" where you should put your gpg keyid.

encrypted backup drive

Let's make a USB drive into an encrypted backup repository. It will contain both the full contents of your git repository, and all the files you instruct git-annex to store on it, and everything will be encrypted so that only you can see it.

Here's how to set up the encrypted repository:

git init --bare /mnt/encryptedbackup
git annex initremote encryptedbackup type=gcrypt gitrepo=/mnt/encryptedbackup keyid=$mykey
git annex sync encryptedbackup

(Remember to replace "$mykey" with the keyid of your gpg key.)

This uses the gcrypt special remote to encrypt pushes to the git remote, and git-annex will also encrypt the files it stores there.

Now you can copy (or even move) files to the repository. After sending files to it, you'll probably want to do a sync, which pushes the git repository changes to it as well.

git annex copy --to encryptedbackup ...
git annex sync encryptedbackup

Note that if you lose your gpg key, it will be impossible to get the data out of your encrypted backup. You need to find a secure way to store a backup of your gpg key. Printing it out and storing it in a safe deposit box, for example.

You can actually specify keyid= as many times as you like to allow any one of a set of gpg keys to access this repository. So you could add a friend's key, or another gpg key you have.

To restore from the backup, just plug the drive into any machine that has the gpg key used to encrypt it, and then:

git clone gcrypt::/mnt/encryptedbackup restored
cd restored
git annex enableremote encryptedbackup gitrepo=/mnt/encryptedbackup
git annex get --from encryptedbackup

encrypted git-annex repository on a ssh server

If you have a server that has ssh and rsync installed on it, you can set up an encrypted repository there. Works just like the encrypted drive except without the cable.

This example uses rsync urls in a form supported by git-remote-gcrypt since version 1.4. Older versions won't work with the urls used here, consult its documentation if you have to use an old version.

First, on the server, run:

git init --bare encryptedrepo

Now, in your existing git-annex repository, set up the encrypted remote:

git annex initremote encryptedrepo type=gcrypt gitrepo=rsync://my.server/home/me/encryptedrepo keyid=$mykey
git annex sync encryptedrepo

(Remember to replace "$mykey" with the keyid of your gpg key.)

This uses the gcrypt special remote to encrypt pushes to the git remote, and git-annex will also encrypt the files it stores there. Data is transferred using rsync over ssh.

If you're going to be sharing this repository with others, be sure to also include their keyids, by specifying keyid= repeatedly.

Now you can copy (or even move) files to the repository. After sending files to it, you'll probably want to do a sync, which pushes the git repository changes to it as well.

git annex copy --to encryptedrepo ...
git annex sync encryptedbackup

Anyone who has access to the repo it and has one of the keys used to encrypt it can check it out:

git clone gcrypt::rsync://my.server/home/me/encryptedrepo myrepo
cd myrepo
git annex enableremote encryptedrepo gitrepo=rsync://my.server/home/me/encryptedrepo
git annex get --from encryptedrepo

private encrypted git remote on a git-lfs hosting site

Some git repository hosting sites do not support git-annex, but do support the similar git-lfs for storing large files alongside a git repository. git-annex can use the git-lfs protocol to store files in such repositories, and with gcrypt, everything stored in the remote can be encrypted.

First, make a new, empty git repository on the hosting site. Get the ssh clone url for the repository, which might look like "git@github.com:username/somerepo.git"

Then, in your git-annex repository, set up the encrypted remote:

git annex initremote lfstest type=git-lfs url=gcrypt::git@github.com:username/somerepo.git keyid=$mykey

(Remember to replace "$mykey" with the keyid of your gpg key.)

This uses the git-lfs special remote, and the gcrypt:: prefix on the url makes pushes be encrypted with gcrypt.

private encrypted git remote on a git hosting site

You can use gcrypt to store your git repository in encrypted form on any hosting site that supports git. Only you can decrypt its contents. Using it this way, git-annex does not store large files on the hosting site; it's only used to store your git repository itself.

git remote add encrypted gcrypt::ssh://hostingsite/myrepo.git
git push encrypted master git-annex

Now you can carry on using git-annex with your new repository. For example, git annex sync will sync with it.

To check out the repository from the hosting site, use the same gcrypt:: url you used when setting it up:

git clone gcrypt::ssh://hostingsite/myrepo.git

multiuser encrypted git remote on a git hosting site

Suppose two users want to share an encrypted git remote. Both of you need to set up the remote, and configure gcrypt to encrypt it so that both of you can see it.

git remote add sharedencrypted gcrypt::ssh://hostingsite/myrepo.git
git config remote.sharedencrypted.gcryt-participants "$mykey $friendkey"
git push sharedencrypted master git-annex