encrypt just the annex on git+annex hosting site

Some git hosting sites (e.g forgejo instances tweaked to support git-annex) can store annexed contents. The goal here would be to encrypt the annexed file contents, but not the git repo. What would it take?

Git-annex encryption can be enabled for special remotes, but in this case there is only a "regular" git remote so there is no way to set the config.

My first intuition was to initialize a type=git special remote pointing to the same location, but it does not support encryption (initremote fails with git-annex: Unexpected parameters: encryption keyid).

There is the gcrypt special remote (and it worked with the forgejo instance I tried), but it encrypts / obfuscates everything (file names, commits etc.) and turns each push into a force push.

The advantage of having the annexed files but not the git repo encrypted is that the file tree, commit history, readme and all the things typically displayed by the site would still be viewable (communicating repository layout, contents), but GPG keys would be used to control practical access (possibly on top of site's access premissions).

Thanks in advance for considering! -- MSz

RSS Atom

👍 +1 for encrypting the annex on regular git remotes

Funny, playing around with my own forgejo-aneksajo instance, I thought about exactly that 😀 Being able to encrypt only the annex but keeping the repo open would be cool.

Comment by nobodyinperson — Thu Sep 12 14:51:20 2024

Remove comment

comment 2

Another place this came up is https://git-annex.branchable.com/design/passthrough_proxy/#index14h2 where a proxy to an encrypted special remote necessarily does encryption server side, but the user may not want the server to see their unencrypted files.

There I suggested "adding a special remote that does its own client-side encryption in front of the proxy". Such a layered special remote could also be used with a git remote. There would be some complexity cost, since you would have two remote names, one used for git and the other for git-annex.

Implementing object encryption in git remotes is certianly possible, but it would be a special case and the existing code for encrypting special remotes (particularly Remote.Helper.Special.specialRemote) would not be able to be reused.

There's also the problem that, if such a git repository is added as a regular remote, and the git-annex branch that indicates that it is encrypted has not yet been pulled, git-annex would not realize that it is supposed to be encrypted, so would send unencrypted objects to it. This seems like an easy situation to accidentially get into eg:

git remote add foo http://example.com/
git annex move --to foo # oops unencrypted

Overall I prefer the idea of layering an encrypted special remote to complicating the git remote with encryption. Enabling that special remote could make git-annex treat the underlying remote as annex-ignore, to prevent accidentially sending unencrypted objects to it.

There could also be situations where you want to store some files unencrypted on a git hosting site to let them be accessible via its UI, but encrypt other files, and the layered special remote also allows for that kind of thing.

Comment by joey — Wed Sep 18 12:17:02 2024

Remove comment

Add a comment