Is it possible to add an option, for initremote/enableremote, to encrypt the credentials but not the contents? Then it would be possible to have an exporttree remote while using embedcreds. It would also be good if locally stored credentials could be stored in encrypted form, and decrypted for use as needed. I'm uneasy about keeping credentials accessible without a passphrase.
I agree it would make sense to have some way to embedcreds without encrypting content stored on the remote.
I suppose one way to express it is as encryption=onlycreds embedcreds=yes with one or more keyids.
Note that the tahoe special remote supports embedcreds, but disallows setting any encryption (because tahoe handles that) so the creds can only be stored in the clear currently. It would make sense for tahoe to support encryption=onlycreds while disallowing other encryption methods.
As for storing creds locally only in encrypted form, it would suffice to have an option that makes git-annex not write anything to .git/annex/creds/, so it would not use those files as a cache, and would pull the creds out of the repository and decrypt each time needed (or use environment variables for creds when applicable). In some cases that would cause more gpg prompts. I think that S3 and WebDAV special remotes only call getRemoteCredPair once per run, but external may call it repeatedly, and glacier calls it once per request.
Implemented as annex.cachecreds.
Yes, gpg-agent is why I'm not stressing the potential extra gpg use by that setting.
Hi Joey,
I am also in need of the encryption=credsonly option for the LTO tape special remote on which I am currently working. LTO tape drives provide hardware-based AES encryption which I would like to use. However, to enable this HW-accelerated encryption, I need to initialize the tape drive with an appropriate key, which I would like to store in the annex using credentials.
I think I was assuming that encryption=onlycreds would use the same scheme as encryption=hybrid, so new gpg keys can later be given access to the creds.
It might be possible that someone would want the equivalent of encryption=pubkey instead. (encryption=sharedpubkey is the same as encryption=pubkey as far as encryption of creds goes.)
In future there might be some other, better encryption scheme that might be desirable to use only for creds. E.g., something other than gpg.
An alternative to support such would be to use:
I've implemented onlyencryptcreds=yes.
Note that this bug needs to be addressed to avoid some foot shooting with this new option: prevent enableremote changing encryption. Since the foot shooting is no worse than previously possible foot shooting shown in that bug, I went ahead and added this new feature before addressing that bug.
Hi Joey,
thank you very much for the quick implementation of this feature! I have tested it already successfully.
There seems to be a minor issue when I am trying to set encryptonlycreds=yes via SETCONFIG, followed by a subsequent SETCREDS:
I am not sure if this is even supposed to be supported? Let me know if I am using it in the wrong way.
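The SETCONFIG-then-SETCREDS sequence from the comment above, as an added example that is not part of the original thread or of git-annex: a small Python stand-in for the git-annex side records what an external special remote sets during INITREMOTE and answers a later GETCREDS. The message names (VERSION, INITREMOTE, SETCONFIG, SETCREDS, GETCREDS, CREDS, INITREMOTE-SUCCESS, ERROR) follow the external special remote protocol; the setting name `tapekey`, the user field `lto`, the key value, the description text and the ERROR wording are constructed for illustration. It models only the line grammar (command word, single-space-separated fields, last field may contain spaces) and does not decide whether git-annex accepts onlyencryptcreds via SETCONFIG, which is the question the comment raises.

```python
"""Simulated INITREMOTE exchange between git-annex and an external special remote.

Added example: the git-annex side below is a stand-in written here, not
git-annex's own code. Message names follow the external special remote
protocol; the setting name "tapekey", the user field "lto", the key value,
the description and the ERROR wording are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple


class MockAnnex:
    """Stand-in for git-annex that records what a remote sets during INITREMOTE.

    Only the line grammar is modelled: command word first, then fields
    separated by single spaces, with the last field allowed to contain
    spaces. Whether real git-annex accepts a particular setting via
    SETCONFIG is not decided here.
    """

    def __init__(self) -> None:
        self.config: Dict[str, str] = {}
        self.creds: Dict[str, Tuple[str, str]] = {}
        self.transcript: List[str] = []  # both directions, in order

    def send(self, line: str) -> None:
        """Record a line git-annex itself sends to the remote (e.g. INITREMOTE)."""
        self.transcript.append("annex> " + line)

    def handle(self, line: str) -> Optional[str]:
        """Process one line from the remote; return git-annex's reply, if any."""
        self.transcript.append("remote> " + line)
        cmd, _, rest = line.partition(" ")
        reply: Optional[str] = None
        if cmd == "VERSION":
            if rest != "1":
                reply = "ERROR unsupported protocol version"  # stand-in wording
        elif cmd == "SETCONFIG":
            # SETCONFIG Setting Value: only the first space splits the fields,
            # so a value such as a description may itself contain spaces.
            setting, _, value = rest.partition(" ")
            self.config[setting] = value
        elif cmd == "SETCREDS":
            # SETCREDS Setting User Password
            setting, _, userpass = rest.partition(" ")
            user, _, password = userpass.partition(" ")
            self.creds[setting] = (user, password)
        elif cmd == "GETCREDS":
            # GETCREDS Setting -> CREDS User Password (empty fields if unset)
            user, password = self.creds.get(rest, ("", ""))
            reply = f"CREDS {user} {password}"
        elif cmd in ("INITREMOTE-SUCCESS", "INITREMOTE-FAILURE"):
            pass  # end of the INITREMOTE step; nothing to send back
        else:
            reply = "ERROR unknown message"  # stand-in wording
        if reply is not None:
            self.transcript.append("annex> " + reply)
        return reply


def tape_remote_initremote(tape_key: str) -> List[str]:
    """Lines a (hypothetical) LTO tape remote sends in response to INITREMOTE.

    Same order as the comment describes: SETCONFIG first, then SETCREDS
    carrying the drive key in the password field, then success.
    """
    return [
        "SETCONFIG onlyencryptcreds yes",
        "SETCONFIG description LTO tape drive 1",  # value with spaces
        f"SETCREDS tapekey lto {tape_key}",
        "INITREMOTE-SUCCESS",
    ]


def run_initremote(tape_key: str) -> MockAnnex:
    """Drive one INITREMOTE round trip and return the recording stand-in."""
    annex = MockAnnex()
    annex.handle("VERSION 1")  # the remote speaks first
    annex.send("INITREMOTE")
    for line in tape_remote_initremote(tape_key):
        annex.handle(line)
    return annex


if __name__ == "__main__":
    annex = run_initremote("0123456789abcdef0123456789abcdef")  # constructed key
    print("\n".join(annex.transcript))
    print(annex.handle("GETCREDS tapekey"))
```

Running it prints the full transcript followed by the CREDS reply; the point to notice is that SETCONFIG and SETCREDS get no reply at all, so a remote that waits for one after either message will hang, and that only the last field of a line may contain spaces.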