13

I have a production server (Ubuntu, running 24/7) with a git repository and some client computers each with a working copy of this repository. In the client computers, simply using home folder encryption seems to solve the problem that in case of stolen hardware nobody can access the files in the git.

How can I encrypt the remote side of the git repository to make sure that in case of stolen hardware nobody can reconfigure and clone the git repository?

At first, I thought of encrypting the home directory of the git user, but then I realised that this wouldn't make any sense, since when and by whom should it be decrypted?

Can I put the git repository in my own home directory / link to it so it will only be available when I have logged into the server via SSH? Or is there a similar solution to this problem?

Thanks for any tips in advance!

leemes

4 Answers

6

You could use an encrypted home directory. You would have to log in and manually mount the encrypted drive and provide the decryption key when the server reboots. You can't have the drive automatically mounted for obvious reasons.

stew
  • Thanks. So you mean encrypt the home directory of user `git`? Since I am not the user git when I log in with SSH, how do I mount the ecryptfs then? Or should I log in with user git? – leemes May 14 '12 at 19:45
  • (sorry, I only know ecryptfs in an auto configuration since I use Ubuntu on all my computers with encrypted home directories using ecryptfs, and so I never have to worry about any manual commands ;)) – leemes May 14 '12 at 19:47
  • 1
    You could encrypt just a single folder. You would be creating a file on the disk which represents the encrypted filesystem, then if you set up /etc/fstab correctly, it could just be something like running "mount /home/git/repository", which would prompt you for a password. Here is a decent writeup of how you might accomplish this: http://h3g3m0n.wordpress.com/2007/04/16/quick-simple-encrypted-loopback-filesystem/ – stew May 14 '12 at 21:00
2

You could use a smudge/clean filter to encrypt the contents of the repository on the remote filesystem: https://gist.github.com/873637

Peter Mounce
  • That actually encrypts the _local_ repository as well – Tobias Kienzler Oct 11 '12 at 06:22
  • 3
    Try https://github.com/AGWA/git-crypt instead -- uses CTR mode and understands crypto rather better; it leaves the local repo unencrypted in the working tree, via the smudge/clean filters. – Phil P Apr 13 '14 at 22:30
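
The following is an added example, not part of the original answers and not the code from the linked gist or from git-crypt. It wires a clean/smudge filter by hand and shows where plaintext and ciphertext end up: the working tree, the local object store, and a clone that has no key. The filter name `crypt`, the file `secret.txt`, the choice of `openssl enc` with AES-256-CBC, and the key and IV are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. KEY, IV and file contents are constructed sample values.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=0f0e0d0c0b0a09080706050403020100

# make_repo DIR: create a repo whose "crypt" filter encrypts secret.txt when
# it is staged (clean) and decrypts it on checkout (smudge).
make_repo() {
    git init -q "$1" &&
    git -C "$1" config user.name demo &&
    git -C "$1" config user.email demo@example.invalid &&
    # A fixed IV keeps the clean filter deterministic, so an unchanged file
    # is not reported as modified; the cost is that equal plaintexts yield
    # equal ciphertexts. A real key must not sit on a command line like this.
    git -C "$1" config filter.crypt.clean  "openssl enc -e -aes-256-cbc -K $KEY -iv $IV" &&
    git -C "$1" config filter.crypt.smudge "openssl enc -d -aes-256-cbc -K $KEY -iv $IV" &&
    git -C "$1" config filter.crypt.required true &&
    echo 'secret.txt filter=crypt' > "$1/.gitattributes" &&
    echo 'db_password=constructed-sample' > "$1/secret.txt" &&
    git -C "$1" add .gitattributes secret.txt &&
    git -C "$1" commit -q -m 'add encrypted file'
}

# has_plaintext: succeed if stdin contains the sample plaintext marker.
has_plaintext() { grep -q 'db_password='; }

# stored_blob DIR: print the raw object as kept in DIR's object database
# (cat-file does not run the smudge filter).
stored_blob() { git -C "$1" cat-file blob HEAD:secret.txt; }

demo() {
    tmp=$(mktemp -d) || return 1
    make_repo "$tmp/client" || return 1
    # A clone carries the objects and .gitattributes, but not the filter
    # configuration or the key: this is what the server's disk holds.
    git clone -q "$tmp/client" "$tmp/keyless" || return 1
    has_plaintext < "$tmp/client/secret.txt" && echo "client working tree: plaintext"
    stored_blob "$tmp/client" | has_plaintext || echo "client .git objects: ciphertext"
    has_plaintext < "$tmp/keyless/secret.txt" || echo "keyless clone: ciphertext"
    rm -rf "$tmp"
}
demo
```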
2

You could use git-remote-gcrypt to git push and git fetch from the client computers to the server (or anywhere else). Not just the contents but the names of the files and other (all?) repository metadata is encrypted as well.

Kenny Evitt
0

I have not tried it yet, but I'm currently looking at how to use gcrypt for encrypting the content of a git repository: https://github.com/AGWA/git-crypt

It seems really promising. So I'm gonna give it a try today.

Stephane Rolland