gitbucket / gitbucket

A Git platform powered by Scala with easy installation, high extensibility & GitHub API compatibility
https://gitbucket.github.io/
Apache License 2.0
9.16k stars 1.25k forks

Repo encryption support! #352

Open werne opened 10 years ago

werne commented 10 years ago

Add support to be able to encrypt the entire Git repo. https://www.agwa.name/projects/git-crypt/

The main reason is that small teams will more often host the GitBucket application on 3rd party servers so this would be really critical.

Since GitBucket also has an H2 DB part, there is also a related issue to it: #68

tnx.

hanxue commented 10 years ago

git-crypt does not actually encrypt the whole git repository; you will have to list individual files or specific filters for it to work:

```
secretfile1 filter=git-crypt diff=git-crypt
secretfile2 filter=git-crypt diff=git-crypt
*.secret filter=git-crypt diff=git-crypt
```

Furthermore, the git-crypt author specifically recommends not encrypting the whole repository:

git-crypt is not designed to encrypt an entire repository. Not only does that defeat the aim of git-crypt, which is the ability to selectively encrypt files and share the repository with less-trusted developers, there are probably better, more efficient ways to encrypt an entire repository, such as by storing it on an encrypted filesystem. Also note that git-crypt is somewhat of an abuse of git's smudge, clean, and textconv features. Junio Hamano, git's maintainer, has said not to do this,

Have you considered creating an encrypted filesystem and storing your git repository there instead?
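The point in the comment above, that git-crypt only covers paths whose `.gitattributes` entry assigns `filter=git-crypt`, can be checked with git itself. This is an added example, not part of the original comment or of git-crypt; the function names and the throwaway repository are constructed for illustration, and git-crypt does not need to be installed.

```shell
#!/bin/sh
# Added example: list tracked paths that git-crypt would leave in plaintext,
# using the "filter" attribute git resolves from .gitattributes.

# unprotected_paths DIR: print every path in DIR's index whose filter
# attribute is not git-crypt, i.e. content stored unencrypted in the repo.
# (Demo-grade: paths with unusual characters would need `ls-files -z`.)
unprotected_paths() {
    git -C "$1" ls-files | while IFS= read -r path; do
        attr=$(git -C "$1" check-attr filter -- "$path")
        case "$attr" in
            *": filter: git-crypt") ;;        # covered by the git-crypt filter
            *) printf '%s\n' "$path" ;;       # stored as plaintext
        esac
    done
}

# make_demo_repo: build a temporary repository (constructed sample data)
# with the three .gitattributes lines quoted above; prints its path.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo"
    cat > "$repo/.gitattributes" <<'EOF'
secretfile1 filter=git-crypt diff=git-crypt
secretfile2 filter=git-crypt diff=git-crypt
*.secret filter=git-crypt diff=git-crypt
EOF
    mkdir -p "$repo/conf"
    for f in secretfile1 secretfile2 conf/db.secret README.md conf/app.yml; do
        echo "sample" > "$repo/$f"
    done
    # An undefined filter driver is a no-op in git, so staging works here.
    git -C "$repo" add -A
    printf '%s\n' "$repo"
}

# Stand-alone run: show what stays in plaintext in the demo repository.
demo=$(make_demo_repo) && unprotected_paths "$demo"
rm -rf "$demo"
```

Everything not matched by a pattern, including `.gitattributes` itself, remains readable to anyone with access to the repository storage, as do file names and commit metadata.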

hrj commented 10 years ago

Filesystem encryption may not be a suitable solution for all types of attacks, especially on a server.

If a server is compromised to allow an attacker to read the filesystem, then an encrypted filesystem that is mounted permanently will be accessible to the attacker (assuming the attacker gets the appropriate file-access permissions).

However, if a server process is encrypting/decrypting in its process-memory, then an attacker has a lower chance of reading the decrypted contents, because reading other processes' memory contents requires super-user privileges.

Hence, I think encrypting the filesystem that contains the git repo is not sufficient by itself. A process-local encryption would give added security.

werne commented 10 years ago

@hanxue git-crypt was just an example. Others:

http://git-annex.branchable.com/tips/fully_encrypted_git_repositories_with_gcrypt/
https://github.com/shadowhand/git-encrypt

The main issue still remains: as long as it's not possible to securely enough protect the content of GitBucket, users won't install it on 3rd party servers.

@hrj GitBucket is running as a process, so it might be the right place.