* can Git encrypt/decrypt .gpg on push/fetch?
From: Ted Zlatanov @ 2011-09-09 10:22 UTC (permalink / raw)
  To: git

I need to store some encrypted files in Git but for some clients with
the right GPG keys, decrypt them on checkout (possibly also encrypt them
back on commit, but that's not as important).  

diff doesn't have to work, this is just for convenience.  Can Git do
this (matching only .gpg files) or do I need my own command to run after
the checkout/fetch and before commit?  It seems pretty out of Git's
scope but perhaps others have done this before.

Thanks
Ted


* Re: can Git encrypt/decrypt .gpg on push/fetch?
From: Aneesh Bhasin @ 2011-09-09 10:50 UTC (permalink / raw)
  To: tzz; +Cc: git

Hi Ted,


2011/9/9 Ted Zlatanov <tzz@lifelogs.com>
>
> I need to store some encrypted files in Git but for some clients with
> the right GPG keys, decrypt them on checkout (possibly also encrypt them
> back on commit, but that's not as important).
>
> diff doesn't have to work, this is just for convenience.  Can Git do
> this (matching only .gpg files) or do I need my own command to run after
> the checkout/fetch and before commit?  It seems pretty out of Git's
> scope but perhaps others have done this before.
>

Have you looked at git hooks (e.g. here : http://progit.org/book/ch7-3.html).

You could do the encryption/decryption in pre-commit and post-checkout
hook scripts respectively...

regards,
Aneesh


* Re: can Git encrypt/decrypt .gpg on push/fetch?
From: Ted Zlatanov @ 2011-09-09 13:27 UTC (permalink / raw)
  To: git

On Fri, 9 Sep 2011 16:20:10 +0530 Aneesh Bhasin <contact.aneesh@gmail.com> wrote: 

AB> 2011/9/9 Ted Zlatanov <tzz@lifelogs.com>
>> 
>> I need to store some encrypted files in Git but for some clients with
>> the right GPG keys, decrypt them on checkout (possibly also encrypt them
>> back on commit, but that's not as important).
>> 
>> diff doesn't have to work, this is just for convenience.  Can Git do
>> this (matching only .gpg files) or do I need my own command to run after
>> the checkout/fetch and before commit?  It seems pretty out of Git's
>> scope but perhaps others have done this before.
>> 

AB> Have you looked at git hooks (e.g. here : http://progit.org/book/ch7-3.html).

AB> You could do the encryption/decryption in pre-commit and post-checkout
AB> hooks scripts respectively...

Yes, thank you.  I was wondering if there could be further support so
they are checked out in a binary form on the server side if you don't
have the keys but in text form if you do.  So for instance "git log -p"
will DTRT on a client with the keys but not on a client without them.
This could require deep Git changes so I'm wondering if it's even
theoretically possible.

Thanks
Ted


* Re: can Git encrypt/decrypt .gpg on push/fetch?
From: Michael J Gruber @ 2011-09-09 13:36 UTC (permalink / raw)
  To: Aneesh Bhasin; +Cc: tzz, git

Aneesh Bhasin venit, vidit, dixit 09.09.2011 12:50:
> Hi Ted,
> 
> 
> 2011/9/9 Ted Zlatanov <tzz@lifelogs.com>
>>
>> I need to store some encrypted files in Git but for some clients with
>> the right GPG keys, decrypt them on checkout (possibly also encrypt them
>> back on commit, but that's not as important).
>>
>> diff doesn't have to work, this is just for convenience.  Can Git do
>> this (matching only .gpg files) or do I need my own command to run after
>> the checkout/fetch and before commit?  It seems pretty out of Git's
>> scope but perhaps others have done this before.
>>
> 
> Have you looked at git hooks (e.g. here : http://progit.org/book/ch7-3.html).
> 
> You could do the encryption/decryption in pre-commit and post-checkout
> hooks scripts respectively...

I'd recommend textconv for diffing and clean/smudge for plaintext
checkout. That is, there are two convenient versions:

A) Keep blobs and checkout encrypted
- Use an editor which can encrypt/decrypt on the fly (e.g. vim)
- Use "*.gpg diff=gpg" in your attributes and
[diff "gpg"]
        textconv = gpg -d
  in your config to have cleartext diffs. Use cachetextconv with caution ;)

B) Keep blobs encrypted, checkout decrypted
- Use "*.gpg filter=gpg" in your attributes and
[filter "gpg"]
	smudge = gpg -d
	clean = gpg -e -r yourgpgkey
  in your config.

I use A on a regular basis. B is untested (but patterned after a similar
gzip filter I use). You may or may not have better results with "gpg -ea".

On clients without the keys, you can simply leave out the diff or filter
config resp. set them to "cat".

Michael


* Re: can Git encrypt/decrypt .gpg on push/fetch?
From: Ted Zlatanov @ 2011-09-09 13:52 UTC (permalink / raw)
  To: Michael J Gruber; +Cc: Aneesh Bhasin, git

On Fri, 09 Sep 2011 15:36:29 +0200 Michael J Gruber <git@drmicha.warpmail.net> wrote: 

MJG> Aneesh Bhasin venit, vidit, dixit 09.09.2011 12:50:
>> Hi Ted,
>> 
>> 
>> 2011/9/9 Ted Zlatanov <tzz@lifelogs.com>
>>> 
>>> I need to store some encrypted files in Git but for some clients with
>>> the right GPG keys, decrypt them on checkout (possibly also encrypt them
>>> back on commit, but that's not as important).
>>> 
>>> diff doesn't have to work, this is just for convenience.  Can Git do
>>> this (matching only .gpg files) or do I need my own command to run after
>>> the checkout/fetch and before commit?  It seems pretty out of Git's
>>> scope but perhaps others have done this before.
>>> 
>> 
>> Have you looked at git hooks (e.g. here : http://progit.org/book/ch7-3.html).
>> 
>> You could do the encryption/decryption in pre-commit and post-checkout
>> hooks scripts respectively...

MJG> I'd recommend textconv for diffing and clean/smudge for plaintext
MJG> checkout. That is, there are two convenient versions:

MJG> A) Keep blobs and checkout encrypted
MJG> - Use an editor which can encrypt/decrypt on the fly (e.g. vim)
MJG> - Use "*.gpg diff=gpg" in your attributes and
MJG> [diff "gpg"]
MJG>         textconv = gpg -d
MJG>   in your config to have cleartext diffs. Use cachetextconv with caution ;)

MJG> B) Keep blobs encrypted, checkout decrypted
MJG> - Use "*.gpg filter=gpg" in your attributes and
MJG> [filter "gpg"]
MJG> 	smudge = gpg -d
MJG> 	clean = gpg -e -r yourgpgkey
MJG>   in your config.

MJG> I use A on a regular basis. B is untested (but patterned after a similar
MJG> gzip filter I use). You may or may not have better results with "gpg -ea".

MJG> On clients without the keys, you can simply leave out the diff or filter
MJG> config resp. set them to "cat".

That's really helpful, thank you Aneesh and Michael.  Exactly what I was
hoping to achieve.

Ted


* Re: can Git encrypt/decrypt .gpg on push/fetch?
From: Jeff King @ 2011-09-09 18:42 UTC (permalink / raw)
  To: Michael J Gruber; +Cc: Aneesh Bhasin, tzz, git

On Fri, Sep 09, 2011 at 03:36:29PM +0200, Michael J Gruber wrote:

> A) Keep blobs and checkout encrypted
> - Use an editor which can encrypt/decrypt on the fly (e.g. vim)
> - Use "*.gpg diff=gpg" in your attributes and
> [diff "gpg"]
>         textconv = gpg -d
>   in your config to have cleartext diffs. Use cachetextconv with caution ;)

I use something like this for my password store, though I use:

  textconv = gpg -qd --no-tty

to keep things as clean as possible. Running gpg-agent is a must, of
course.

The wallet itself is just a gpg-encrypted YAML file, with a few scripts
to grep within the hierarchy. I'm happy to share the code if anybody is
interested. I've also written firefox hooks to fill website form fields,
but that code is a little gross.

> B) Keep blobs encrypted, checkout decrypted
> - Use "*.gpg filter=gpg" in your attributes and
> [filter "gpg"]
> 	smudge = gpg -d
> 	clean = gpg -e -r yourgpgkey
>   in your config.
> 
> I use A on a regular basis. B is untested (but patterned after a similar
> gzip filter I use). You may or may not have better results with "gpg -ea".

Yeah, I think that would work but have never tried it either.

-Peff


* Re: can Git encrypt/decrypt .gpg on push/fetch?
From: Junio C Hamano @ 2011-09-09 19:05 UTC (permalink / raw)
  To: Jeff King; +Cc: Michael J Gruber, Aneesh Bhasin, tzz, git

Jeff King <peff@peff.net> writes:

>> B) Keep blobs encrypted, checkout decrypted
>> - Use "*.gpg filter=gpg" in your attributes and
>> [filter "gpg"]
>> 	smudge = gpg -d
>> 	clean = gpg -e -r yourgpgkey
>>   in your config.
>> 
>> I use A on a regular basis. B is untested (but patterned after a similar
>> gzip filter I use). You may or may not have better results with "gpg -ea".
>
> Yeah, I think that would work but have never tried it either.

Unless "gpg -e" encrypts the same cleartext into the same cyphertext every
time, the above "clean" filter probably wouldn't be very useful.


* Re: can Git encrypt/decrypt .gpg on push/fetch?
From: Michael J Gruber @ 2011-09-09 19:12 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, Aneesh Bhasin, tzz, git

Junio C Hamano venit, vidit, dixit 09.09.2011 21:05:
> Jeff King <peff@peff.net> writes:
> 
>>> B) Keep blobs encrypted, checkout decrypted
>>> - Use "*.gpg filter=gpg" in your attributes and
>>> [filter "gpg"]
>>> 	smudge = gpg -d
>>> 	clean = gpg -e -r yourgpgkey
>>>   in your config.
>>>
>>> I use A on a regular basis. B is untested (but patterned after a similar
>>> gzip filter I use). You may or may not have better results with "gpg -ea".
>>
>> Yeah, I think that would work but have never tried it either.
> 
> Unless "gpg -e" encrypts the same cleartext into the same cyphertext every
> time, the above "clean" filter probably wouldn't be very useful.
> 

Uh, right, this would only make sense with specific versions of debian's
openssl then. Only that gpg does not use that ;)

I'm not sure whether "gpg --symmetric" has the same issue, but version
A) seemed better before that already.

Michael


* Re: can Git encrypt/decrypt .gpg on push/fetch?
From: Jeff King @ 2011-09-09 19:16 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Michael J Gruber, Aneesh Bhasin, tzz, git

On Fri, Sep 09, 2011 at 12:05:00PM -0700, Junio C Hamano wrote:

> Jeff King <peff@peff.net> writes:
> 
> >> B) Keep blobs encrypted, checkout decrypted
> >> - Use "*.gpg filter=gpg" in your attributes and
> >> [filter "gpg"]
> >> 	smudge = gpg -d
> >> 	clean = gpg -e -r yourgpgkey
> >>   in your config.
> >> 
> >> I use A on a regular basis. B is untested (but patterned after a similar
> >> gzip filter I use). You may or may not have better results with "gpg -ea".
> >
> > Yeah, I think that would work but have never tried it either.
> 
> Unless "gpg -e" encrypts the same cleartext into the same cyphertext every
> time, the above "clean" filter probably wouldn't be very useful.

Ah, right, I remember now running into that at some point. You could get
around that by using a symmetric cipher in block mode, or with a
non-random IV, but then you're opening yourself up to some cryptanalytic
attacks.

-Peff
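Editor's note: the following is an added example, not code from the thread or from Git or GnuPG. It models, in miniature, the clean/smudge round trip of Michael's option B and shows the two objections raised above: Junio's, that a `clean` filter whose output changes on every run (as `gpg -e` does, because it picks a fresh session key) can never match the blob recorded in the index, and Jeff's, that making the output deterministic by fixing the IV lets anyone holding the repository see when two files or two revisions contain the same plaintext. The `Repo` class is a simplified stand-in for Git's index, the hash-derived keystream is a teaching toy standing in for gpg (not a usable cipher), and `KEY` and the file content are constructed sample values.

```python
# Added example, not from the thread: toy model of a Git clean/smudge
# filter pair to show why a randomised "clean" (gpg -e) keeps a file
# permanently "modified", and what a deterministic one leaks instead.
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"   # stand-in for the recipient's gpg key
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Expand key+nonce into n bytes (SHA-256 in counter mode; toy only)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(plaintext: bytes, nonce: bytes) -> bytes:
    """nonce || (plaintext XOR keystream); the nonce travels in the blob."""
    ks = _keystream(KEY, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(KEY, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def clean_random(plaintext: bytes) -> bytes:
    """Like `clean = gpg -e`: fresh randomness on every invocation."""
    return encrypt(plaintext, os.urandom(NONCE_LEN))


def clean_deterministic(plaintext: bytes) -> bytes:
    """Nonce derived from the plaintext: the 'non-random IV' Jeff mentions."""
    nonce = hmac.new(KEY, plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    return encrypt(plaintext, nonce)


smudge = decrypt   # `smudge = gpg -d`


def blob_id(data: bytes) -> str:
    """Git's object id for a blob: sha1("blob <len>\\0" + data)."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


class Repo:
    """Just enough of Git: the index records blob_id(clean(worktree file)),
    and a file counts as modified when re-cleaning it yields another id."""

    def __init__(self, clean):
        self.clean = clean
        self.index = {}
        self.worktree = {}

    def add(self, path: str, content: bytes) -> None:
        """`git add`: run the clean filter and record the resulting blob."""
        self.worktree[path] = content
        self.index[path] = blob_id(self.clean(content))

    def checkout(self, path: str, blob: bytes) -> None:
        """`git checkout`: record the blob, smudge it into the worktree."""
        self.index[path] = blob_id(blob)
        self.worktree[path] = smudge(blob)

    def is_modified(self, path: str) -> bool:
        return blob_id(self.clean(self.worktree[path])) != self.index[path]


def demo() -> dict:
    secret = b"db_password: hunter2\n"   # constructed sample content

    randomised = Repo(clean_random)
    randomised.add("creds.gpg", secret)            # commit path

    deterministic = Repo(clean_deterministic)
    deterministic.checkout("creds.gpg", clean_deterministic(secret))  # clone path

    return {
        # Junio: with gpg-style randomness the file never matches its blob
        "random_clean_always_dirty": randomised.is_modified("creds.gpg"),
        # a deterministic clean keeps an untouched checkout clean
        "deterministic_clean_stable": not deterministic.is_modified("creds.gpg"),
        # Jeff: determinism reveals that two blobs hold the same plaintext
        "equal_plaintexts_visible": clean_deterministic(secret) == clean_deterministic(secret),
        "random_hides_equality": clean_random(secret) != clean_random(secret),
        "roundtrip_ok": smudge(clean_random(secret)) == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real Git consults the cached stat data before re-running a clean filter, so the spurious difference from a randomised `clean` surfaces once the file's stat information changes (a touch, a fresh clone on another machine) rather than necessarily on every `git status`; the outcome is the same, the blob can never be reproduced from the worktree. The deterministic variant is only shown to make the trade-off concrete: it restores a usable index at the price of the equality leak the last two messages describe.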

