Encryption of important files in Git
Suppose we store data on some remote server in the Bare-repository.
If there are doubts about the honesty of the server staff, or we fear that someone will support our project, you can encrypt selected secret files that represent the company's most secret technologies and thus make it difficult to clone the project.
I will not discuss the reconciliation of the method described below with the policy and licensing agreement of free Git repositories (a la GitHub) - this is a matter of particulars and your conscience.
In the implementation, we use .gitattributes, staging, filters (filters) and chapter 7.2 of Pro Git Book.
')
This is how we will do it.
There are two important states for us:
State A.
State B.
State A - when you made a sample (git checkout) and work with your working copy - at this moment the files should be decrypted and in readable state. This phase is controlled by the stage filter.
State B - when changes to your working copy are prepared to be sent to the repository (git add) - at this point the files should be encrypted before being sent to the repository. This phase is controlled by the clean filter.
Usually the stage & clean phases are used for something more peaceful, for example, formatting (indent) of source codes according to your tastes and combing them under the standards accepted by the organization when sending back.
Before sending to the repository (local or remote) and to obtain readable secret project files, it is necessary to prepare on the developer's machine.
Add a description of the filters in ~ / .gitconfig:
In our home directory we have two scripts.
Replace SecurePassword with your password. Choose to your taste the encryption method available in your OpenSSL build library. We used rc5.
~ / git_encode.pl:
~ / git_decode.pl:
Install the execution right (on the command line) for these scripts:
In the working directory we connect the protection to the required files.
.gitattributes:
Now, when sent to the repository, the selected files will pass through the encryptor, and when retrieved through the decrypter.
So that Git doesn’t think every time that the files have changed, make sure that the crypter doesn’t "salted" (salted) files (use the -nosalt option).
If there are doubts about the honesty of the server staff, or we fear that someone will support our project, you can encrypt selected secret files that represent the company's most secret technologies and thus make it difficult to clone the project.
I will not discuss the reconciliation of the method described below with the policy and licensing agreement of free Git repositories (a la GitHub) - this is a matter of particulars and your conscience.
In the implementation, we use .gitattributes, staging, filters (filters) and chapter 7.2 of Pro Git Book.
')
This is how we will do it.
There are two important states for us:
State A.
State B.
State A - when you made a sample (git checkout) and work with your working copy - at this moment the files should be decrypted and in readable state. This phase is controlled by the stage filter.
State B - when changes to your working copy are prepared to be sent to the repository (git add) - at this point the files should be encrypted before being sent to the repository. This phase is controlled by the clean filter.
Usually the stage & clean phases are used for something more peaceful, for example, formatting (indent) of source codes according to your tastes and combing them under the standards accepted by the organization when sending back.
Before sending to the repository (local or remote) and to obtain readable secret project files, it is necessary to prepare on the developer's machine.
Add a description of the filters in ~ / .gitconfig:
[filter "private"]
clean = ~/git_encode.pl
smudge = ~/git_decode.plIn our home directory we have two scripts.
Replace SecurePassword with your password. Choose to your taste the encryption method available in your OpenSSL build library. We used rc5.
~ / git_encode.pl:
#!/usr/bin/env perl
use strict;
undef $/;
my $data = <STDIN>;
my $tmp = "/tmp/git.encode.$$." . rand() . ".tmp";
local * O;
open(O,">$tmp");
print O $data;
close(O);
print `openssl enc -rc5 -k SecurePassword -nosalt < $tmp`;
unlink($tmp);~ / git_decode.pl:
#!/usr/bin/env perl
use strict;
undef $/;
my $data = <STDIN>;
my $tmp = "/tmp/git.decode.$$." . rand() . ".tmp";
local * O;
open(O,">$tmp");
print O $data;
close(O);
print `openssl enc -d -rc5 -k SecurePassword -nosalt < $tmp`;
unlink($tmp);Install the execution right (on the command line) for these scripts:
chmod +x ~/git_encode.pl ~/git_decode.plIn the working directory we connect the protection to the required files.
.gitattributes:
*.m filter=private
*.h filter=private
*.c filter=private
*.cpp filter=privateNow, when sent to the repository, the selected files will pass through the encryptor, and when retrieved through the decrypter.
So that Git doesn’t think every time that the files have changed, make sure that the crypter doesn’t "salted" (salted) files (use the -nosalt option).
Source: https://habr.com/ru/post/95481/
All Articles