{"id":26455133,"url":"https://github.com/generouslabs/git-remote-encrypted","last_synced_at":"2025-03-18T20:30:13.242Z","repository":{"id":54676134,"uuid":"302400196","full_name":"GenerousLabs/git-remote-encrypted","owner":"GenerousLabs","description":null,"archived":false,"fork":false,"pushed_at":"2021-02-08T11:42:48.000Z","size":1887,"stargazers_count":7,"open_issues_count":6,"forks_count":2,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-04-28T16:21:58.537Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GenerousLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-08T16:29:12.000Z","updated_at":"2023-11-23T10:47:56.000Z","dependencies_parsed_at":"2022-08-13T23:40:28.559Z","dependency_job_id":null,"html_url":"https://github.com/GenerousLabs/git-remote-encrypted","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GenerousLabs%2Fgit-remote-encrypted","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GenerousLabs%2Fgit-remote-encrypted/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GenerousLabs%2Fgit-remote-encrypted/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GenerousLabs%2Fgit-remote-encrypted/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GenerousLabs","download_url":"https://codeload.github.com/GenerousLabs/git-remote-encrypted/tar.gz/refs/heads/mast
er","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244301041,"owners_count":20430856,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-18T20:30:12.429Z","updated_at":"2025-03-18T20:30:13.208Z","avatar_url":"https://github.com/GenerousLabs.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# git-remote-encrypted\n\nThis is a monorepo containing several packages which together create an\nencrypted git remote strategy called `git-remote-encrypted`.\n\n**WARNING**: This is very early stage code. It contains bugs, the encryption\nsetup is weak, do not use it for anything which requires high security.\n\n## Architecture\n\nInspired by\n[git-remote-gcrypt](https://spwhitton.name/tech/code/git-remote-gcrypt/)\ngit-remote-encrypted builds a second, encrypted, repository from the first,\nplain text, repository. We'll call these two repositories `source` and\n`encrypted`. On `git push`, every [git\nobject](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) is encrypted\nand then added to the `encrypted` repo. After all the objects have been added,\nthe `encrypted` repo is then pushed to the designated remote. 
On `git pull` or\n`git fetch`, the `encrypted` repo is pulled, and then any new objects are\ndecrypted and copied into `source`.\n\nThe encryption is deterministic, so if the same git object is encrypted on\ntwo machines, with the same encryption keys, it will produce the same\nencrypted value.\n\nThe file layout is as follows:\n\n- `source/`\n- `source/.git`\n- `source/.git/encrypted` - The `encrypted` repo\n- `source/.git/encrypted-keys/` - The keys used to encrypt / decrypt\n\n## Packages\n\nThis repo contains several packages:\n\n- `git-remote-encrypted` - The git remote helper, this is probably where you\n  want to start if you want to experiment with this code.\n- `isomorphic-git-remote-encrypted` - An extension to\n  [isomorphic-git](https://isomorphic-git.org/) which adds support for\n  encrypted remotes\n- `git-encrypted` - The core encryption / decryption logic\n- `git-remote-helper` - A generic helper to simplify creating git remote\n  helpers\n\n## Development\n\nTo run this code locally, you need to build the `git-remote-helper` and `git-encrypted` packages first. It seems like with yarn v1 there is no way to specify the build order. Bottom line, this should get you running:\n\n- `yarn` - Install the dependencies for all packages\n- `yarn workspace git-remote-helper build` - Build the git-remote-helper package\n- `yarn workspace git-encrypted build` - Build the git-encrypted package\n- `yarn workspaces run build` - Build all packages\n\nNOTE: Linting is currently broken in the `git-encrypted` package. It seems to\nbe related to [this issue](https://github.com/formium/tsdx/issues/926) with\ntsdx. 
Until this is resolved, please try to ensure your commits are linted\nvia your editor (which hopefully works, at least in VSCode).\n\n## Terminology\n\n- `source` - The cleartext repository\n- `encrypted` - The repository that contains the encrypted version of the\n  objects from `source`\n- `encryptedRemote` - The remote repository that `encrypted` is pulled from and\n  pushed to\n\n## Encryption Scheme\n\n- Symmetric encryption\n- One key to encrypt objects\n- One key to encrypt filenames\n- The object ID is combined with a salt and hashed to produce an encryption\n  nonce\n  - Unclear if this is safe or not. Perhaps a more elaborate password\n    derivation scheme is required.\n  - UPDATE: It [seems](https://github.com/dchest/tweetnacl-js/issues/207)\n    that this approach is secure.\n- The nonce and object key are used to encrypt the object body\n- The same nonce is used to encrypt the filename\n- The nonce and encrypted body are combined\n  - This is saved into a file with the encrypted filename\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgenerouslabs%2Fgit-remote-encrypted","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgenerouslabs%2Fgit-remote-encrypted","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgenerouslabs%2Fgit-remote-encrypted/lists"}