From 9c433a762db1b20214385a30c0b3b088b7eb4370 Mon Sep 17 00:00:00 2001 From: Danny Berger Date: Tue, 8 Jan 2013 15:46:46 -0700 Subject: [PATCH] add section to post --- .../2013-01-07-secure-git-repositories.md | 81 ++++++++++++++++--- include/site/screen.css | 4 +- 2 files changed, 70 insertions(+), 15 deletions(-) diff --git a/blog/_posts/2013-01-07-secure-git-repositories.md b/blog/_posts/2013-01-07-secure-git-repositories.md index 3ae5795..94a6077 100644 --- a/blog/_posts/2013-01-07-secure-git-repositories.md +++ b/blog/_posts/2013-01-07-secure-git-repositories.md @@ -10,13 +10,13 @@ head ready for me to pull up as needed. It would be much better if that informat even better, if I could follow similar workflows as the rest of my application code. After some research I discovered [gist 873637][2] which discusses using `git`'s clean and smudge [filters][4] to pass -files through `openssl` for decryption and encryption. Soon I found the much more useful [`shadowhand/git-encrypt`][3] -tool. +files through `openssl` for decryption and encryption. The result is `git`'s indexes only containing encrypted file +contents in base64. Soon I found [`shadowhand/git-encrypt`][3]. ### Initial Setup -First, I installed `gitcrypt` on my machine: +First, I did a one-time install of `shadowhand/git-encrypt` on my machine: {% highlight console %} $ git clone git://github.com/shadowhand/git-encrypt.git /usr/local/git-encrypt @@ -24,11 +24,12 @@ $ chmod +x /usr/local/git-encrypt/gitcrypt $ ln -s /usr/local/git-encrypt/gitcrypt /usr/local/bin/gitcrypt {% endhighlight %} -Next, I created a new repo and used `gitcrypt init` with the auto-generated defaults: +Next, I created a new repo and use `gitcrypt init` to set things up: {% highlight console %} -$ mkdir fort-knox ; cd !$ +$ mkdir fort-knox && cd !$ $ git init +Initialized empty Git repository in /private/tmp/fort-knox/.git/ $ gitcrypt init Generate a random salt? [Y/n] Y Generate a random password? [Y/n]Y 
@@ -40,8 +41,8 @@ salt: 7d9f6cc1512aa2b5 pass: EAC8405A-DD64-43A3-A17F-EB28195B4B1E cipher: aes-256-ecb -Does this look right? [Y/n] -Do you want to use .git/info/attributes? [Y/n] +Does this look right? [Y/n] Y +Do you want to use .git/info/attributes? [Y/n] n What files do you want encrypted? [*] {% endhighlight %} @@ -52,7 +53,7 @@ that, it's ready for me to use like any other `git` repository. ### A Practical Bit Since I won't frequently be setting up this repository, it'd probably be best if I could keep a reminder about what I'll -need to do. So I add a `.gitattributes` file which excludes itself and README from encryption: +need to do. So I update `.gitattributes` to exclude itself and `README` from encryption: {% highlight vim %} * filter=encrypt diff=encrypt 
@@ -63,12 +64,66 @@ README -filter -diff renormalize=true {% endhighlight %} -And include the necessary commands and reference in the README: +And include the necessary commands and reference in `README`: {% highlight console %} -$ git clone git@github.com:dpb587/fort-knox.git fort-knox ; cd !$ -$ gitcrypt init # https://github.com/shadowhand/git-encrypt -$ git reset --hard HEAD +Remember... + + git clone git@github.com:dpb587/fort-knox.git fort-knox && cd !$ + gitcrypt init # https://github.com/shadowhand/git-encrypt + git reset --hard HEAD +{% endhighlight %} + +So, my first commit looks like: + +{% highlight console %} +$ git add . +$ git commit -m 'initial commit' +[master (root-commit) 1077d71] initial commit + 2 files changed, 7 insertions(+) + create mode 100644 .gitattributes + create mode 100644 README +{% endhighlight %} + + +### Under the Hood + +Originally I was a bit curious and wanted to verify that it's doing what I thought. So I created a simple test file: + +{% highlight console %} +$ date > top-secret.txt +$ cat top-secret.txt +Mon Jan 7 15:11:22 MST 2013 +$ git add top-secret.txt +$ git commit -m 'top secret information' +[master dd2272a] top secret information + 1 file changed, 1 insertion(+) + create mode 100644 top-secret.txt +{% endhighlight %} + +After committing I can look at the raw index data to see what's actually being stored: + +{% highlight console %} +$ git ls-tree HEAD +100644 blob 6a9e000e136a20858f65188f849d0bffed48a685 .gitattributes +100644 blob 2221766ff8694dffa1e11ea5d0e7acd213e22d90 README +100644 blob e847f7c05236ac1111a0f5495da87fec188d5420 top-secret.txt +$ git cat-file -p 2221766ff8694dffa1e11ea5d0e7acd213e22d90 +Remember... 
+ + git clone git@github.com:dpb587/fort-knox.git fort-knox && cd !$ + gitcrypt init # https://github.com/shadowhand/git-encrypt + git reset --hard HEAD +$ git cat-file -p e847f7c05236ac1111a0f5495da87fec188d5420 +U2FsdGVkX199n2zBUSqitTy46rTQ8tytPxnYmmdBahPCL5u1SwnPcYcDN+KFNgom +{% endhighlight %} + +As expected, `README` is readable, but `top-secret.txt` is not. I can manually verify my secret data is still there by +decoding it with my key: + +{% highlight console %} +$ git cat-file -p e847f7c05236ac1111a0f5495da87fec188d5420 | openssl base64 -d -aes-256-ecb -k "EAC8405A-DD64-43A3-A17F-EB28195B4B1E" +Mon Jan 7 15:11:22 MST 2013 {% endhighlight %} @@ -76,7 +131,7 @@ $ git reset --hard HEAD With `gitcrypt` I can work with a repository and enjoy extra security on top of the redundancy and version control that `git` provides. The only difference from my regular repos is I can't really view my files from [github.com][1] (with the -convenient exception of the README). +convenient exception of `README`). [1]: https://github.com/ diff --git a/include/site/screen.css b/include/site/screen.css index ba05f20..97ad6e8 100644 --- a/include/site/screen.css +++ b/include/site/screen.css @@ -125,7 +125,7 @@ h3 { border-bottom: #DEDEDE solid 1px; color: #393939; font-size: 17px; - margin: 28px -4px 10px; + margin: 32px -4px 10px; padding: 0 4px 2px; } @@ -180,7 +180,7 @@ pre { font-family: monaco; font-size: 12px; line-height: 17px; - margin: 14px -2px; + margin: 14px -2px 24px; overflow: auto; padding: 2px 4px; }
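Review bot: in the hunk at `@@ -10,13 +10,13 @@` the added sentence `The result is `git`'s indexes only containing encrypted file contents in base64` names the wrong store. The clean filter's output is what gets written as blob objects, which is exactly what the later `git ls-tree HEAD` / `git cat-file -p` output in this patch is reading from the object database; the index only references those blobs, and the working tree stays plaintext. Suggest something like `The result is that every blob git stores (and pushes) holds only base64-encoded ciphertext, while the working copy stays in plaintext.`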
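Review bot: in the hunk at `@@ -24,11 +24,12 @@` the rewritten line `Next, I created a new repo and use `gitcrypt init` to set things up:` mixes past and present tense; the rest of the walkthrough is past tense, so `used` reads better here.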
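Review bot: in the hunk at `@@ -40,8 +41,8 @@` the filled-in answers (`Y`, then `n` for `.git/info/attributes`) now agree with the `.gitattributes` approach taken later, but the unchanged context line `cipher: aes-256-ecb` still goes unremarked. With the fixed `salt:` accepted just above, ECB is fully deterministic: the same plaintext always yields the same ciphertext, and equal 16-byte blocks within a file yield equal ciphertext blocks, so anyone who can read the remote can see repeated structure inside a file and can tell when a file is reverted to an earlier version. Determinism is what keeps `git status` clean, so it is a deliberate trade-off, but the post should state it rather than let readers assume the repository contents are opaque. Separately, the `salt:` and `pass:` values are printed verbatim and the same password is reused in the `openssl` command later in this patch; unless they belong to a throwaway scratch repo, redact them before publishing.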
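Review bot: in the hunk at `@@ -63,12 +64,66 @@` the new `README` reminder runs `gitcrypt init` followed by `git reset --hard HEAD` on a fresh clone, but `gitcrypt init` (as the earlier transcript shows) offers to generate a random salt and password; on a re-clone both prompts must be answered `n` and the original salt, password and cipher entered, otherwise the reset smudges every file with the wrong key. Suggest adding that to the reminder, e.g. `gitcrypt init  # answer n/n and re-enter the original salt, password and cipher`. Two smaller points in the same hunk: the verification line `openssl base64 -d -aes-256-ecb -k "EAC8405A-..."` puts the password on the command line, where it lands in shell history and is visible in the process list, so `-pass env:GITCRYPT_PASS` or `-pass file:...` is the safer form for a published how-to; and the two consecutive blank `+` lines before `### Under the Hood` differ from the single blank line used before every other heading.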
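Review bot: the hunk at `@@ -125,7 +125,7 @@` in `include/site/screen.css` is unrelated to the commit subject `add section to post`; the `h3` margin change (and the `pre` change below it) would be easier to review and revert as a separate commit, or the message should at least mention the stylesheet tweak.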
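Review bot: in the hunk at `@@ -180,7 +180,7 @@` the new `margin: 14px -2px 24px;` on `pre` combines with the `32px` top margin on `h3` from the previous hunk, but adjacent sibling block margins collapse, so a code block followed by a heading gets a 32px gap, not 56px. If the intent was only to space a `pre` from following paragraphs, this is fine; if a larger gap before headings was wanted, use padding on one of the elements instead.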