add section to post

Danny Berger
2013-01-08 15:46:46 -07:00
parent cbab714c48
commit 9c433a762d
2 changed files with 70 additions and 15 deletions


@@ -10,13 +10,13 @@ head ready for me to pull up as needed. It would be much better if that informat
even better, if I could follow similar workflows as the rest of my application code. even better, if I could follow similar workflows as the rest of my application code.
After some research I discovered [gist 873637][2] which discusses using `git`'s clean and smudge [filters][4] to pass After some research I discovered [gist 873637][2] which discusses using `git`'s clean and smudge [filters][4] to pass
files through `openssl` for decryption and encryption. Soon I found the much more useful [`shadowhand/git-encrypt`][3] files through `openssl` for decryption and encryption. The result is `git`'s indexes only containing encrypted file
tool. contents in base64. Soon I found [`shadowhand/git-encrypt`][3].
### Initial Setup ### Initial Setup
First, I installed `gitcrypt` on my machine: First, I did a one-time install of `shadowhand/git-encrypt` on my machine:
{% highlight console %} {% highlight console %}
$ git clone git://github.com/shadowhand/git-encrypt.git /usr/local/git-encrypt $ git clone git://github.com/shadowhand/git-encrypt.git /usr/local/git-encrypt
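Review bot: The install that the reworded sentence introduces still clones over `git://`, which is unauthenticated and unencrypted, so the script that will later handle the repository passphrase is fetched with no check on where it came from; suggest `https://github.com/shadowhand/git-encrypt.git` in the `git clone` line. Separately, the added sentence says `git`'s "indexes" contain only encrypted contents, but the filtered output ends up in the committed blob objects, so "objects" or "repository" would be the more accurate word.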
@@ -24,11 +24,12 @@ $ chmod +x /usr/local/git-encrypt/gitcrypt
$ ln -s /usr/local/git-encrypt/gitcrypt /usr/local/bin/gitcrypt $ ln -s /usr/local/git-encrypt/gitcrypt /usr/local/bin/gitcrypt
{% endhighlight %} {% endhighlight %}
Next, I created a new repo and used `gitcrypt init` with the auto-generated defaults: Next, I created a new repo and use `gitcrypt init` to set things up:
{% highlight console %} {% highlight console %}
$ mkdir fort-knox ; cd !$ $ mkdir fort-knox && cd !$
$ git init $ git init
Initialized empty Git repository in /private/tmp/fort-knox/.git/
$ gitcrypt init $ gitcrypt init
Generate a random salt? [Y/n] Y Generate a random salt? [Y/n] Y
Generate a random password? [Y/n]Y Generate a random password? [Y/n]Y
@@ -40,8 +41,8 @@ salt: 7d9f6cc1512aa2b5
pass: EAC8405A-DD64-43A3-A17F-EB28195B4B1E pass: EAC8405A-DD64-43A3-A17F-EB28195B4B1E
cipher: aes-256-ecb cipher: aes-256-ecb
Does this look right? [Y/n] Does this look right? [Y/n] Y
Do you want to use .git/info/attributes? [Y/n] Do you want to use .git/info/attributes? [Y/n] n
What files do you want encrypted? [*] What files do you want encrypted? [*]
{% endhighlight %} {% endhighlight %}
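Review bot: The transcript now answers `Y` to "Does this look right?" with `cipher: aes-256-ecb` and a fixed salt shown just above, and the post never comments on that choice. With one salt and one passphrase the encryption is deterministic, which is what lets unchanged files produce unchanged blobs, but ECB also encrypts identical 16-byte plaintext blocks to identical ciphertext blocks, so repeated content and unchanged regions between revisions remain visible in the stored data. A sentence stating that trade-off would help readers decide what is safe to keep in such a repository. It would also be worth saying that the `salt` and `pass` printed here are throwaway values, since they are published with the post.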
@@ -52,7 +53,7 @@ that, it's ready for me to use like any other `git` repository.
### A Practical Bit ### A Practical Bit
Since I won't frequently be setting up this repository, it'd probably be best if I could keep a reminder about what I'll Since I won't frequently be setting up this repository, it'd probably be best if I could keep a reminder about what I'll
need to do. So I add a `.gitattributes` file which excludes itself and README from encryption: need to do. So I update `.gitattributes` to exclude itself and `README` from encryption:
{% highlight vim %} {% highlight vim %}
* filter=encrypt diff=encrypt * filter=encrypt diff=encrypt
@@ -63,12 +64,66 @@ README -filter -diff
renormalize=true renormalize=true
{% endhighlight %} {% endhighlight %}
And include the necessary commands and reference in the README: And include the necessary commands and reference in `README`:
{% highlight console %} {% highlight console %}
$ git clone git@github.com:dpb587/fort-knox.git fort-knox ; cd !$ Remember...
$ gitcrypt init # https://github.com/shadowhand/git-encrypt
$ git reset --hard HEAD git clone git@github.com:dpb587/fort-knox.git fort-knox && cd !$
gitcrypt init # https://github.com/shadowhand/git-encrypt
git reset --hard HEAD
{% endhighlight %}
So, my first commit looks like:
{% highlight console %}
$ git add .
$ git commit -m 'initial commit'
[master (root-commit) 1077d71] initial commit
2 files changed, 7 insertions(+)
create mode 100644 .gitattributes
create mode 100644 README
{% endhighlight %}
### Under the Hood
Originally I was a bit curious and wanted to verify that it's doing what I thought. So I created a simple test file:
{% highlight console %}
$ date > top-secret.txt
$ cat top-secret.txt
Mon Jan 7 15:11:22 MST 2013
$ git add top-secret.txt
$ git commit -m 'top secret information'
[master dd2272a] top secret information
1 file changed, 1 insertion(+)
create mode 100644 top-secret.txt
{% endhighlight %}
After committing I can look at the raw index data to see what's actually being stored:
{% highlight console %}
$ git ls-tree HEAD
100644 blob 6a9e000e136a20858f65188f849d0bffed48a685 .gitattributes
100644 blob 2221766ff8694dffa1e11ea5d0e7acd213e22d90 README
100644 blob e847f7c05236ac1111a0f5495da87fec188d5420 top-secret.txt
$ git cat-file -p 2221766ff8694dffa1e11ea5d0e7acd213e22d90
Remember...
git clone git@github.com:dpb587/fort-knox.git fort-knox && cd !$
gitcrypt init # https://github.com/shadowhand/git-encrypt
git reset --hard HEAD
$ git cat-file -p e847f7c05236ac1111a0f5495da87fec188d5420
U2FsdGVkX199n2zBUSqitTy46rTQ8tytPxnYmmdBahPCL5u1SwnPcYcDN+KFNgom
{% endhighlight %}
As expected, `README` is readable, but `top-secret.txt` is not. I can manually verify my secret data is still there by
decoding it with my key:
{% highlight console %}
$ git cat-file -p e847f7c05236ac1111a0f5495da87fec188d5420 | openssl base64 -d -aes-256-ecb -k "EAC8405A-DD64-43A3-A17F-EB28195B4B1E"
Mon Jan 7 15:11:22 MST 2013
{% endhighlight %} {% endhighlight %}
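Review bot: The added verification command passes the passphrase as an argument, `openssl base64 -d -aes-256-ecb -k "EAC8405A-..."`, which leaves it in shell history and exposes it in the process list while the command runs. Suggest showing `-pass env:VARNAME` or `-pass file:PATH` instead, and noting that the value printed is the one generated in the `gitcrypt init` transcript and should not be reused. Two smaller points in the same hunk: "look at the raw index data" describes `git ls-tree HEAD` and `git cat-file -p`, which read the committed tree and blob objects rather than the index; and the `README` block keeps `{% highlight console %}` although its lines no longer start with `$`, so a plain-text block would fit better. The `cd !$` in the README lines has the same history-expansion problem as the `mkdir` line earlier in the post.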
@@ -76,7 +131,7 @@ $ git reset --hard HEAD
With `gitcrypt` I can work with a repository and enjoy extra security on top of the redundancy and version control that With `gitcrypt` I can work with a repository and enjoy extra security on top of the redundancy and version control that
`git` provides. The only difference from my regular repos is I can't really view my files from [github.com][1] (with the `git` provides. The only difference from my regular repos is I can't really view my files from [github.com][1] (with the
convenient exception of the README). convenient exception of `README`).
[1]: https://github.com/ [1]: https://github.com/


@@ -125,7 +125,7 @@ h3 {
border-bottom: #DEDEDE solid 1px; border-bottom: #DEDEDE solid 1px;
color: #393939; color: #393939;
font-size: 17px; font-size: 17px;
margin: 28px -4px 10px; margin: 32px -4px 10px;
padding: 0 4px 2px; padding: 0 4px 2px;
} }
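Review bot: The `h3` margin change from `28px` to `32px` is a site-wide style adjustment that the commit message "add section to post" does not mention, and it affects every page, not just this post. Suggest moving this and the `pre` margin change below into their own commit with a message that describes the spacing change, so the content edit and the layout edit can be reviewed or reverted independently.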
@@ -180,7 +180,7 @@ pre {
font-family: monaco; font-family: monaco;
font-size: 12px; font-size: 12px;
line-height: 17px; line-height: 17px;
margin: 14px -2px; margin: 14px -2px 24px;
overflow: auto; overflow: auto;
padding: 2px 4px; padding: 2px 4px;
} }