Documentation, git large file storage and git-crypt

[brunsgaard]

I have a hard time figuring out how to use git-crypt together with lfs. Is that even possible and would it be possible to write a small howto on the subject.

[aes512]

+2

[webern]

I would also like to know. Can a large file be both encrypted by git-crypt and stored in git lfs?

[nikeee]

+1

[jcpsantiago]

+1

[bb010g]

Opened an issue about making this work without requiring all LFS-tracked files in the repository be encrypted over at git-lfs/git-lfs#4287 .

[Pictor13]

Did anybody ever find a solution to integrate the use of git-crypt and git-lfs ?
Or should one rely purely on LFS's HTTP-authentication, in order to achieve security on the stored files?

In the end TLS and git-crypt probably achieve similar level of encryption; wondering if LFS can be considered as well secure as git-crypt.

[bb010g]

I'm using it right now. It's not ideal (you encrypt all files tracked by Git LFS), but it's in-action over at bb010g/dotfiles. From my readme:

---

git-crypt & Git LFS

A Git LFS extension makes git-crypt work on top of Git LFS. The following should be added to your .git/config:

[diff "cat"]
	textconv = cat
[lfs "extension.git-crypt"]
	clean = git-crypt clean
	smudge = git-crypt smudge
	priority = 0

To filter files with git-crypt from now on, set their filter & diff attributes to filter=lfs diff=git-crypt, and leave their merge attribute unspecified. This is not what Git LFS specifies by default (filter=lfs diff=lfs merge=lfs), but we're dealing with text files here. (Plus, Git LFS doesn't even ship a diff driver or a merge driver. Whee.) Ideally, extensions would be controllable with gitattributes(5), but this is not currently implemented. The issue gitattributes(5) should control paths' desired Git LFS extensions has been opened about this.

The cat diff driver isn't essential, but it makes text diffs on LFS tracked text files work (diff=cat).

---

Ideally, this would look like a .lfsconfig containing:

[lfs]
	extensions = 

git-crypt shipping system-wide config of:

[lfs "extension.git-crypt"]
	clean = git-crypt clean
	smudge = git-crypt smudge
	priority = 0
[lfs "extension.git-crypt.diff"]
	textconv = git-crypt diff

And paths with attributes of filter=lfs diff=lfs merge=lfs lfs-extensions=git-crypt, where Git LFS would provide diff & merge drivers that invoked registered extensions in a path's priority-sorted LFS extension stack. With a bit of CLI changes, this could be git lfs track -x git-crypt [<pattern>...] to start using git-crypt on paths.

[Pictor13]

Oh, I asked just in time!
Thanks for all the info and for the link to your recent LFS's issue (filled with even more info ^^).

I'm gonna test your suggestions, even if having to use .git/config is probably a no-go for now, since I need the config to be stored in the repo and work automatically for who's cloning; in particular, it also might be annoying during CI.

I subscribed to follow updates; I read that you might want to attempt the implementation. It would be great to try, if you'll manage to produce something :)

[theoryshaw]

+1 following