
Work-In-Progress: Add support for `git-crypt`

`git-crypt` is a tool which can encrypt data within a Git repository.

https://github.com/AGWA/git-crypt

Notes:
  * All `git-crypt` commands can be passed through `yadm`
  * `init` and `status` must be prefaced with `crypt-` because those
    commands are already used by `yadm`.
  * Any FILE specified by the `unlock` command should be fully
    qualified. This is because, under the hood, `git-crypt` must be
    executed from the git WORK TREE, so a relative path is resolved
    from there rather than from the caller's current directory.
  * Care should be taken to add any `.gitattributes` files to the `yadm`
    repository.
  * `git-crypt status` seems to be very slow if the working tree has
    many files (as most `$HOME` directories do).

Not Done:
  * `yadm` should restrict the permissions for any files which are
    encrypted with `git-crypt`. Right now I think the only possible way
    is to run `git-crypt status -e` to determine which files need this
    treatment, but `git-crypt status` runs very slowly when the work
    tree has lots of files.
TheLocehiliosan committed Feb 14, 2016
1 parent 431f149 commit efb7fd16612fe650b1286f0c696696f412772ab3
Showing with 40 additions and 1 deletion.
  1. +40 −1 yadm
41 yadm
@@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

VERSION=1.03
VERSION=1.03.01-beta

YADM_WORK="$HOME"
YADM_DIR="$HOME/.yadm"
@@ -40,6 +40,7 @@ function main() {

#; parse command line arguments
internal_commands="^(alt|clean|clone|config|decrypt|encrypt|help|init|list|perms|version)$"
crypt_commands="^(add-gpg-user|crypt-init|crypt-status|export-key|lock|unlock)$"
if [ -z "$*" ] ; then
#; no argumnts will result in help()
help
@@ -83,6 +84,8 @@ function main() {
done
[ ! -d $YADM_WORK ] && error_out "Work tree does not exist: [$YADM_WORK]"
$YADM_COMMAND "$YADM_ARGS"
elif [[ "$1" =~ $crypt_commands ]] ; then
crypt_command "$@"
else
#; any other commands are simply passed through to git
git_command "$@"
@@ -253,6 +256,36 @@ function encrypt() {

}

function crypt_command() {

require_crypt

#; translate 'crypt-init' to 'init' -- 'init' is reserved for yadm
if [ "$1" = "crypt-init" ] ; then
set -- "init" "${@:2}"
elif [ "$1" = "crypt-status" ] ; then
set -- "status" "${@:2}"
fi

#; git-crypt commands *must* be run relative to the work tree
#; the one exception is export-key. this will allow a relative
#; file to be specified on the command line
if [ ! "$1" = "export-key" ] ; then
YADM_WORK=$(git config core.worktree)
cd $YADM_WORK
fi

#; TODO: it is important to note in the documentation that specifying a FILE
#; when running `yadm unlock` the FILE *must* be fully qualified. this is
#; because the command must be run relative to the WORK TREE.

#; pass commands through to git-crypt
git-crypt "$@"

CHANGES_POSSIBLE=1

}

function git_command() {

require_repo
@@ -372,6 +405,8 @@ function perms() {
done < "$YADM_ENCRYPT"
fi

#; TODO: restrict the permissions of all git-crypt encrypted files

#; remove group/other permissions from collected globs
chmod -f go-rwx ${GLOBS[@]} >/dev/null 2>&1
#; TODO: detect and report changing permissions in a portable way
@@ -460,6 +495,10 @@ function require_gpg() {
command -v gpg >/dev/null 2>&1 || \
error_out "This functionality requires GPG to be installed, but the command gpg cannot be located."
}
function require_crypt() {
command -v git-crypt >/dev/null 2>&1 || \
error_out "This functionality requires git-crypt to be installed, but the command git-crypt cannot be located."
}
function require_repo() {
[ -d "$YADM_REPO" ] || error_out "Git repo does not exist. did you forget to run 'init' or 'clone'?"
}
