git-crypt
Documentation, git large file storage and git-crypt
I have a hard time figuring out how to use git-crypt together with lfs. Is that even possible, and would it be possible to write a small howto on the subject?
+2
I would also like to know. Can a large file be both encrypted by git-crypt and stored in git lfs?
+1
+1
Opened an issue about making this work without requiring all LFS-tracked files in the repository be encrypted over at https://github.com/git-lfs/git-lfs/issues/4287.
Did anybody ever find a solution to integrate the use of git-crypt and git-lfs? Or should one rely purely on LFS's HTTP authentication in order to achieve security on the stored files?
In the end, TLS and git-crypt probably achieve a similar level of encryption; wondering if LFS can be considered as secure as git-crypt.
I'm using it right now. It's not ideal (you encrypt all files tracked by Git LFS), but it's in action over at bb010g/dotfiles. From my readme:
git-crypt & Git LFS
A Git LFS extension makes git-crypt work on top of Git LFS. The following should be added to your .git/config:
[diff "cat"]
    textconv = cat
[lfs "extension.git-crypt"]
    clean = git-crypt clean
    smudge = git-crypt smudge
    priority = 0
To filter files with git-crypt from now on, set their filter & diff attributes to filter=lfs diff=git-crypt, and leave their merge attribute unspecified. This is not what Git LFS specifies by default (filter=lfs diff=lfs merge=lfs), but we're dealing with text files here. (Plus, Git LFS doesn't even ship a diff driver or a merge driver. Whee.) Ideally, extensions would be controllable with gitattributes(5), but this is not currently implemented. The issue "gitattributes(5) should control paths' desired Git LFS extensions" has been opened about this.
The cat diff driver isn't essential, but it makes text diffs on LFS tracked text files work (diff=cat).
Ideally, this would look like a .lfsconfig containing:
[lfs]
extensions =
git-crypt shipping system-wide config of:
[lfs "extension.git-crypt"]
    clean = git-crypt clean
    smudge = git-crypt smudge
    priority = 0
[lfs "extension.git-crypt.diff"]
    textconv = git-crypt diff
And paths with attributes of filter=lfs diff=lfs merge=lfs lfs-extensions=git-crypt, where Git LFS would provide diff & merge drivers that invoked registered extensions in a path's priority-sorted LFS extension stack. With a bit of CLI changes, this could be git lfs track -x git-crypt [<pattern>...] to start using git-crypt on paths.
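Added example, not part of the comment above or of either project's code: because the extension lives in the local .git/config, a clone without it can push plaintext to LFS, so a check like the following can confirm that a stored LFS object really went through git-crypt. It assumes the pointer format of the Git LFS extension mechanism (ext-<priority>-<name> lines before oid) and the 10-byte header git-crypt writes at the start of encrypted output; the function names and sample data are constructed for illustration.

```python
import hashlib
import re

GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"   # 10-byte header at the start of git-crypt output
LFS_VERSION = "version https://git-lfs.github.com/spec/v1"
EXT_LINE = re.compile(r"^ext-(\d)-(\S+) sha256:([0-9a-f]{64})$")


def parse_pointer(text):
    """Parse a Git LFS pointer, including ext-<priority>-<name> lines."""
    lines = text.splitlines()
    if not lines or lines[0] != LFS_VERSION:
        raise ValueError("not a Git LFS pointer")
    info = {"extensions": [], "oid": None, "size": None}
    for line in lines[1:]:
        m = EXT_LINE.match(line)
        if m:
            info["extensions"].append((int(m.group(1)), m.group(2)))
        elif line.startswith("oid sha256:"):
            info["oid"] = line[len("oid sha256:"):]
        elif line.startswith("size "):
            info["size"] = int(line[len("size "):])
    info["extensions"].sort()
    return info


def audit(pointer_text, stored_object, ext_name="git-crypt"):
    """Return a list of problems; an empty list means the object looks encrypted."""
    info = parse_pointer(pointer_text)
    problems = []
    if ext_name not in [name for _, name in info["extensions"]]:
        problems.append("pointer records no %s extension" % ext_name)
    if hashlib.sha256(stored_object).hexdigest() != info["oid"]:
        problems.append("stored object does not match pointer oid")
    if not stored_object.startswith(GITCRYPT_MAGIC):
        problems.append("stored object lacks git-crypt header (plaintext in LFS)")
    return problems


def sample_pointer(stored_object, with_ext):
    """Build a constructed pointer for the demo (the ext hash is a dummy value)."""
    ext = "ext-0-git-crypt sha256:%s\n" % ("0" * 64) if with_ext else ""
    oid = hashlib.sha256(stored_object).hexdigest()
    return "%s\n%soid sha256:%s\nsize %d\n" % (LFS_VERSION, ext, oid, len(stored_object))


if __name__ == "__main__":
    encrypted = GITCRYPT_MAGIC + bytes(12) + b"\x8f\x1c\x02"   # constructed sample
    plaintext = b"api_token=example\n"                          # constructed sample
    print(audit(sample_pointer(encrypted, True), encrypted))
    print(audit(sample_pointer(plaintext, False), plaintext))
```

In a real repository the pointer text would come from git cat-file on the committed blob and the stored object from .git/lfs/objects; both locations are outside what this sketch reads.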
Oh, I asked just in time! Thanks for all the info and for the link to your recent LFS's issue (filled with even more info ^^).
I'm gonna test your suggestions, even if having to use .git/config is probably a no-go for now, since I need the config to be stored in the repo and work automatically for whoever is cloning; in particular, it also might be annoying during CI.
I subscribed to follow updates; I read that you might want to attempt the implementation. It would be great to try, if you manage to produce something :)
+1 following