diff --git a/INSTALL b/INSTALL new file mode 100644 index 0000000..0bd4da8 --- /dev/null +++ b/INSTALL @@ -0,0 +1,22 @@ +DEPENDENCIES + +To use git-crypt, you need: + + * Git 1.6.0 or newer + * OpenSSL + * For decrypted git diff output, Git 1.6.1 or newer + * For decrypted git blame output, Git 1.7.2 or newer + +To build git-crypt, you need a C++ compiler and OpenSSL development +headers. + + +BUILDING GIT-CRYPT + +The Makefile is tailored for g++, but should work with other compilers. + + $ make + $ cp git-crypt /usr/local/bin/ + +It doesn't matter where you install the git-crypt binary - choose wherever +is most convenient for you. diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..9a4081e --- /dev/null +++ b/NEWS @@ -0,0 +1,18 @@ +v0.3 (2013-04-05) + * Fix 'git-crypt init' on newer versions of Git. Previously, + encrypted files were not being automatically decrypted after + running 'git-crypt init' with recent versions of Git. + * Allow 'git-crypt init' to be run even if the working tree contains + untracked files. + * 'git-crypt init' now properly escapes arguments to the filter + commands it configures, allowing both the path to git-crypt and the + path to the key file to contain arbitrary characters such as spaces. + +v0.2 (2013-01-25) + * Numerous improvements to 'git-crypt init' usability. + * Fix gitattributes example in README: the old example showed a colon + after the filename where there shouldn't be one. + * Various build fixes and improvements. + +v0.1 (2012-11-29) + * Initial release. diff --git a/README b/README index 039021e..119bf03 100644 --- a/README +++ b/README @@ -16,25 +16,7 @@ For more information, see . BUILDING GIT-CRYPT -See below for dependencies. The Makefile is tailored for g++. If you -have a different compiler, edit Makefile and change the CXX and CFLAGS -variables. This will be made easier in a future release. - - $ make - $ cp git-crypt /usr/local/bin/ - -It doesn't matter where you install the git-crypt binary - choose wherever -is most convenient for you. - - -DEPENDENCIES - -To use git-crypt, you need: - - * Git 1.6.0 or later - * OpenSSL - * For decrypted git diff output, Git 1.6.1 or later - * For decrypted git blame output, Git 1.7.2 or later +See the INSTALL file. USING GIT-CRYPT @@ -65,3 +47,55 @@ Cloning a repository with encrypted files: That's all you need to do - after running git-crypt init, you can use git normally - encryption and decryption happen transparently. + + +CURRENT STATUS + +The latest version of git-crypt is 0.3, released on 2013-04-05. +git-crypt is not yet feature complete and the user experience is rough +in places. There may also be compatibility-breaking changes introduced +before version 1.0. That said, git-crypt is reliable and secure and +used to protect content in real world repositories. + +Development on git-crypt is currently focused on improving the user +experience, especially around setting up repositories. There are also +plans to add additional key management schemes, such as passphrase-derived +keys and keys encrypted with PGP. + + +SECURITY + +git-crypt is more secure that other transparent git encryption systems. +git-crypt encrypts files using AES-256 in CTR mode with a synthetic +IV derived from the SHA-1 HMAC of the file. This is provably +semantically secure under deterministic chosen-plaintext attack. +That means that although the encryption is deterministic (which is +required so git can distinguish when a file has and hasn't changed), +it leaks no information beyond whether two files are identical or not. +Other proposals for transparent git encryption use ECB or CBC with no +IV. These systems are not semantically secure and leak information. + +The AES key is stored unencrypted on disk. The user is responsible for +protecting it and ensuring it's safely distributed only to authorized +people. A future version of git-crypt may support encrypting the key +with a passphrase. + + +LIMITATIONS + +git-crypt is not designed to encrypt an entire repository. Not only does +that defeat the aim of git-crypt, which is the ability to selectively +encrypt files and share the repository with less-trusted developers, there +are probably better, more efficient ways to encrypt an entire repository, +such as by storing it on an encrypted filesystem. Also note that +git-crypt is somewhat of an abuse of git's smudge, clean, and textconv +features. Junio Hamano, git's maintainer, has said not to do this +, +though his main objection ("making a pair of similar 'smudged' contents +totally dissimilar in their 'clean' counterparts.") does not apply here +since git-crypt uses deterministic encryption. + +git-crypt does not itself provide any authentication. It assumes that +either the master copy of your repository is stored securely, or that +you are using git's existing facilities to ensure integrity (signed tags, +remembering commit hashes, etc.).