Repository encryption at rest

[Nuno Costa]

Hi all,

Does anyone knows if it is possible to have the repositories files encrypted on the backend/filesystem while they are not in use?

For example, the repo would be unencrypted when any action would be directed to a specific repository like a change is open on the UI, a clone or REST API call.

I don't see doing this on the filesystem level very advantageous because Gerrit service needs to be up and running.

Even if mounting certain repos on a different mount point that would be unencrypted, we would always need to have Gerrit signaling to the FS to encrypt the repo.

Not even considering the encryption overhead.

Just wanted to know if something like this is/would be possible

Thanks and keep the good work,

Nuno

[Martin Fick]

On Tue, Jul 23, 2024 at 3:30 AM Nuno Costa <nunoco...@gmail.com> wrote:

Does anyone knows if it is possible to have the repositories files encrypted on the backend/filesystem while they are not in use?

This is not currently possible, but I suspect that it would not be an enormous task to modify JGit to encrypt the objects on disk for storage. That would, of course, make the repositories unreadable by the standard git executable though,

 

-Martin

[Nuno Costa]

Hi Martin, thanks for the feedback.

Regarding cgit access, it seems there are some projects[1][2] to handle independent files and even entire repo encryption.

Could this be a feature request to be presented to jgit team?

The feature could also be compatible with some cgit encryption implementations allowing it to work on both jgit and cgit.

[1] https://github.com/AGWA/git-crypt

[2] https://github.com/spwhitton/git-remote-gcrypt

[David Åkerman]

Hi Nuno,

Your suggested projects seems to do encryption and decryption on the client-side. In that case the files should be encrypted when they are uploaded and stored on the git-server/gerrit-server. Does not that fulfill your requirements?

Best regards,

David

[Luca Milanesio]

I believe Nuno would like for Gerrit to still index and process the data by decrypting it on the fly.

In that case, the encryption isn’t E2E because Gerrit (an intermediary) can see the data in cleartext.

If you want Gerrit to see the data in cleartext, then the encryption needs to be done at block-device level, which is totally possible an is outside the Git and Gerrit domain.

Alternatively, if the data needs to be really encrypted E2E, then encryption and decryption is done at client level, and David is right, Gerrit would _just work_ and _won’t see data in cleartext_.

Luca.

Best regards,

David

-- 
-- 
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

--- 
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/4d88e142-3295-41cc-b89c-7dd5f1a4cae0n%40googlegroups.com.

[Matthias Sohn]

On Fri, Jul 26, 2024 at 9:28 AM Luca Milanesio <luca.mi...@gmail.com> wrote:

On 25 Jul 2024, at 23:41, David Åkerman <david....@axis.com> wrote:

On Thursday, July 25, 2024 at 11:57:27 AM UTC+2 Nuno Costa wrote:

Hi Martin, thanks for the feedback.

Regarding cgit access, it seems there are some projects[1][2] to handle independent files and even entire repo encryption.

Could this be a feature request to be presented to jgit team?

The feature could also be compatible with some cgit encryption implementations allowing it to work on both jgit and cgit.

[1] https://github.com/AGWA/git-crypt

[2] https://github.com/spwhitton/git-remote-gcrypt

On Tuesday 23 July 2024 at 21:15:27 UTC+1 Martin Fick wrote:

On Tue, Jul 23, 2024 at 3:30 AM Nuno Costa <nunoco...@gmail.com> wrote:

Does anyone knows if it is possible to have the repositories files encrypted on the backend/filesystem while they are not in use?

This is not currently possible, but I suspect that it would not be an enormous task to modify JGit to encrypt the objects on disk for storage. That would, of course, make the repositories unreadable by the standard git executable though, 

 

-Martin

Hi Nuno,

Your suggested projects seems to do encryption and decryption on the client-side. In that case the files should be encrypted when they are uploaded and stored on the git-server/gerrit-server. Does not that fulfill your requirements?

I believe Nuno would like for Gerrit to still index and process the data by decrypting it on the fly.

In that case, the encryption isn’t E2E because Gerrit (an intermediary) can see the data in cleartext.

If you want Gerrit to see the data in cleartext, then the encryption needs to be done at block-device level, which is totally possible an is outside the Git and Gerrit domain.

Alternatively, if the data needs to be really encrypted E2E, then encryption and decryption is done at client level, and David is right, Gerrit would _just work_ and _won’t see data in cleartext_.

Encrypting the blobs stored in git repos can be done client or server-side, though since encrypted blobs are binary data 

git's text-based delta storage will be less efficient. Hence I expect the repository size to grow faster compared to

storing unencrypted text blobs. I think transparent filesystem encryption wouldn't suffer from this issue since in that case

git still sees the text data.

 

Luca.

Best regards,

David

-- 
-- 
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

--- 
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/4d88e142-3295-41cc-b89c-7dd5f1a4cae0n%40googlegroups.com.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/3A3E59E7-5CDC-49C7-A42B-2A19749FD150%40gmail.com.