Konubinix' opinionated web of thoughts

Git Annex Encryption


git-annex cryptography

To see what encryption is used for a special remote, run git annex info $remote and look for a line like:

encryption: hybrid (to gpg keys: AEC828149D85C538 C910D9122512E3C8)


The filenames used on the special remote are encrypted using HMAC, which prevents the special remote from seeing the filenames. But, anyone who can clone the git repository can access the HMAC cipher; it’s stored unencrypted in the git repository.


Encrypted special remotes store their encryption key here, in the “cipher” value. It is base64 encoded and, unless shared encryption is used, is encrypted to one or more gpg keys. The first 256 bytes of the cipher are used as the HMAC SHA1 encryption key, to encrypt filenames stored on the special remote. The remainder of the cipher is used as a gpg symmetric encryption key, to encrypt the content of files stored on the special remote.
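
The cipher split and filename derivation described above, as an added Python example that is not git-annex's own code. It assumes the HMAC input is the git-annex key name and that the remote-side name is the hex digest behind a GPGHMACSHA1-- prefix; the cipher and key name are constructed sample values.

```python
import hashlib
import hmac

HMAC_KEY_LEN = 256  # per the text: the first 256 bytes of the cipher

# Constructed sample values, not taken from any real repository.
SAMPLE_CIPHER = bytes(range(256)) * 2          # stands in for a decrypted cipher
SAMPLE_KEY = "SHA256E-s11--constructed-example-key.txt"


def split_cipher(cipher: bytes) -> tuple:
    """Split a decrypted cipher into (HMAC key, gpg symmetric key)."""
    if len(cipher) <= HMAC_KEY_LEN:
        raise ValueError("cipher too short to hold both keys")
    return cipher[:HMAC_KEY_LEN], cipher[HMAC_KEY_LEN:]


def remote_name(hmac_key: bytes, annex_key: str) -> str:
    """Name a file would get on the special remote (assumed format)."""
    digest = hmac.new(hmac_key, annex_key.encode(), hashlib.sha1).hexdigest()
    return "GPGHMACSHA1--" + digest  # prefix is an assumption, see lead-in


if __name__ == "__main__":
    hmac_key, gpg_key = split_cipher(SAMPLE_CIPHER)
    # Whoever holds the cipher can recompute the remote-side name for any key,
    # so they can match remote objects to files; the remote alone cannot.
    print(remote_name(hmac_key, SAMPLE_KEY))
    # The remaining bytes never touch filenames; they protect file content.
    print(len(gpg_key), "bytes left for gpg symmetric encryption")
```

The HMAC is deterministic, which is what lets git-annex find a file on the remote again, and also why access to the cipher is enough to correlate remote filenames with keys in the repository.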