2016-09-07 03:19:16 +00:00
|
|
|
---
|
|
|
|
title: "Encryption"
|
|
|
|
permalink: /docs/encryption
|
|
|
|
---
|
|
|
|
It can be useful to manage confidential files, like SSH keys, across multiple
|
|
|
|
systems. However, doing so would put plain text data into a Git repository,
|
2019-10-19 18:59:03 +00:00
|
|
|
which often resides on a public system. yadm implements a feature which can
|
2016-09-07 03:19:16 +00:00
|
|
|
make it easy to encrypt and decrypt a set of files so the encrypted version can
|
|
|
|
be maintained in the Git repository. This feature will only work if the gpg
|
|
|
|
command is available.
|
|
|
|
_It is recommended that you use a private repository when keeping confidential
|
|
|
|
files, even though they are encrypted._
|
|
|
|
|
|
|
|
To use this feature, a list of patterns must be created and saved as
|
2019-10-20 20:07:13 +00:00
|
|
|
`$HOME/.config/yadm/encrypt`. For example:
|
2016-09-07 03:19:16 +00:00
|
|
|
|
|
|
|
.ssh/*.key
|
|
|
|
|
|
|
|
The `yadm encrypt` command will find all files matching the patterns, and
|
|
|
|
prompt for a password. Once a password has confirmed, the matching files will be
|
2019-10-20 20:07:13 +00:00
|
|
|
encrypted and saved as `$HOME/.config/yadm/files.gpg`. The patterns and files.gpg
|
2019-10-19 18:59:03 +00:00
|
|
|
should be added to the yadm repository so they are available across multiple
|
2016-09-07 03:19:16 +00:00
|
|
|
systems.
|
|
|
|
|
2019-10-20 20:07:13 +00:00
|
|
|
yadm add .config/yadm/encrypt
|
|
|
|
yadm add .config/yadm/files.gpg
|
2016-09-07 03:19:16 +00:00
|
|
|
|
|
|
|
To decrypt these files later, or on another system run `yadm decrypt` and
|
|
|
|
provide the correct password.
|
|
|
|
_By default, any decrypted files will have their "group" and "others"
|
|
|
|
permissions removed._
|
|
|
|
|
|
|
|
### Asymmetric Encryption
|
|
|
|
|
|
|
|
Symmetric encryption is used by default, but asymmetric encryption may
|
|
|
|
be enabled using the `yadm.gpg-recipient` configuration. To do so, run:
|
|
|
|
|
|
|
|
yadm config yadm.gpg-recipient <recipient-address>
|
|
|
|
|
|
|
|
For this to work, `<recipient-address>` must exist in your gpg keyrings.
|
2019-12-17 04:44:04 +00:00
|
|
|
|
|
|
|
## git-crypt
|
|
|
|
|
|
|
|
git-crypt is a tool that enables transparent encryption and decryption of files
|
|
|
|
in a Git repository. If git-crypt is installed, you can use it with your yadm
|
|
|
|
repository.
|
|
|
|
|
|
|
|
Simply use it normally, prefacing the `git-crypt` commands with `yadm`.
|
|
|
|
|
|
|
|
You can learn more about [git-crypt](https://github.com/AGWA/git-crypt) at this
|
|
|
|
[website](https://www.agwa.name/projects/git-crypt/).
|