Encrypted Git remotes with git-remote-gcrypt
Last edited: $Date: 2017/10/07 14:53:57 $
## Encrypted backup of your repositories
On my personal Git server I have a lot of repositories. In order not
to lose these repositories, a backup policy is important.
I keep copies of my Git repositories on several machines in my home
network. However, a catastrophic power-event like a lightning bolt or
some other high-voltage peak could wipe all those machines. Therefore I
wanted to have a copy outside my house, and thus at a third party.
Because of the confidentiality of a part of the data, this has to be
an encrypted backup.
## Create GNU Privacy Guard-encrypted git remotes with git-remote-gcrypt
The open source GnuPG tools provide very strong encryption and are easy
to implement. (GnuPG is also known under the names gpg and OpenPGP.)
git-remote-gcrypt handles gcrypt:: URLs that will access a remote
repository encrypted with GnuPG. On Debian, it is easy to install:

    apt-get install git-remote-gcrypt

... and you are ready to go!
git-remote-gcrypt is a shell-script, so another easy way to install

    git clone https://github.com/spwhitton/git-remote-gcrypt

This can be handy on other Linux distributions. git-remote-gcrypt
is a shell-script that uses curl among other things, and it will not
be easy to get it working properly on OpenBSD.
## GnuPG key
Before starting to use git-remote-gcrypt to set up encrypted remotes,
it is useful to think about which GnuPG key we are going to use.
We set up the remote encrypted repositories as a backup for the case
our entire home network is foobar. When we want to access the contents
of the remote repository, we will need the private gpg-key to do the
So you will have to store this gpg-key on a remote position, probably
at a third party (which is, of course, not the same third party as
where the remote repository is located). This can be on a USB memory
stick, or as a file stored by some cloud provider.
For this reason, I chose to use a separate key, only to be used for
the encryption and decryption of the Git repositories, and not my
"normal" key for everyday use, like signing email messages.
## How to set up an encrypted remote Git repository
### Preparation on the remote machine
On the remote machine, create a bare, empty repository:

    mkdir -p /opt/git/
    git init --bare .

This results in a normal, remote empty repository.
In the example above, the remote repository is located in the /opt/git
directory. This is just an example, you can choose any other path.
### Preparation on the local repository
In the directory of our local Git repository we enter the following

    git remote add cryptremote gcrypt::rsync://:/opt/git/$mydir
    git config remote.cryptremote.gcrypt-participants ""

With this, we add an encrypted remote repository to the git config.
Also, we tell git which GnuPG key to use for the encryption. The
gpg-key-id is a long string; you can get it e.g. with "gpg -K",
which lists all your secret keys.
When you want to share the encrypted remote with other people, you can
also add their gpg-keys to the list of gcrypt-participants.
### Push encrypted data to the git remote
Now all we have to do is push the contents of our local repository
to the remote; git-remote-gcrypt will do all the encryption for us:

    git push cryptremote master

The name of the repository, and the git config and so on will not be
encrypted, only the data. So if your repository name is sensitive too,
you have to come up with some mechanism to replace this with something
else. In the above example, the local repository got pushed to a
remote in /opt/git, followed by a directory-name. You can of course
replace this directory-name with something else.
## Cloning from the remote repository
So there has been some catastrophic event, and now we want our data
back from the remote encrypted repository. How do we approach this?
It turns out to be very simple. Of course we need the GnuPG key for
decryption, so both the public as well as the private part of the key.

    git clone gcrypt::rsync://:/opt/git/

You will be prompted to enter the passphrase for the gpg-key and a
local, decrypted clone will be made.
## Test the recovery of the backup
Remember that a backup that is not tested is not a backup. Test the
recovery process on a regular basis, to be sure it is working OK.
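
One way to script such a recovery test, as an added example that is not part of the original page: the hypothetical function restore_drill clones from the backup URL as in the cloning section above, runs git fsck on the result, and compares every local branch tip with the restored one. The function names and messages are assumptions of this example, and it assumes git 2.13 or later.

```shell
#!/bin/sh
# Added example: recovery drill for an encrypted Git remote.
# restore_drill LOCAL-REPO CLONE-URL; the clone URL is what you would pass
# to "git clone" in a real recovery, e.g. the gcrypt:: URL of the backup.

# Print "<commit> <branch>" for every ref under prefix $2 in repository $1;
# $3 is the number of leading path components to strip from the ref name.
tips() {
    git -C "$1" for-each-ref --sort=refname \
        --format="%(objectname) %(refname:lstrip=$3)" "$2" | sed '/ HEAD$/d'
}

restore_drill() {
    local_repo=$1 clone_url=$2
    work=$(mktemp -d) || return 2
    status=1
    # Clone as in a real recovery; for a gcrypt:: URL gpg decrypts here.
    if ! git clone --quiet "$clone_url" "$work/restore" 2>"$work/err"; then
        echo "FAIL: clone failed"; cat "$work/err"
    # Verify the integrity of every restored object.
    elif ! git -C "$work/restore" fsck --no-dangling >/dev/null 2>&1; then
        echo "FAIL: git fsck reported problems in the restored clone"
    else
        tips "$local_repo" refs/heads 2 >"$work/local"
        tips "$work/restore" refs/remotes/origin 3 >"$work/backup"
        # Lines marked "<" exist only locally, ">" only in the backup.
        if diff "$work/local" "$work/backup"; then
            echo "OK: all local branches are in the backup and up to date"
            status=0
        else
            echo "FAIL: backup is missing or behind on the branches above"
        fi
    fi
    rm -rf "$work"
    return $status
}
```

Call it as restore_drill LOCAL-REPO CLONE-URL with the gcrypt:: URL of the backup. Setting GNUPGHOME to a keyring imported from the off-site copy of the key makes the drill also prove that this copy can decrypt the backup.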
$Id: encryptedremotegit.txt,v 1.2 2017/10/07 14:53:57 matto Exp $