[TriLUG] best encryption solution for encrypting source control?

Tim Jowers timjowers at gmail.com
Thu Feb 5 18:48:57 EST 2015


Thank you Michael and everyone else who responded. Good advice.
I settled on this approach.
1. Only the subversion group has access to the svn repos folder.
2. Files I generally want to be encrypted I put into an eCryptfs folder. E.g.
people's W9's and other financial info. Yes, they go into svn unencrypted;
so, security is only as secure as svn and Linux groups.
3. Files I really want to be safe such as bank account info I will gpg
encrypt. Maybe I'd better include W9's etc in this group too.
My main goal is if a cracker gets a login into my system that he/she
doesn't expose financial data. I *think* with the above I am safer than
many Fortune 500 companies. :-)  The hole seems to be either the cracker
can crack my password, has a crack program against the encryption, or gets
root and installs some trojan horse. I guess physical access is another
huge security hole. I think only #3 has any hope there.
Call me simple, but I still prefer svn over git. ;-)
What I have seen in most places I have been is that once a cracker
compromises a particular user's Windows account, then he/she can access
company private information quite easily. At least with GPG I will avert
that.
Cheers,
Tim
Reference:
Ubuntu: setup "Private" encrypted folder:
https://help.ubuntu.com/community/EncryptedPrivateDirectory
eCryptfs on other folders (e.g. on my raid):
http://housegeekatheart.blogspot.com/2011/08/protecting-your-files-in-ubuntu-linux.html
gpg to encrypt a file:
http://www.cyberciti.biz/tips/linux-how-to-encrypt-and-decrypt-files-with-a-password.html

On Thu, Feb 5, 2015 at 12:53 PM, Igor Partola <igor at igorpartola.com> wrote:

> Tim,
>
> What source control system is this? SVN, CVS, git, something else? How is
> it accessed? HTTP? NFS/Samba? ssh? Telnet?
>
> Here's the industry standard way of doing this:
>
> Use git (SVN and CVS should not be used for new projects), and access it
> over ssh using public keys, not passwords. Any host with a read-write
> filesystem and sshd running is a "git server":
>
> my-host.example.com ~ $ mkdir my-project && cd my-project && git init --bare
>
> laptop ~/my-project/ $ git remote add origin my-host.example.com:/home/igor/my-project
> laptop ~/my-project/ $ git push -u origin master
>
> If you are sharing this repo with others, you may want to use GitLab
> (self-hosted), GitHub, or BitBucket. There would be very little reason not
> to use one of these services, and a lot of upside: automated backups,
> working and secure authentication and authorization, etc.
>
> What you are trying to do (encrypting files on disk), is not going to solve
> your problem, but is going to introduce more problems.
>
> Best of luck,
> Igor
> --
> This message was sent to: timjowers <timjowers at gmail.com>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  :
> http://www.trilug.org/mailman/options/trilug/timjowers%40gmail.com
> Welcome to TriLUG: http://trilug.org/welcome
>
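Tim's plan relies on remembering to gpg-encrypt the financial files before they go into the repository, and nothing in the thread enforces that. The hook below is an added example (not Tim's or Igor's code) of a git pre-commit check that refuses a commit when a file under a sensitive path is not a GPG-encrypted message. The path patterns (`financial/`, `w9/`, `bank*`) are assumptions chosen for illustration; the detection accepts either ASCII-armored output (`gpg -a`) or a binary OpenPGP message, whose first packet is a public-key (tag 1) or symmetric-key (tag 3) encrypted session key. It guards against mistakes by a legitimate committer; an attacker who already has the login can simply bypass the hook, which is why the encryption itself, not the hook, is the control against that threat.

```python
#!/usr/bin/env python3
"""git pre-commit hook: refuse to commit files in sensitive paths unless they
are GPG-encrypted. Install as .git/hooks/pre-commit and make it executable.
Example code, not from the original thread; path patterns are assumptions."""
import re
import subprocess
import sys

# Assumption: sensitive material lives under these path prefixes / name patterns.
SENSITIVE_PATTERNS = [
    re.compile(r"(^|/)financial/"),
    re.compile(r"(^|/)w9s?/", re.IGNORECASE),
    re.compile(r"(^|/)bank[^/]*$", re.IGNORECASE),
]

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def is_sensitive(path):
    """True if the repository path matches one of the sensitive patterns."""
    return any(p.search(path) for p in SENSITIVE_PATTERNS)


def looks_gpg_encrypted(data):
    """Accept ASCII-armored output (gpg -a) or a binary OpenPGP encrypted message.

    Binary check (RFC 4880 packet headers): bit 7 of the first byte is always set.
    Old-format header: tag = (b >> 2) & 0x0f; new-format (bit 6 set): tag = b & 0x3f.
    `gpg -e` starts with tag 1 (public-key encrypted session key) and
    `gpg -c` with tag 3 (symmetric-key encrypted session key).
    """
    if data.startswith(ARMOR_HEADER):
        return True
    if not data or not (data[0] & 0x80):
        return False
    b = data[0]
    tag = (b & 0x3F) if (b & 0x40) else ((b >> 2) & 0x0F)
    return tag in (1, 3)


def check_files(files):
    """files: iterable of (path, leading bytes). Returns the offending paths."""
    return [path for path, head in files
            if is_sensitive(path) and not looks_gpg_encrypted(head)]


def staged_files():
    """Return (path, first 64 bytes of the staged blob) for added/copied/modified files."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True).stdout
    paths = [p.decode() for p in out.split(b"\0") if p]
    result = []
    for p in paths:
        # ":path" reads the index (staged) version, not the working tree copy.
        blob = subprocess.run(["git", "show", f":{p}"],
                              check=True, capture_output=True).stdout
        result.append((p, blob[:64]))
    return result


def main():
    bad = check_files(staged_files())
    for p in bad:
        print(f"refusing to commit unencrypted sensitive file: {p}", file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

For Subversion the same `check_files` logic can be driven from a server-side pre-commit hook using `svnlook changed` and `svnlook cat` instead of the two git commands; the detection function does not change.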

