feat: Implement git-crypt lifecycle management and key instructions
This commit is contained in:
parent
d580c61515
commit
d1eb191aaf
1 changed files with 79 additions and 0 deletions
79
lib/git-crypt.sh
Normal file
79
lib/git-crypt.sh
Normal file
|
|
@ -0,0 +1,79 @@
|
|||
#!/usr/bin/env bash
|
||||
# =============================================================================
|
||||
# lib/git-crypt.sh
|
||||
# git-crypt lifecycle management (init, export, verify).
|
||||
# =============================================================================
|
||||
|
||||
gcrypt_init() {
|
||||
git-crypt init
|
||||
success "git-crypt initialized in $(pwd)"
|
||||
}
|
||||
|
||||
gcrypt_export_key() {
|
||||
local genome_name="$1"
|
||||
local key_path="${KEYS_DIR}/${genome_name}.key"
|
||||
|
||||
mkdir -p "${KEYS_DIR}"
|
||||
git-crypt export-key "$key_path"
|
||||
success "Symmetric key exported to: $key_path"
|
||||
warn "Action required: Store this key in Vaultwarden and remove it from local disk."
|
||||
}
|
||||
|
||||
gcrypt_verify() {
|
||||
local genome_name="$1"
|
||||
local key_path="${KEYS_DIR}/${genome_name}.key"
|
||||
|
||||
info "Verifying git-crypt status for ${genome_name}..."
|
||||
git-crypt lock
|
||||
|
||||
# Checking if the private marker is still encrypted (binary check)
|
||||
if file "raw/private/.gitkeep" 2>/dev/null | grep -q "data"; then
|
||||
success "Encryption verified: private/ directory is protected."
|
||||
else
|
||||
warn "Encryption check inconclusive. Please run 'git-crypt status' manually."
|
||||
fi
|
||||
|
||||
[[ -f "$key_path" ]] && git-crypt unlock "$key_path"
|
||||
}
|
||||
|
||||
gcrypt_print_key_instructions() {
|
||||
local genome_name="$1"
|
||||
local v_url="${VAULTWARDEN_URL:-https://your-vaultwarden.com}"
|
||||
|
||||
echo -e "\n ── ${BOLD}Key Management: ${genome_name}${NC} ──\n"
|
||||
echo " 1. Encode the key to base64:"
|
||||
echo " base64 < ${KEYS_DIR}/${genome_name}.key"
|
||||
echo ""
|
||||
echo " 2. Save to Vaultwarden (${v_url}):"
|
||||
echo " Name: \"${genome_name} key\""
|
||||
echo " Note: <paste the base64 string>"
|
||||
echo ""
|
||||
echo " 3. For AI Server / Runtime Injection:"
|
||||
echo " export BW_SESSION=\$(bw unlock --raw)"
|
||||
echo " git-crypt unlock <(bw get notes \"${genome_name} key\" --session \"\$BW_SESSION\" | base64 -d)"
|
||||
}
|
||||
|
||||
gcrypt_print_runtime_model() {
|
||||
echo ""
|
||||
echo " RUNTIME SECURITY MODEL:"
|
||||
echo " ─────────────────────────────────────────────────────────────"
|
||||
echo " On Forgejo (remote):"
|
||||
echo " raw/private/ and wiki/private/ are opaque AES-256-CTR blobs."
|
||||
echo " Collaborators without the key see binary in private/,"
|
||||
echo " plaintext everywhere else. Git handles this gracefully."
|
||||
echo ""
|
||||
echo " On your laptop:"
|
||||
echo " Once unlocked, files are transparently decrypted by the git"
|
||||
echo " smudge filter. Obsidian reads them as normal Markdown."
|
||||
echo ""
|
||||
echo " On the AI VM:"
|
||||
echo " Same as laptop when unlocked. Use runtime injection (step 5"
|
||||
echo " above) so the key is never written to disk."
|
||||
echo ""
|
||||
echo " Limitation:"
|
||||
echo " Encryption does NOT protect against a full server compromise"
|
||||
echo " where an attacker has root access to a machine where the repo"
|
||||
echo " is already unlocked. Runtime injection mitigates this."
|
||||
echo " ─────────────────────────────────────────────────────────────"
|
||||
echo ""
|
||||
}
|
||||
Loading…
Add table
Reference in a new issue