feat: Implement git-crypt lifecycle management and key instructions

Matteo Cherubini 2026-05-08 21:09:42 +02:00
parent d580c61515
commit d1eb191aaf

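--- /dev/null
+++ b/lib/git-crypt.sh
+#!/usr/bin/env bash
+# =============================================================================
+# lib/git-crypt.sh
+# git-crypt lifecycle management (init, export, verify).
+# =============================================================================
+gcrypt_init() {
+git-crypt init
+success "git-crypt initialized in $(pwd)"
+}
+gcrypt_export_key() {
+local genome_name="$1"
+local key_path="${KEYS_DIR}/${genome_name}.key"
+mkdir -p "${KEYS_DIR}"
+git-crypt export-key "$key_path"
+success "Symmetric key exported to: $key_path"
+warn "Action required: Store this key in Vaultwarden and remove it from local disk."
+}
+gcrypt_verify() {
+local genome_name="$1"
+local key_path="${KEYS_DIR}/${genome_name}.key"
+info "Verifying git-crypt status for ${genome_name}..."
+git-crypt lock
+# Checking if the private marker is still encrypted (binary check)
+if file "raw/private/.gitkeep" 2>/dev/null | grep -q "data"; then
+success "Encryption verified: private/ directory is protected."
+else
+warn "Encryption check inconclusive. Please run 'git-crypt status' manually."
+fi
+[[ -f "$key_path" ]] && git-crypt unlock "$key_path"
+}
+gcrypt_print_key_instructions() {
+local genome_name="$1"
+local v_url="${VAULTWARDEN_URL:-https://your-vaultwarden.com}"
+echo -e "\n ── ${BOLD}Key Management: ${genome_name}${NC} ──\n"
+echo " 1. Encode the key to base64:"
+echo " base64 < ${KEYS_DIR}/${genome_name}.key"
+echo ""
+echo " 2. Save to Vaultwarden (${v_url}):"
+echo " Name: \"${genome_name} key\""
+echo " Note: <paste the base64 string>"
+echo ""
+echo " 3. For AI Server / Runtime Injection:"
+echo " export BW_SESSION=\$(bw unlock --raw)"
+echo " git-crypt unlock <(bw get notes \"${genome_name} key\" --session \"\$BW_SESSION\" | base64 -d)"
+}
+gcrypt_print_runtime_model() {
+echo ""
+echo " RUNTIME SECURITY MODEL:"
+echo " ─────────────────────────────────────────────────────────────"
+echo " On Forgejo (remote):"
+echo " raw/private/ and wiki/private/ are opaque AES-256-CTR blobs."
+echo " Collaborators without the key see binary in private/,"
+echo " plaintext everywhere else. Git handles this gracefully."
+echo ""
+echo " On your laptop:"
+echo " Once unlocked, files are transparently decrypted by the git"
+echo " smudge filter. Obsidian reads them as normal Markdown."
+echo ""
+echo " On the AI VM:"
+echo " Same as laptop when unlocked. Use runtime injection (step 5"
+echo " above) so the key is never written to disk."
+echo ""
+echo " Limitation:"
+echo " Encryption does NOT protect against a full server compromise"
+echo " where an attacker has root access to a machine where the repo"
+echo " is already unlocked. Runtime injection mitigates this."
+echo " ─────────────────────────────────────────────────────────────"
+echo ""
+}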
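Review bot: The runtime model printed by gcrypt_print_runtime_model overstates what the process-substitution unlock in step 3 buys: `git-crypt unlock` copies the supplied key into `.git/git-crypt/keys/` and keeps it there for as long as the repo is unlocked, so "the key is never written to disk" is not true and "Runtime injection mitigates this" is wrong for the stated threat — root on an unlocked VM gets the plaintext and the key. I would replace those two statements with `echo " above) so the exported key file never lands on the VM. Note that"`, `echo " git-crypt unlock still keeps a copy under .git/git-crypt/keys/."` and `echo " is already unlocked (the key is also readable from .git/git-crypt/keys/)."`, and fix "step 5 above" to "step 3", since the instructions function prints only three steps. In the same step, `--session "$BW_SESSION"` puts the session token into argv where any local user can read it via `ps`; bw already honours the exported BW_SESSION variable, so the flag can simply be dropped. Separately, gcrypt_verify runs `git-crypt lock` unconditionally but only re-unlocks when the key file is still at `$key_path`, which the export step told the user to delete — once they comply, every verify run leaves the checkout locked; consider checking for the key (or refusing on a dirty tree, which `git-crypt lock` rejects anyway) before locking.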