
Re: Protected/secure SVN

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Tue, 12 May 2015 20:34:01 -0400

On Tue, May 12, 2015 at 8:30 AM, D Ste <djiratest_at_gmail.com> wrote:
> Hi,
>
> I would like to set up SVN to store confidential documents.
> I have secured the pipe communication with HTTPS/SSL. To avoid unauthorized
> users (even with root access) accessing documents from within the server, I
> would like to protect the SVN linux folder/files with encryption.

There are a stack of problems not unique to Subversion:

1) Whoever has your backups owns your content. This can be reduced
with encrypted filesystems and encrypted backups, but it's a basic
service side problem.
2) Subversion clients still save passphrases by default, with no way
for the server to force clients to use mandatory password entry or
force client-side wallet based encryption. Until and unless someone
gets something working like multi-user svn+ssh based access with
Kerberos tickets, or wields genuine Kerberos tickets into svnserve or
enforces Kerberos ticket use for Apache access, almost all setups will
leave you vulnerable to clients storing credentials poorly. Even SSH
key based or SSL key based access doesn't solve this problem, because
clients can and will store their credentials without protections, no
matter what you tell them and no matter what you have them sign.
3) Actually storing encrypted files in SVN will inevitably mean
storing binaries. Each small change in such a file will inevitably
involve a large difference from the previously stored encrypted file,
meaning a lot of resources for every change, and Subversion is
*horrible* about expiring old, unwanted files. The "svn obliterate" is
one of the most requested features, and has been consistently rejected
since..... well, since its first releases over a decade ago.

> Are there any ways to secure the SVN using protected folders or encryption?
> So only authorized users can access these confidential documents.
>
> Thanks in advance for your help.

Yes, but there are limits. Be aware of them.
Received on 2015-05-13 02:34:06 CEST

This is an archived mail posted to the Subversion Users mailing list.
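
Point 2 of the reply above concerns clients caching credentials without protection. The following is an added example, not part of the original post: a client-side audit that parses Subversion's auth cache files and reports entries whose password is stored as plaintext. The cache path assumes a Unix client's default location, and the sample entry is constructed.

```python
import io
from pathlib import Path

# passtype values meaning the password is held in, or encrypted by, an OS store.
PROTECTED = {"wincrypt", "keychain", "gnome-keyring", "kwallet", "gpg-agent"}

def parse_svn_hash(data: bytes) -> dict:
    """Parse one cache file: repeated 'K <len>', key, 'V <len>', value, then END."""
    buf, entry = io.BytesIO(data), {}
    while True:
        header = buf.readline().strip()
        if header in (b"END", b""):
            return entry
        if not header.startswith(b"K "):
            raise ValueError(f"expected key header, got {header!r}")
        key = buf.read(int(header[2:])).decode()
        buf.readline()                          # newline that ends the key
        vheader = buf.readline().strip()
        if not vheader.startswith(b"V "):
            raise ValueError(f"expected value header, got {vheader!r}")
        entry[key] = buf.read(int(vheader[2:])).decode(errors="replace")
        buf.readline()                          # newline that ends the value

def audit_entry(data: bytes):
    """Return a finding (never the password itself) if the entry is unprotected."""
    entry = parse_svn_hash(data)
    # Assumption: an entry with a password but no passtype is treated as plaintext.
    passtype = entry.get("passtype", "simple")
    if "password" not in entry or passtype in PROTECTED:
        return None
    return {"realm": entry.get("svn:realmstring", "?"),
            "username": entry.get("username", "?"), "passtype": passtype}

def audit_dir(auth_dir=None):
    """Audit every cached credential under svn.simple (Unix default path assumed)."""
    auth_dir = Path(auth_dir) if auth_dir else Path.home() / ".subversion/auth/svn.simple"
    if not auth_dir.is_dir():
        return []
    results = (audit_entry(p.read_bytes()) for p in sorted(auth_dir.iterdir()) if p.is_file())
    return [r for r in results if r]

def make_entry(fields: dict) -> bytes:
    """Build a constructed cache entry in the same format, for the demo below."""
    pairs = ((k.encode(), v.encode()) for k, v in fields.items())
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in pairs) + b"END\n"

if __name__ == "__main__":
    sample = make_entry({"passtype": "simple", "password": "constructed-secret",
                         "svn:realmstring": "<https://svn.example.com:443> Example",
                         "username": "alice"})   # constructed sample, not real data
    print(audit_entry(sample))
    print(audit_dir())
```

A finding means the password can be read by anyone who can read that user's files or their backups, which ties back to point 1.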
