
Re: Encrypting selected files ...

From: Aaron Turner <synfinatic_at_gmail.com>
Date: Fri, 2 Oct 2009 09:23:55 -0700

On Fri, Oct 2, 2009 at 7:56 AM, Parrish, Ken <KParrish_at_gomez.com> wrote:
> I have been asked to look into the issue of encrypting sensitive information
> that is stored in our source code repository.  We have quite a few users of
> our repository, many of whom are overseas.
>
> 99.99% of what’s in our repository is just source code that everyone needs.
> However there are a few files that contain production usernames, passwords
> and other references to assets that we would like to encrypt and allow
> access only to selected users or those with an encryption key.

Since you're trying to secure files from certain developers I see three options:

1. Use PGP/GnuPG to encrypt them.

2. Move these sensitive files to a location in your source tree where
you can deny read permission to them via SVN's built-in access
controls.

3. Use property files, ENV vars, etc. to set these sensitive values and
only tell them to those who need to know.

> Are there any facilities in Subversion for encrypting individual files?

No. SVN has no encryption other than SSL for secure file transfer.

> If not, does anyone have any recommendations for tools that might be
> effective for encrypting individual files?

PGP/GnuPG. You don't have to use PGP keys if you don't want to.
PGP/GnuPG supports "symmetric key encryption" like AES where the same
password is used to encrypt and decrypt the file.

> Is it possible to implement some sort of ‘hook’ in subversion that can be
> instructed to encrypt / decrypt selected files for selected users?

Hooks are on the server, not the client, and hence this is not possible.

> Thoughts, ideas on this topic?

In general, your design (putting production passwords in your source
tree) is flawed from a pure security standpoint and not in line with
best practices. It is not recommended.

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2402985
Received on 2009-10-02 18:25:26 CEST

This is an archived mail posted to the Subversion Users mailing list.
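
Option 2 in the reply above (denying read permission through Subversion's path-based access control) could look like the following authz file. This is an added example, not part of the original mail; the group names, user names and repository path are hypothetical, and it assumes the server already points at the file (`authz-db` in svnserve.conf, or `AuthzSVNAccessFile` for Apache mod_authz_svn).

```ini
# Constructed example authz file; groups, users and paths are hypothetical.
[groups]
developers = alice, bob, carol
ops = dave, erin

# Default for the whole repository: both groups can read and write.
[/]
@developers = rw
@ops = rw

# Sensitive directory holding the production credentials.
# The most specific matching section decides access for a path.
# An empty value after "=" grants nothing, so everyone is denied here.
# Matching lines inside one section are combined, so members of ops
# still end up with read/write access.
[/trunk/config/production]
* =
@ops = rw
```

Access is checked against the path a file had in each revision, so anything committed at a readable location before the move stays readable in history. Credentials that were ever stored that way should be changed after the restricted directory is in place.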