Keybase.io, which began as a cloud key database and has since evolved into a secure messaging and collaboration service, on Wednesday added support for encrypted Git repositories.
Git, a version control system widely used for managing source code, doesn't encrypt files stored in Git repositories.
It can, however, be used in conjunction with an encrypted communication protocol (HTTPS or SSH) and it supports cryptographic hash checking (checksums) to verify the integrity of code commits.
At the same time, Git's reliance on the SHA-1 crypto algorithm means its commit verification mechanism leaves something to be desired. Crypto researchers earlier this year demonstrated the feasibility of generating an SHA-1 collision. Using this technique, it's at least theoretically possible that a public Git repo could be altered covertly without authorization.
Linus Torvalds, who created Git, has dismissed concerns, even as he has suggested Git will eventually move to a stronger hash algorithm like SHA3-256.
Users of local Git repos and of cloud-based Git services, like BitBucket, GitLab, or GitHub, can rely on password- or SSH-based authentication to keep private repos from view. But that's not as secure as encrypting every file.
There are open source projects that can encrypt Git repos, like git-crypt. Keybase's approach, however, appears to be a bit simpler to manage.
"The real problem with Git integrity is that people aren’t signing their commits," said Chris Coyne, co-founder of Keybase.io, in an email to The Register. "There's a chicken-and-egg problem: No one is signing, and no one is verifying. For important public repositories, everything should be signed. Everything should be verified."
The Keybase app now includes a "Git" tab that can create encrypted Git repositories. This ensures that every transaction get cryptographically signed.
"We don't really think of Keybase Git as a replacement for public projects," said Coyne. "Keybase's Git is for private repositories. Any kind of data that you would never want leaked. If you use Keybase Git, you'll never accidentally push a secret to the cloud. And it's signed, too, in a way that bypasses the chicken and egg problem. If you're using Keybase Git, the crypto is fully enforced." ®