this post was submitted on 14 Oct 2025
9 points (90.9% liked)


Wouldn’t it make sense for Forgejo to encrypt private repositories so users could safely include sensitive data like logs, histories, or even login configs?

For example, I currently exclude things like my Zsh history in .gitignore in my dotfiles repo. If private repos were encrypted, I could just commit everything and sync my full setup between machines without relying on Syncthing or other tools.

Is there any plan or reason why Forgejo doesn’t encrypt private repos this way?

top 6 comments
[–] jbloggs777@discuss.tchncs.de 19 points 1 day ago (1 children)

No? It doesn't seem to be a use case they target.

If you want to use git to store sensitive data, you should encrypt it before committing / pushing it.

[–] Davy_Jones@lemmy.dbzer0.com 5 points 1 day ago* (last edited 1 day ago) (2 children)

> No? It doesn’t seem to be a use case they target.

The problem is that making a repository private makes users think their data can't be seen so they may upload that kind of information.

> If you want to use git to store sensitive data, you should encrypt it before committing / pushing it.

I'll look into that.

[–] illusionist@lemmy.zip 7 points 1 day ago* (last edited 1 day ago)

Usually you don't accidentally open a git repo and set up an SSH key and push your own credentials to a foreign repo. Usually that involves reading a manual. If those tutorials don't cover keys, then the tutorials need to be improved, imo.

[–] TomAwezome@lemmy.world 3 points 1 day ago

Generally if you want to combine full encryption with version control, your best bet would be instead to not use something like Forgejo, and instead do something like init a local git repo, commit like usual, then set up scripting that will tar.gz archive the entire repo, PGP encrypt the archive, and then upload that to a cloud provider's file storage. That way, it's got privacy (the archive is encrypted), it's got version control (once decrypted and decompressed it goes back to being a folder with a git repo in it), and it's backed up (via cloud file storage provider).
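
The archive-then-encrypt workflow described in the comment above, as an added example that is not part of the thread. The function names, arguments and the `example.invalid` recipient are illustrative assumptions, and the upload step is left to whichever storage client you use.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes git, tar and GnuPG are installed
# and the recipient's public key is in the keyring and trusted.
# Function names and arguments are illustrative.

# backup_repo REPO_DIR OUT_FILE RECIPIENT
# Writes OUT_FILE: an OpenPGP-encrypted .tar.gz of REPO_DIR, .git included.
backup_repo() {
    repo=$1; out=$2; recipient=$3
    # Only archive real git repositories, so history travels with the files.
    [ -e "$repo/.git" ] && git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 || {
        echo "backup_repo: not a git repository: $repo" >&2; return 1; }
    work=$(mktemp -d) || return 1      # private (0700) scratch directory
    status=0
    tar -C "$repo" -czf "$work/repo.tar.gz" . &&
    gpg --batch --yes --quiet --encrypt --recipient "$recipient" \
        --output "$work/repo.tar.gz.gpg" "$work/repo.tar.gz" &&
    mv "$work/repo.tar.gz.gpg" "$out" || status=1
    rm -rf "$work"                     # drop the plaintext archive either way
    return "$status"
}

# restore_repo ENC_FILE DEST_DIR
# Decrypts with the matching private key and unpacks into a new DEST_DIR.
restore_repo() {
    enc=$1; dest=$2
    [ -f "$enc" ] || { echo "restore_repo: no such file: $enc" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "restore_repo: $dest already exists" >&2; return 1; }
    work=$(mktemp -d) || return 1
    status=0
    # Decrypt to a file first so a gpg failure (wrong key, modified data) is
    # caught before anything is unpacked; git fsck then checks the object store.
    gpg --batch --quiet --output "$work/repo.tar.gz" --decrypt "$enc" &&
    mkdir -p "$dest" && tar -C "$dest" -xzf "$work/repo.tar.gz" &&
    git -C "$dest" fsck --no-progress >/dev/null 2>&1 || status=1
    rm -rf "$work"
    return "$status"
}

# Typical use (the upload client is whatever your storage provider offers):
#   backup_repo ~/dotfiles ~/dotfiles.tar.gz.gpg you@example.invalid
#   ...upload ~/dotfiles.tar.gz.gpg; only ciphertext leaves the machine...
#   restore_repo ~/dotfiles.tar.gz.gpg ~/dotfiles-restored
```

Because gpg runs with `--batch` and no trust override, encryption fails if the recipient key is missing or untrusted, so a bad key never silently produces an unusable backup.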

[–] fruitycoder@sh.itjust.works 6 points 1 day ago

I use SOPS for this.

https://devops.datenkollektiv.de/using-sops-with-age-and-git-like-a-pro.html

Set filters in git so certain files are added encrypted.

You can also do multi-key setups if you have a shared secret (like lab space creds) or want to share some secrets with CI/CD tools.

[–] OatPotato@hexbear.net 4 points 1 day ago

Maybe you would be interested in git-crypt: https://github.com/AGWA/git-crypt

(The source code is on GitHub but it's a generic Git tool)