Encryption

dotgit allows you to encrypt files that you don’t want to be stored in plaintext in your repo. This is achieved by encrypting the files with GnuPG with its default symmetric encryption (AES256 on my machine at the time of writing) before storing them in your repo. You can specify that a file should be encrypted by appending |encrypt to the filename in your filelist, for example:

.ssh/config|encrypt

When using encryption you need to take note of the following:

  • Encrypted files are not directly linked to your dotfiles repository. This means you need to run dotgit update whenever you want to save changes you made to the files in your repo.
  • Your encryption password is securely hashed and stored in your repository. While this hash is secure in theory (for implementation details see below) it’s probably not a good idea to just leave this lying around in a public repo somewhere.

For those interested, the password is hashed using Python’s hashlib library using

  • PKCS#5 function 2 key-derivation algorithm
  • 32-bits of salt
  • 100000 iterations of the SHA256 hash

When you add an encrypted dotfile to your repo for the first time dotgit will ask you for a new encryption password. Thereafter, whenever you want to update or restore an encrypted file you will need to provide the same encryption password. You can change your encryption password by running the passwd command.