Unencrypted data left behind after credentials are flushed about transcrypt HOT 8 CLOSED

@jmurty - I've tried this out, and it seems solid to me. 👍

I think the garbage collection is better than repack using -a. I think -a would result in a single pack, which isn't ideal for transferring data efficiently, so this seems to be the best way.

from transcrypt.

Hi @TheLocehiliosan thanks for the report and reproduction steps. I confirmed the issue, and found that it also occurs when you uninstall transcrypt which also removes the creds and shouldn't leave behind (non-obvious) plaintext data.

I have applied a fix in the branch 74-clear-cached-plaintext-when-creds-flushed, could you confirm that running transcrypt -f with the transcrypt script from that branch removes the unencrypted data?

The fix was relatively simple, though it does require a git prune to properly remove the plaintext objects which may not be safe to do without warning the user:

from transcrypt.

@jmurty - This is pretty close, but I think depending on how long the transcrypt credentials have been present, it is still possible for encrypted data to be present. git prune doesn't effect unreachable objects which have already been packed. I verified this by adjusting my reproduction steps like so:

1. Clone transcrypt-enabled repo

2. Run transcrypt with valid credentials

3. Run git log -p (displaying all change sets, included encrypted ones)

4. Run git repack (forcing all objects into packs)

5. Run transcrypt -f (flushing the credentials)

6. Run

for obj in \
  $(git rev-list --objects --no-walk \
  $(git fsck --unreachable | \
  grep '^unreachable commit' | \
  cut -d' ' -f3) | \
  cut -d' ' -f1); \
do git --no-pager show $obj; done

This shows the content of unreachable objects in the repo.

My guess is it might be necessary to repack after the pruning (I don't think repack will ever include unreachable objects when repacking).

from transcrypt.

I did a few more tests myself. Seems like repacking might not be good enough. I was able to purge all the unreferenced objects via git gc --prune=now. But I'm not sure if there's a better way.

from transcrypt.

Thanks @TheLocehiliosan for the follow-up testing, and for catching my overlooking of packed objects.

I improved the tests to exercise the packed plaintext objects situation, and experimented with different ways to clear these out but the git gc --prune=now --quiet command seems like the best option.

The alternative is to run git prune then git repack -ad which doesn't seem like much less work, and might still leave objects hiding in current or future nooks and crannies of Git's objects DB. Since I don't understand the intricacies of Git's object storage well enough to be confident, I think it is safer to run the cleanup command that is intended to be the cleanup command.

from transcrypt.

Thank you @TheLocehiliosan for the report and ongoing testing...you're right that the caching was added to increase performance, especially when scrolling through history (via 5795360). One of the classic hard things in computer science :-)

from transcrypt.

The fix is now merged to the master branch, thanks very much for the report @TheLocehiliosan

from transcrypt.

Thanks for the effort on this issue!

from transcrypt.