Encrypt datafile when syncing via Git

[amurashkin17]

Describe the feature you'd like to request

An option to encrypt datafile when syncing via Git. While Git repository access from the Internet is usually protected (for example, by password), the repository can be accessed by the Git provider, as a result of misconfiguration, or just hacked.

Some bookmarks/tabs can be security sensitive, for instance, contain usernames/passwords/tokens in URLs. Also, just the list of bookmarks/tabs hints at what websites are actually used.

Describe the solution you'd like

The encryption shall work similarly to Google Drive and WebDAV.

• Allow to specify encryption passphrase.
• Encrypt the data before pushing.
• Decrypt the data after pulling.

Describe alternatives you've considered

The main consideration in my case is that Git keeps multiple versions, so we have the backups as a side effect.

Google Drive keeps previous versions for 30 days (at least in my case).

Floccus+WebDav+LoFloccus+Cryptomator+Something seems fragile (too many possible points of failure). It also does not help with backup problems.

Nextcloud does not support all possible bookmark types.

[github-actions]

Hello 👋

Thank you for taking the time to open this issue with floccus. I know it's frustrating when software
causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at
and if possible solved.
I'm Marcel and I created floccus and have been maintaining it ever since.
I currently work for Nextcloud which leaves me with less time for side projects like this one
than I used to have.
I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it.
Until then, please be patient.
Note also that GitHub is a place where people meet to make software better together. Nobody here is under any obligation
to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can
collaborate to make this software better. For everyone.
Thus, if you can, you could also have a look at other issues to see whether you can help other people with your knowledge
and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and
try to fix the odd bug yourself. Everyone will be thankful for extra helping hands!
One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the forum,
to twitter or somewhere else. But this is a technical issue tracker, so please make sure to
focus on the tech and keep your opinions to yourself.

I look forward to working with you on this issue
Cheers 💙

[marcelklehr]

Hi @amurashkin17
Thank you for your feedback! In my opinion, the grand advantage of git is tracking plain text files. Encrypting the bookmarks files before committing them to git would defeat the purpose of git a bit, in my opinion. It seems that you are trying to use git sync as a last resort in an attempt to replace Google Drive / WebDAV. Perhaps we can add a different backend to floccus that would be better suited?

[kainz]

Hi @amurashkin17 Thank you for your feedback! In my opinion, the grand advantage of git is tracking plain text files. Encrypting the bookmarks files before committing them to git would defeat the purpose of git a bit, in my opinion. It seems that you are trying to use git sync as a last resort in an attempt to replace Google Drive / WebDAV. Perhaps we can add a different backend to floccus that would be better suited?

While a different backend may be more closely suited, this use pattern is fairly common (if discouraged for other reasons sometimes) in repositories for which you want to maintain some (or all) encrypted data but still maintain versioning. You do lose out on space savings from delta compression, but version and diff tracking is still useful. See, for example, what git-crypt does (for files in a repo you want to crypt, you use .gitattributes to set a diff-filter and file filter for matching paths).

While your AES encryption implementation you use in the GoogleDrive and WebDAV adapters is simple compared to what say git-crypt does, there's really nothing stopping you from porting that over to the other adapters, is there? For my purposes, encryption inside a git backend is exactly the workflow I want. (and git-over-ssh preferably, but git over https is close enough. For 'transparency' you could even add .gitattributes in your repo management and ship a CLI filter that cli git users could use when dealing with a floccus-in-git repo, but that is probably less immediately useful for most people.