Re: [Monotone-devel] netsync transport encryption?

[Jeronimo Pellegrini]

> As for encrypting the database, protecting the hosts, etc....  
> truthfully, I'm not too worried about that from Monotone's  
> standpoint.  I mean, is it Monotone's fault if someone loses their  
> laptop, or if someone puts some malware onto a computer that acts as  
> a keylogger?

If you can label computers as "trusted" and "posibly hostile", then
you can encrypt the database -- and never checkout or have the
clear version on the hostile hosts. You would only decrypt it in trusted
hosts where you'd keep your workspace. A solution based on
communication encryption works also, but then you would have
all hosts as "possibly hostile". It depends on your needs.

My point is that if you encrypt the database, encrypting the channel
is not necessary (because the diffs are sent encrypted already), and
you can use plain netsync.

(And of course -- laptops should have encrypted filesystems
whenever anything secret is stored on them, including the checkout
of a Monotone database, but this is not the point here).

> As long as the communications are all solid (which IS
> within Monotone's bailiwick), then I'd say Monotone has done all that  
> it should do. 

Maybe Monotone wouldn't even need to implement communication encryption
if you could encrypt the database and then send encrypted deltas over
the network.
An encrypted database would allow you to keep the database (but no
checkout) in a hostile server that a group of users can use.
(Like some cheap virtual host). Encrypted communication wouldn't
help in that case.

J.