DocsICP FilingConsole
官方文档
首页

Repository encryption

更新时间:
复制 MD 格式
产品详情
我的收藏

This topic describes the code storage encryption feature of Apsara DevOps.

Note

This feature is available only in the Premium Edition. For more information about different editions, see Editions.

How repository encryption works

Organization administrators may worry about hosting code in the cloud. They might ask: Can our code be leaked or viewed by unauthorized parties?

Apsara DevOps Codeup is reinforced with multiple layers of security from Alibaba Cloud Security products. Codeup supports server-side encryption (SSE) for uploaded data. The encryption process is transparent and does not affect daily use.

When you upload data, Apsara DevOps Codeup encrypts it before storing it. When you download data, Codeup automatically decrypts it and returns it in a readable format. Apsara DevOps Codeup provides data-at-rest protection, which is ideal for scenarios that require high security or compliance for code storage.

Types of repository encryption

  • Encryption with Alibaba Cloud Key Management Service (KMS).

  • Encryption with Apsara DevOps self-managed keys.

Encryption with Alibaba Cloud Key Management Service (KMS)

Note

You can use Key Management Service (KMS) for data encryption and decryption. KMS provides 20,000 free calls per month. You may be charged for calls that exceed this limit. For more information, see KMS 1.0 billing.

KMS manages the customer master key (CMK), which is used to encrypt data keys, and generates data encryption keys. Codeup uses KMS envelope encryption to encrypt and decrypt data locally. After you grant authorization, KMS creates a service key and uses the AES-256 algorithm to encrypt Git repositories.

The encryption and decryption process requires you to authorize key access. If you revoke permission for Apsara DevOps Codeup to access the key, the code stored on the server remains encrypted. No one, including platform O&M engineers, can decrypt it. You can restore access by granting the permission again.

Currently, the encryption service only supports service keys that Apsara DevOps Codeup automatically creates for your KMS instance. You cannot use keys that you create or upload yourself.

The following diagram shows the logic of SSE-Codeup server-side encryption:

1

  • When encryption occurs

    2

  • Encryption method: Codeup currently supports only the Advanced Encryption Standard (AES).

  • Encryption mode: The CTR mode is used to encrypt data content.

  • Key: A 256-bit key generated by KMS is used.

  • Other details:

    • Codeup supports a temporary cache to reduce KMS calls.

    • Service keys automatically generated by KMS cannot be deleted or disabled. However, you can disable Codeup calls by modifying the key's tags. Note: If Codeup cannot access the key, encrypted repositories cannot be decrypted, and their content becomes inaccessible. To restore functionality, update the KMS tag to allow Codeup to access the key again. For instructions, see KMS key management.

Encryption with Apsara DevOps self-managed keys

If you do not want to use KMS for encryption, Apsara DevOps Codeup supports encryption with self-managed keys. When you enable encryption for a repository, Apsara DevOps automatically generates a key and uses it for encryption. This ensures that your data is stored in an encrypted format on the server.

Instructions

Step 1. Choose an encryption method

  1. Log on to Codeup as an organization administrator. In the lower-left corner of the home page, click Global Settings.

    高的 - 2024-12-06T094745

  2. In the menu bar, select Repository Encryption.

    高的 - 2024-12-06T094926

Step 2. Configure encryption rules

Use Alibaba Cloud Key Management Service (KMS) for encryption

Note

To use KMS encryption, you must activate and authorize the KMS service. We recommend using a shared organization account for authorization to avoid key replacement issues caused by frequent changes in the authorizer's account.

  1. Using your logged-on Alibaba Cloud account, click Authorize Service:

    高的 - 2024-12-06T095337

  2. Confirm the resource access authorization:

    3-16

  3. After authorization is complete, the interface appears as follows:

    高的 - 2024-12-06T100336

Page description:

  • Go to KMS: Go to the KMS console to view the key.

  • Revoke Authorization: You can revoke authorization only if no keys are in use. If a repository is encrypted with the key, you must decrypt the repository before you can revoke the KMS authorization.

  • Allow viewing KMS service status: Ensure that the service is running normally. If the KMS service is unavailable due to an overdue payment, decryption will fail.

  • Default encryption for new repositories: If you select this option, encryption is automatically enabled for new repositories.

  • Allow repository administrators to modify encryption settings: If you select this option, repository administrators can enable or disable encryption for their repositories.

  • Encryption key: When you enable encryption for the first repository, Codeup automatically creates a service key in the authorizer's KMS instance. This key is managed as the master key. You cannot manually delete or disable the key, but you can disable Codeup's access to KMS by modifying the tags of the KMS service key.

  • Affected repositories: The number and list of repositories currently encrypted with the service key.

Use Apsara DevOps self-managed keys for encryption

After you make your selection, the interface appears as follows:

高的 - 2024-12-06T100543

Page description:

  • Default encryption for new repositories: If you select this option, encryption is automatically enabled for new repositories.

  • Allow repository administrators to modify encryption settings: If you select this option, repository administrators can enable or disable encryption for their repositories.

  • Encryption key: When you enable encryption for the first repository, Codeup automatically creates a key for the organization. This key is managed as the master key. You cannot manually delete or disable the key.

  • Affected repositories: The number and list of repositories currently encrypted with the service key.

Step 3. Enable repository encryption

Enable encryption for an existing repository

As a user with organization administrator permissions, go to the settings page of the repository you want to encrypt. Find the Repository Encryption switch and turn it on:

3-16

Return to the Global Settings > Repository Encryption page. An encryption key has been automatically generated and applied to one repository. You can view the list of repositories. At this point, you cannot switch the encryption type because a repository is using the key:

高的 - 2024-12-06T101005

Enable encryption for a new repository

When you create a new repository, you can select the checkbox to enable repository encryption:

What to do next

Disable repository encryption

In the settings page of an encrypted repository, an administrator can turn off the encryption switch:

3-16

Note: Decryption takes time. Do not disable the KMS key during this process. Otherwise, the repository data cannot be decrypted and will be unreadable. After decryption is complete, you can revoke the KMS authorization.

高的 - 2024-12-06T101309

Switch encryption types

Before you switch encryption types, all repositories must be decrypted. You can switch the encryption method when the number of affected repositories is zero.

高的 - 2024-12-06T101418

KMS key management

In the Alibaba Cloud KMS console, you can view and modify the service key created by Codeup. This key cannot be deleted or disabled. However, you can temporarily disable Codeup's access to KMS by modifying the tags of the KMS service key:

3-16

Click More > Key Details. In the Tags section, you can see a tag key created by Codeup: acs:rdc:git-encryption:

3-16 2

If you delete this tag key directly from the KMS console, Codeup can no longer access the key. Encrypted repositories will become inaccessible because they cannot be decrypted.

12

If this happens, manually add the following tag to the key:

  • Tag key: acs:rdc:git-encryption.

  • Tag value: true.

If you only need to temporarily disable Codeup access, you can manually change the tag value to false. After access is disabled, no key call fees will be incurred:

3-16

Notes

  • Enabling code encryption incurs KMS service fees. If your account has an overdue payment, your repositories will become inaccessible. Access is restored after the payment is made.

  • Code encryption increases computing overhead, which may slow down page access. We do not recommend enabling it for repositories larger than 1 GB.

FAQ

Q: Can I still use common Git clients after enabling code encryption?

A: Yes, you can.

Q: Can I disable repository encryption after enabling it?

A: Yes. An administrator with decryption permissions can manually turn off the encryption switch in the repository settings.

Q: Why is the code in a downloaded repository in plaintext even after encryption is enabled?

A: The server-side encryption is transparent. Data is automatically decrypted before you download it, so the downloaded data is in plaintext. Server-side code encryption is mainly designed to prevent the following issues:

  • Malicious users who steal a storage device and try to access repository files directly will only get encrypted data, which cannot be decrypted without the key.

  • The code content on the server is unreadable to platform O&M engineers.

Learn the principles

For more information, see How does code repository encryption work?

Previous:Prevent commit forgery with GPG signaturesNext:Use SASE to prevent Apsara Devops code leaks