Does GitHub use encryption at rest for all the repositories?

Wanted to know whether the repositories are encrypted at rest or not.

The privacy page https://help.github.com/en/articles/github-privacy-statement says “Transmission of data on GitHub is encrypted using SSH, HTTPS, and SSL/TLS. While our data is not encrypted at rest,…”

The following blog post https://github.blog/changelog/2019-05-23-git-data-encryption-at-rest/ says otherwise. Incidentally, both pages were updated on the same date.

1 Like

Thanks for being here! Source code stored on GitHub.com is encrypted at rest. There is a little more information in the following changelog entry:

https://github.blog/changelog/2019-05-23-git-data-encryption-at-rest/

Are backups of the repositories also encrypted?

Is the repository data that is backed up decrypted at any point along the way to being backed up?

In other words, is the path from repository to backup end-to-end encrypted?

1 Like

Is there any more information apart from that in github security guidelines that we can see?

1 Like

Hi there,

TBH with you, it doesn't say much… could you please elaborate more as to when and how the data is going to be encrypted?

BR

Alvaro V. 

1 Like

All products in the market need to provide application-level protection for their data before pushing it downstream. They also need to provide the capability to connect to an External Key Manager (preferably with KMIP) to be called mature in terms of security.

Unfortunately, GitHub is not providing that as of now and is delegating the responsibility to downstream disk-level protection, which is much less secure.

I strongly request and recommend that GitHub consider this a high-priority security requirement and enable the encryption and EKM capability.

Happy to assist as needed for this. 

1 Like

Agree with these comments. Almost all modern SSDs are “encrypted” so that they can be erased simply by erasing the key. It doesn’t mean that the device key management is being used and the data may well appear to be unencrypted to any device reader, regardless of its encryption status on flash.

“Encryption at rest in Google Cloud” (Google Cloud documentation) is a good primer on how Google does it, but of course there are many secure configurations. A KMS should be involved in encrypting all private repositories, and access to the KMS should be dependent on the credentials that the user presents and not stored on GitHub systems.

Github could build a lot of goodwill by similarly publishing their system for this.
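The two posts above (application-level encryption before data reaches downstream storage, and a KMS whose use depends on the caller's credentials) describe an envelope-encryption design. The following Go program is an added example written for this thread; it is not GitHub's implementation and not code from any project mentioned here. It assumes a hypothetical in-process `kms` type standing in for an external key manager: the key-encryption key (KEK) never leaves it, each repository gets its own data-encryption key (DEK), the DEK is wrapped by the KMS only for an authorised credential, and the repository name is bound into the AES-GCM associated data so a wrapped key cannot be replayed against another repository. The sample repository contents and credential strings are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// kms is a hypothetical stand-in for an external key manager (EKM/KMS).
// Callers never see the KEK; they only get wrap/unwrap, gated on a credential.
type kms struct {
	kek          []byte
	allowedCreds map[string]bool
}

func newKMS(allowed ...string) (*kms, error) {
	kek := make([]byte, 32) // AES-256 key-encryption key, generated inside the "KMS"
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	k := &kms{kek: kek, allowedCreds: map[string]bool{}}
	for _, c := range allowed {
		k.allowedCreds[c] = true
	}
	return k, nil
}

// aesGCMSeal returns nonce || ciphertext || tag under AES-256-GCM with aad bound in.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; any tampering with ciphertext or aad fails authentication.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Wrap encrypts a per-repository DEK under the KEK, bound to the repo name, for an authorised caller.
func (k *kms) Wrap(cred, repo string, dek []byte) ([]byte, error) {
	if !k.allowedCreds[cred] {
		return nil, errors.New("kms: credential not authorised")
	}
	return aesGCMSeal(k.kek, dek, []byte(repo))
}

// Unwrap recovers the DEK; it fails for an unauthorised credential or a mismatched repo name.
func (k *kms) Unwrap(cred, repo string, wrapped []byte) ([]byte, error) {
	if !k.allowedCreds[cred] {
		return nil, errors.New("kms: credential not authorised")
	}
	return aesGCMOpen(k.kek, wrapped, []byte(repo))
}

// EncryptedRepo is what reaches downstream disk or backup: ciphertext plus the wrapped DEK, never a plaintext key.
type EncryptedRepo struct {
	Repo       string
	WrappedDEK []byte
	Ciphertext []byte
}

func encryptRepo(k *kms, cred, repo string, data []byte) (*EncryptedRepo, error) {
	dek := make([]byte, 32) // fresh DEK per repository
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := aesGCMSeal(dek, data, []byte(repo))
	if err != nil {
		return nil, err
	}
	wrapped, err := k.Wrap(cred, repo, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedRepo{Repo: repo, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func decryptRepo(k *kms, cred string, er *EncryptedRepo) ([]byte, error) {
	dek, err := k.Unwrap(cred, er.Repo, er.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, er.Ciphertext, []byte(er.Repo))
}

func main() {
	k, _ := newKMS("alice-token") // constructed credential
	er, _ := encryptRepo(k, "alice-token", "org/private-repo", []byte("constructed sample repo object"))
	_, err := decryptRepo(k, "mallory-token", er) // constructed unauthorised credential
	fmt.Println("unauthorised unwrap rejected:", err != nil)
	plain, _ := decryptRepo(k, "alice-token", er)
	fmt.Println("authorised round trip:", string(plain))
}
```

The point the thread makes is visible in `EncryptedRepo`: what is written downstream is ciphertext plus a wrapped key, so a copy of the disk or backup alone is useless without a KMS that also accepts the caller's credential. Disk-level encryption, by contrast, hands plaintext to anything that can read the mounted volume.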