Encryption Commands

Encrypt repository data at rest using industry-standard AES-256-GCM. Protects sensitive content while maintaining deduplication benefits through convergent encryption.

Command          Description                        Usage
encrypt-init     Initialize repository encryption   dits encrypt-init [OPTIONS]
encrypt-status   Show encryption status             dits encrypt-status
login            Login to unlock encryption keys    dits login [OPTIONS]
logout           Logout and clear cached keys       dits logout [OPTIONS]
change-password  Change encryption password         dits change-password

dits encrypt-init

Initialize encryption for a repository. Creates encryption keys and configures the repository to encrypt all data.

Synopsis

dits encrypt-init [OPTIONS]

Options

--key-file <PATH>   Use existing key file
--password          Use password-based encryption
--hardware-key      Use hardware security key (YubiKey, etc.)
--algorithm <ALG>   Encryption algorithm (default: aes-256-gcm)
--kdf <KDF>         Key derivation function (default: argon2id)
-v, --verbose       Show detailed setup

Examples

# Initialize with password
$ dits encrypt-init --password

Initializing repository encryption...

Enter encryption password: ********
Confirm password: ********

Encryption Configuration:
  Algorithm:    AES-256-GCM
  KDF:          Argon2id (memory: 256MB, iterations: 3)
  Key Storage:  Password-protected

Generating master key... done
Encrypting existing objects... 100% ████████████████████

Encryption initialized successfully!

⚠ IMPORTANT: If you lose your password, your data cannot be recovered.
   Consider backing up your key file at: .dits/keys/master.key

# Initialize with key file
$ dits encrypt-init --key-file ~/secrets/project.key

Using key file: ~/secrets/project.key
Encryption initialized.

# Initialize with hardware key
$ dits encrypt-init --hardware-key

Waiting for hardware key...
Touch your YubiKey...
Hardware key detected: YubiKey 5 NFC

Encryption initialized with hardware key protection.

dits encrypt-status

Show the encryption status of the repository, including algorithm, key configuration, and encrypted object statistics.

Synopsis

dits encrypt-status [OPTIONS]

Options

--json              Output as JSON
-v, --verbose       Show detailed information

Examples

$ dits encrypt-status

Encryption Status: ENABLED

Configuration:
  Algorithm:        AES-256-GCM
  Key Derivation:   Argon2id
  Key Protection:   Password
  Initialized:      2025-01-15 14:30:00

Keys:
  Master Key:       Active (password-protected)
  Key Rotation:     Never rotated
  Recovery Key:     Configured

Session:
  Logged in:        Yes
  Session expires:  8 hours
  Key cached:       Yes (in memory)

Encrypted Objects:
  Chunks:           45,892 (100%)
  Assets:           156 (100%)
  Commits:          Metadata only

Storage:
  Encrypted size:   234.5 GB
  Overhead:         ~0.1% (for encryption metadata)

# When not logged in
$ dits encrypt-status

Encryption Status: ENABLED (LOCKED)

You are not logged in.
Run 'dits login' to unlock the repository.

dits login

Unlock the repository encryption keys. Required before reading or writing encrypted data.

Synopsis

dits login [OPTIONS]

Options

--key-file <PATH>   Use key file instead of password
--ttl <DURATION>    Session duration (default: 8h)
--no-cache          Don't cache credentials
-v, --verbose       Show detailed login info

Examples

# Login with password
$ dits login

Repository is encrypted.
Enter password: ********

Unlocking repository... done

Logged in successfully.
Session expires: 8 hours
Key cached in memory.

# Login with key file
$ dits login --key-file ~/secrets/project.key

Unlocking with key file... done
Logged in successfully.

# Login with extended session
$ dits login --ttl 24h

Enter password: ********
Session expires: 24 hours

# Login with hardware key
$ dits login

Hardware key detected.
Touch your YubiKey...
Logged in successfully.

dits logout

Clear cached encryption keys and end the session. Recommended when leaving your workstation or sharing access.

Synopsis

dits logout [OPTIONS]

Options

--all               Logout from all repositories
-f, --force         Force logout (don't prompt)

Examples

# Logout from current repository
$ dits logout

Clearing cached keys... done
Logged out successfully.

The repository is now locked.
Run 'dits login' to unlock.

# Logout from all repositories
$ dits logout --all

Logging out from 3 repositories...
  /path/to/project1... done
  /path/to/project2... done
  /path/to/project3... done

All sessions ended.

dits change-password

Change the encryption password. The underlying encryption key remains the same; only the password protecting it changes.

Synopsis

dits change-password [OPTIONS]

Options

--verify-old        Require old password verification
-v, --verbose       Show detailed information

Examples

$ dits change-password

Changing encryption password...

Enter current password: ********
Enter new password: ********
Confirm new password: ********

Validating current password... done
Updating key protection... done

Password changed successfully.

Note: This does not re-encrypt existing data.
The underlying encryption key remains the same.

How Encryption Works

Encryption Architecture:

                    ┌─────────────────┐
                    │   Your Files    │
                    └────────┬────────┘
                             │
                    ┌────────▼────────┐
                    │    Chunking     │
                    └────────┬────────┘
                             │
           ┌─────────────────┼─────────────────┐
           │                 │                 │
    ┌──────▼──────┐   ┌──────▼──────┐   ┌──────▼──────┐
    │   Chunk 1   │   │   Chunk 2   │   │   Chunk N   │
    └──────┬──────┘   └──────┬──────┘   └──────┬──────┘
           │                 │                 │
    ┌──────▼──────┐   ┌──────▼──────┐   ┌──────▼──────┐
    │  Encrypt    │   │  Encrypt    │   │  Encrypt    │
    │ AES-256-GCM │   │ AES-256-GCM │   │ AES-256-GCM │
    └──────┬──────┘   └──────┬──────┘   └──────┬──────┘
           │                 │                 │
           └─────────────────┼─────────────────┘
                             │
                    ┌────────▼────────┐
                    │  Encrypted      │
                    │  Storage        │
                    │  (.dits/objects)│
                    └─────────────────┘

Key Hierarchy:
  Master Key (protected by password/hardware key)
    └── Repository Key (encrypted by master)
          └── Per-chunk keys (derived from content + repo key)

Convergent Encryption

Dits uses convergent encryption to maintain deduplication benefits. Identical chunks encrypt to identical ciphertext, allowing deduplication to work on encrypted data.

# Same content = same encrypted chunk

chunk_key = HKDF(repo_key, content_hash)
ciphertext = AES-256-GCM(chunk_key, content)

Benefits:
  ✓ Deduplication still works
  ✓ Same storage efficiency as unencrypted
  ✓ No information leakage about content

Trade-offs:
  ⚠ Identical files across repos can be detected
  ⚠ Per-repo salt prevents cross-repo dedup
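
The convergent scheme above, worked through as an added Go example (not the dits project's own code): chunk_key = HKDF(repo_key, content_hash), then AES-256-GCM over the chunk. It assumes a 32-byte repository key, an HKDF info label "dits-chunk" and an all-zero nonce (safe only because each chunk key is tied to one content hash); the constructed keys show that identical content deduplicates within a repository but not across repositories, and that a wrong repo key or a modified chunk fails the GCM tag check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// hkdf32 is RFC 5869 HKDF-SHA256 (extract, then one expand block), 32-byte output, stdlib only.
func hkdf32(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // the PRK keys the expand step
	exp.Write(info)
	exp.Write([]byte{0x01})
	return exp.Sum(nil)
}

// chunkCipher: AES-256-GCM under chunk_key = HKDF(repo_key, content_hash).
// The "dits-chunk" info label is an assumption, not a value from the dits docs.
func chunkCipher(repoKey, contentHash []byte) cipher.AEAD {
	key := hkdf32(repoKey, contentHash, []byte("dits-chunk"))
	block, _ := aes.NewCipher(key)  // cannot fail: hkdf32 always returns a 32-byte (AES-256) key
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block size GCM needs
	return aead
}

// encryptChunk returns (content_hash, ciphertext). The all-zero nonce is deliberate: chunk_key is
// bound to one (repo key, content) pair, so no key/nonce pair is reused with different plaintext,
// and identical content gives identical ciphertext, which is what lets dedup run over ciphertext.
func encryptChunk(repoKey, content []byte) (contentHash, ct []byte) {
	h := sha256.Sum256(content)
	aead := chunkCipher(repoKey, h[:])
	return h[:], aead.Seal(nil, make([]byte, aead.NonceSize()), content, nil)
}

func decryptChunk(repoKey, contentHash, ct []byte) ([]byte, error) { // wrong key or tampering: error
	aead := chunkCipher(repoKey, contentHash)
	return aead.Open(nil, make([]byte, aead.NonceSize()), ct, nil)
}

func main() {
	repoA, repoB := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32) // constructed keys
	chunk := []byte("identical chunk content")
	_, ctA1 := encryptChunk(repoA, chunk)
	_, ctA2 := encryptChunk(repoA, chunk)
	_, ctB := encryptChunk(repoB, chunk)
	fmt.Println("same-repo dedup:", bytes.Equal(ctA1, ctA2), "cross-repo dedup:", bytes.Equal(ctA1, ctB))
}
```

Running it prints `same-repo dedup: true cross-repo dedup: false`, which is the deduplication benefit and the per-repo trade-off listed above in one line.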

Security Recommendations

  • Use strong passwords: At least 16 characters with mixed case, numbers, symbols
  • Back up your keys: Store recovery key in a secure, separate location
  • Use hardware keys: For maximum security, use YubiKey or similar
  • Logout when away: Clear cached keys when leaving your workstation
  • Rotate keys periodically: Consider key rotation for long-lived repositories
