claude-code-sync/claude-enable-encryption at master · porkchop/claude-code-sync · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
#!/bin/bash
# Enable encryption for Claude Code conversations using git-crypt

set -e

# Save original directory
ORIGINAL_DIR="$(pwd)"

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Load library for version function
source "$SCRIPT_DIR/lib-claude-sync.sh"

# Handle --version flag
if [ "$1" = "--version" ] || [ "$1" = "-v" ]; then
    show_version "$SCRIPT_DIR" "claude-enable-encryption"
    exit 0
fi

KEY_PATH="$HOME/.claude-git-crypt.key"

echo "=== Claude Code Conversation Encryption Setup ==="
echo ""
echo "This will enable transparent encryption for your synced conversations."
echo "Files will be encrypted on the remote, decrypted automatically on your machines."
echo ""

# Check if git-crypt is installed
if ! command -v git-crypt &> /dev/null; then
    echo "Error: git-crypt is not installed."
    echo ""
    echo "Install it with:"
    echo "  sudo apt install git-crypt     (Ubuntu/Debian)"
    echo "  sudo dnf install git-crypt     (Fedora)"
    echo "  brew install git-crypt         (macOS)"
    echo ""
    cd "$ORIGINAL_DIR"
    exit 1
fi

REPO_DIR="$SCRIPT_DIR/conversations"

# Check if conversations repo exists
if [ ! -d "$REPO_DIR/.git" ]; then
    echo "Error: Conversations repository not initialized."
    echo "Run 'claude-sync-init' first to initialize the repository."
    cd "$ORIGINAL_DIR"
    exit 1
fi

cd "$REPO_DIR"

# Check if git-crypt is already initialized
if [ -d ".git/git-crypt" ]; then
    echo "Git-crypt is already initialized for this repository."
    echo ""

    # Check if we're currently unlocked
    if git-crypt status &>/dev/null; then
        echo "Status: Repository is unlocked (encryption active)"
    else
        echo "Status: Repository is locked (need to unlock)"
        echo ""
        echo "To unlock on this machine:"
        echo "  git-crypt unlock $KEY_PATH"
    fi

    cd "$ORIGINAL_DIR"
    exit 0
fi

# Warn about existing conversations
if [ "$(find . -type f -name '*.jsonl' | wc -l)" -gt 0 ]; then
    echo "WARNING: You have existing unencrypted conversations."
    echo ""
    echo "After enabling encryption:"
    echo "  1. Existing files will be encrypted on next commit"
    echo "  2. Old commits in git history will still be unencrypted"
    echo "  3. Consider creating a fresh repository if you want full encryption"
    echo ""
    read -p "Continue anyway? (yes/no): " CONFIRM
    if [ "$CONFIRM" != "yes" ]; then
        echo "Encryption setup cancelled."
        cd "$ORIGINAL_DIR"
        exit 0
    fi
fi

echo ""
echo "Initializing git-crypt..."
git-crypt init

echo "Configuring encryption for conversation files..."
cat > .gitattributes <<EOF
# Encrypt all conversation data
* filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
.gitignore !filter !diff
EOF

git add .gitattributes

echo ""
echo "Exporting encryption key to: $KEY_PATH"
git-crypt export-key "$KEY_PATH"
chmod 600 "$KEY_PATH"

echo ""
echo "Committing git-crypt configuration..."
git commit -m "Enable git-crypt encryption for conversations"

echo ""
echo "=== Encryption Enabled Successfully! ==="
echo ""
echo "Your encryption key has been saved to: $KEY_PATH"
echo ""

# Create base64 encoded version for easy KeePass storage
KEY_BASE64="$KEY_PATH.base64"
base64 "$KEY_PATH" > "$KEY_BASE64"

echo "IMPORTANT - Back up your encryption key to KeePass NOW!"
echo ""
echo "Option 1: Store as KeePass attachment (recommended)"
echo "  1. Open KeePass and create a new entry: 'Claude Code Git-Crypt Key'"
echo "  2. Add attachment: $KEY_PATH"
echo "  3. Save the entry"
echo ""
echo "Option 2: Store as text in KeePass notes"
echo "  1. Open KeePass and create a new entry: 'Claude Code Git-Crypt Key'"
echo "  2. Copy the base64 key below and paste into Notes field:"
echo ""
echo "--- BEGIN BASE64 KEY (copy everything between the lines) ---"
cat "$KEY_BASE64"
echo "--- END BASE64 KEY ---"
echo ""
echo "To restore from base64 later, run:"
echo "  echo '<paste-key-here>' | base64 -d > ~/.claude-git-crypt.key"
echo ""
echo "WARNING: Without this key, you CANNOT decrypt your conversations!"
echo "         Make sure it's saved in KeePass before proceeding."
echo ""
read -p "Have you saved the key to KeePass? (yes/no): " SAVED

if [ "$SAVED" != "yes" ]; then
    echo ""
    echo "Please save the key to KeePass before continuing."
    echo "The base64 key is also saved at: $KEY_BASE64"
    echo ""
fi

echo ""
echo "Next steps:"
echo "  1. Run 'claude-sync-push' to sync the encrypted configuration"
echo "  2. On other machines, retrieve key from KeePass and save to ~/.claude-git-crypt.key"
echo "  3. Run 'git-crypt unlock ~/.claude-git-crypt.key' on each machine"
echo ""

cd "$ORIGINAL_DIR"