Private Repositories

By default, all data uploaded to Arweave is public. This is ideal for open-source projects, but not for proprietary or sensitive code.

Permagit solves this by providing robust, end-to-end encryption for your private repositories, using your Solana wallet as the root of your cryptographic identity.


How Wallet-Based Encryption Works

Permagit uses a "1:1 encryption key" system. This means that a unique, deterministic symmetric encryption key is derived directly from your Solana wallet's private key.

  1. Key Derivation: When you designate a repository as private, Permagit uses your private key (from your keypair file) to sign a static, predefined message. This signature, which only the holder of the private key can produce, is then used as the source entropy to derive a symmetric encryption key (e.g., an AES-256 key). Because the key comes from this signature, the signature itself must be kept as secret as the key.

  2. Local Encryption: Before any of your data leaves your machine, the permagit CLI bundles your Git objects (as described in Page 4) and then encrypts this entire bundle using the derived key.

  3. Encrypted Upload: Only the encrypted bundle is uploaded to Arweave via Irys.

The result is that your repository is permanently stored on Arweave, but its contents are unreadable ciphertext to everyone else. Only the person holding the specific Solana wallet that created the repository can derive the key needed to decrypt it.

Warning: This 1:1 key derivation is a double-edged sword. If you lose access to your Solana wallet's keypair file, you lose the ability to derive the encryption key. You will permanently lose access to your private code. There is no "forgot password" or recovery mechanism.
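
The three steps above, sketched with Node's built-in crypto module as an added example; this is not Permagit's own code. The message text, the HKDF step and its label, the choice of AES-256-GCM and the nonce | tag | ciphertext layout are assumptions, and throwaway Ed25519 keys stand in for the wallet keypair file.

```javascript
const crypto = require('node:crypto');

// Assumed values for illustration; the real static message is not given on this page.
const STATIC_MESSAGE = Buffer.from('example-private-repo-key-v1');
const HKDF_INFO = Buffer.from('example-bundle-aes-256-gcm');

// Ed25519 (the signature scheme Solana wallets use) is deterministic:
// the same key and message always produce the same 64-byte signature.
function deriveKey(privateKey) {
  const signature = crypto.sign(null, STATIC_MESSAGE, privateKey);
  // The signature is key material here: never log, store or transmit it.
  return Buffer.from(crypto.hkdfSync('sha256', signature, Buffer.alloc(0), HKDF_INFO, 32));
}

function encryptBundle(key, bundle) {
  const nonce = crypto.randomBytes(12); // fresh per upload; never reuse under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(bundle), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ciphertext]);
}

function decryptBundle(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the stored blob was modified.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Models a clone attempt: returns the plaintext bundle, or null on failure.
function tryClone(privateKey, blob) {
  try {
    return decryptBundle(deriveKey(privateKey), blob);
  } catch {
    return null;
  }
}

// Constructed demo data: two throwaway wallets and a stand-in bundle.
const owner = crypto.generateKeyPairSync('ed25519').privateKey;
const other = crypto.generateKeyPairSync('ed25519').privateKey;
const bundle = Buffer.from('constructed stand-in for a git bundle');
const blob = encryptBundle(deriveKey(owner), bundle);
console.log('owner wallet:', tryClone(owner, blob)?.toString());
console.log('other wallet:', tryClone(other, blob));
```

Because the key depends only on the wallet and the fixed message, nothing about it needs to be stored, which is also why losing the keypair file leaves no recovery path.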


Creating and Pushing a Private Repository

The process is nearly identical to pushing a public repo, with one key difference during initialization.

Step 1: Initialize as a Private Repo

When you first set up Permagit in your local Git repository, add the --private flag to the init command.

# In your project's root directory
permagit init --private

This command does two things:

  • Sets up the permagit remote (like before).

  • Adds an entry to your local .git/config file, flagging this repository for encryption on all future pushes.

If you have already initialized a repository, you can run permagit private on to switch it to private mode.

Step 2: Push as Usual

You do not need to add any special flags to your push command. The permagit CLI will automatically check the configuration, see the "private" flag, and handle the entire encryption process before uploading.

# Make your commits
git add .
git commit -m "My secret feature"

# Push to the permaweb
git push permagit main

The CLI will confirm that the upload is being encrypted:

Pushing to permagit (Arweave via Irys)...
Repository marked as private. Deriving encryption key from wallet...
Encrypting bundle...
Bundling 18 git objects...
Upload complete! (Encrypted)
Arweave Transaction ID: [Encrypted-Repo-TX-ID]
...

Cloning a Private Repository

Cloning a private repository is just as simple, provided you are logged in with the correct wallet (as shown in Page 3).

permagit clone [Encrypted-Repo-TX-ID]

The CLI will download the encrypted bundle from Arweave, automatically derive the same decryption key from your wallet, and decrypt the data locally, restoring your Git repository. If you try to clone a private repo without the correct wallet, the command will fail.
