Subversion Security


#1

How secure are Subversion repositories? Are they a safe place to back up sensitive files? Will using RapidSVN be less secure in some way than using the command line?


#2

Subversion at DreamHost (and many other places) is just a special kind of HTTP traffic. Your repository data is transferred back and forth using the same methods that your website is. So the answer is no, it’s not particularly secure. I believe your password is sent to the server in plain text, similar to HTTP Basic Auth, and the file data is definitely not encrypted.

I would guess if you were to pay for a unique IP address for your Subversion hostname, and set up SSL for it, that would work to encrypt your connections. But your sensitive data is still sitting unencrypted on a shared server - probably not ideal. If you want to store your sensitive files, I would suggest you encrypt them before you upload them, and keep the decryption keys to yourself, elsewhere.

I don’t think any particular method of accessing your repository is more or less secure, until you implement SSL and need a client supporting that feature.
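Added example, not part of the thread: one way to follow the "encrypt before you upload" advice above, with a check that no plaintext is left in the working copy before `svn commit`. The function names are hypothetical, and it assumes OpenSSL 1.1.1 or later and a key file kept outside the working copy.

```shell
#!/bin/sh
# Added example: client-side encryption for files kept in a Subversion
# working copy. Assumes OpenSSL 1.1.1+ (for -pbkdf2/-iter) and a key file
# that is stored outside the working copy and never committed.

# encrypt_file PLAINTEXT KEYFILE
# Writes PLAINTEXT.enc, then removes the plaintext only if encryption succeeded.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$2" -in "$1" -out "$1.enc" || return 1
    rm -f -- "$1"
}

# decrypt_file CIPHERTEXT KEYFILE
# Prints the recovered plaintext on stdout; nothing is written to disk.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$2" -in "$1"
}

# list_plaintext DIR
# Prints every file under DIR (skipping .svn metadata) that does not begin
# with the "Salted__" header that `openssl enc -salt` writes. Empty output
# means everything that would be committed is encrypted.
list_plaintext() {
    find "$1" -name .svn -prune -o -type f -print | while IFS= read -r f; do
        [ "$(head -c 8 "$f" 2>/dev/null)" = "Salted__" ] || printf '%s\n' "$f"
    done
}
```

Subversion keeps every revision, so a file that was ever committed in plaintext stays readable in the repository history even after it is replaced by its encrypted form. `openssl enc` provides confidentiality only; it does not detect tampering with the ciphertext.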


#3

Alternately, you should be able to use svn+ssh instead of http, which should take care of the data transfer part.


If you want useful replies, ask smart questions.