Security

MediaGit security model and best practices.

Authentication

Local: File system permissions
Server mode: JWT tokens + API key authentication
Cloud: IAM roles, service principals, API keys

Data Integrity

SHA-256 hashing for all objects
Cryptographic verification on read
mediagit verify for repository health

Encryption

At-rest (client-side): AES-256-GCM with Argon2id key derivation
At-rest (cloud): Cloud provider encryption (SSE-S3, Azure SSE)
In-transit: TLS 1.3 for network operations

Best Practices

Use IAM roles (avoid hardcoded keys)
Enable bucket versioning
Regular mediagit verify checks
Restrict branch protection rules
Audit logs for sensitive repositories

See Configuration Reference for security settings.