Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Share encrypted file #149

Open
markg85 opened this issue Dec 23, 2022 · 5 comments
Open

Share encrypted file #149

markg85 opened this issue Dec 23, 2022 · 5 comments

Comments

@markg85
Copy link

markg85 commented Dec 23, 2022

Hi,

As i understand the design, each file is encrypted with it's own key (derived from the master key).

Would it be possible in this mechanism to create a "share" function?

In public/private cryptography this would be as "simple" as encrypting that file's encryption key with someone else's public key.
That someone else then would place the encrypted file in it's own "securefs" folder. As the file would be encrypted against the "target public key", that folder - who can access the private key - should then be able to read the data from the shared file.

Now this share function is much described as how i know public=private key cryptography. It's not a thing in securefs a far as i know. But still, would it be possible to create a sort of share function with the cryptography it uses already?

Best regards,
Mark
@netheril96
Copy link
Owner

How do you plan the UX for this?

@markg85
Copy link
Author

markg85 commented Dec 24, 2022

For this to make sense, some terminology first.
Say the "host" is the one having data to share.
Say the "op" (other party) is the receiving end of a share.
Say both "host" and "op" have a public/private keypair and both have their instance of securefs.

If the host wants to share a file (let's call it "cats.gif") it does this:
securefs share <file> <op public key>

Or more verbose:
securefs share cats.gif ~/.ssh/op.pub

This action should give "something" as data that the client needs to receive. So the "share" method in securefs is going to return a "data" blob.
Here you can go 2 routes:

  1. The data blob is merely some metadata like publickeys of both parties, sign, and the encrypted filename as blob.
  2. The data can be the file + additional metadata.

I'm picking option 2 for this example because it's easier transfer wise.

On the op side you'd do:
`securefs import

The op can decrypt it because the host encrypted it with the ops public key.

op now has a file called cats.gif and can view/use it however op wants.

Ideally cats.gif is never re-encrypted in this share mechanism. That would be possible if cats.gif is encrypted with it's own (but derived) AES key.

@netheril96
Copy link
Owner

You can do the same thing with gpg already. The only benefit of securefs in that scenario is to avoid re-encryption. But that is a very minor benefit given how fast encryption is, so I fail to see the appeal.

@markg85
Copy link
Author

markg85 commented Dec 25, 2022

That is spread over multiple tools with quite a steep learning curve (gpg) to even consider using it.
Having it mostly all in one tool would make it much easier to use. The only part not in securefs would be the transferring from host to op or vise verse.

@netheril96
Copy link
Owner

The learning curve of GPG comes with the concept and the management of public/private key pairs. Moving that functionality to securefs does not lower the bar at all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@markg85 @netheril96