Store Encrypted Files - SSH


  1. Store Encrypted Files

    Hi guys,

    I have a couple of questions concerning sending and storing encrypted
    files on a server.

    What I would like to do is have
    1) a client (preferably browser) encrypt files,
    2) send this securely to a server and
    3) let the server store this encrypted file,
    4) let the client download his encrypted file and decrypt it.

    A major requirement is, the encryption key can (should) never be known
    by the server!

    I have been looking at several options like https, sftp, ssl,...
    But I feel like a noob when it comes to security.

    Now my questions to you experts out there

    1) Is it possible to store encrypted files over ssl, knowing that the
    server can't automatically decrypt?
    I have found this thread somewhere else saying it is not possible
    http://channel9.msdn.com/ShowPost.aspx?PostID=260779
    2) I want to use a browser to upload files to the server, but since
    https isn't really a file transfer protocol, would this be a good idea?
    Could the same requirements be met using sftp?
    3) Where is the best way to get started using the proposed solution, in
    other words, where can I find good documentation?

    THX guys!


  2. Re: Store Encrypted Files


    Sounds like you want GnuPG. Can be downloaded for free at
    http://www.gnupg.org/.

  3. Re: Store Encrypted Files

    Chuck wrote:
    >
    > Sounds like you want GnuPG. Can be downloaded for free at
    > http://www.gnupg.org/.


    I should point out that this requires you to do the encryption and
    decryption manually on your client. One advantage is that you don't need
    to use a secured network protocol to transfer the file. It was
    encrypted before it ever hit the network.

  4. Re: Store Encrypted Files


    Chuck wrote:

    >
    > I should point out that this requires you to do the encryption and
    > decryption manually on your client. One advantage is that you don't need
    > to use a secured network protocol to transfer the file. It was
    > encrypted before it ever hit the network.


    Chuck, thx for your reply!

    I thought about that technique also,
    and indeed, uploading and downloading do not necessarily require a
    secure protocol.
    But this technique implies a client that is capable of encrypting the
    files before uploading, and because I do not want to use javascript
    (clients turn them on and off as they please) I guess I'm stuck with a
    fat client application.
    But still I would like to find a solution to use a web interface!

    More help appreciated


  5. Re: Store Encrypted Files

    tim.de.roock@gmail.com wrote:
    >
    > Chuck, thx for your reply!
    >
    > I thought about that technique also,
    > and indeed, uploading and downloading do not necessarily require a
    > secure protocol.
    > But this technique implies a client that is capable of encrypting the
    > files before uploading, and because I do not want to use javascript
    > (clients turn them on and off as they please) I guess I'm stuck with a
    > fat client application.
    > But still I would like to find a solution to use a web interface!
    >
    > More help appreciated
    >


    If it's a windows environment, windows has encryption built in. Just go
    to the properties dialog for the file or folder, click advanced, and
    then "encrypt contents".

  6. Re: Store Encrypted Files

    On 8 Jan 2007 04:33:43 -0800
    tim.de.roock@gmail.com wrote:

    > Hi guys,
    >
    > I have a couple of questions concerning sending and storing encrypted
    > files on a server.


    http://www.securitybulletins.com/med...rypted_Backups
    is an article I wrote explaining the basics of using GPG to store
    backups in an encrypted format using GPG. It might be helpful to you
    with your project.

    Doug

    --
    For UNIX, Linux and security articles
    visit http://SecurityBulletins.com/

  7. Re: Store Encrypted Files

    >
    > If it's a windows environment, windows has encryption built in. Just go
    > to the properties dialog for the file or folder, click advanced, and
    > then "encrypt contents".


    That will not help. The encryption is automatic at the filesystem level;
    when you read the file to send it, the contents are decrypted and returned
    to the reader.

    --
    Richard Silverman
    res@qoxp.net


  8. Re: Store Encrypted Files

    Doug Spencer wrote:

    > On 8 Jan 2007 04:33:43 -0800
    > tim.de.roock@gmail.com wrote:
    >
    > > Hi guys,
    > >
    > > I have a couple of questions concerning sending and storing encrypted
    > > files on a server.

    >
    > http://www.securitybulletins.com/med...rypted_Backups
    > is an article I wrote explaining the basics of using GPG to store
    > backups in an encrypted format using GPG. It might be helpful to you
    > with your project.
    >
    > Doug
    >
    > --
    > For UNIX, Linux and security articles
    > visit http://SecurityBulletins.com/


    Doug, Thx for your reply,

    I read your article and it might come in handy for a future project,
    but if I understand correctly, you have 2 parties that provide
    public/private keys, in my case those 2 parties would be the client and
    the server, but as I stated in my original post, I do not want to do
    any encryption on the server. When the file arrives on the server it
    should already be encrypted!
    The way I see it,
    I have to do a streaming encryption, that is while my file is being
    uploaded, I encrypt it, like https or sftp, but I do not want the
    server to decrypt it.
    Or I do an encryption on the client, and then I upload it, but this
    would consume client processor time.
    So obviously the first option is my favourite, but it has to be possible
    technically.

    Chuck.
    I do not always know the nature of the client, this could be a mac,
    unix, windows, ...

    Greetings


  9. Re: Store Encrypted Files

    Richard E. Silverman wrote:

    >> If it's a windows environment, windows has encryption built in. Just go
    >> to the properties dialog for the file or folder, click advanced, and
    >> then "encrypt contents".

    >
    > That will not help. The encryption is automatic at the filesystem level;
    > when you read the file to send it, the contents are decrypted and returned
    > to the reader.
    >


    Depends on what the server is being used for that he's talking about.
    It's beginning to sound like he just wants a file server to store
    encrypted documents. AFAIK EFS decrypts the file on the client,
    otherwise the server would need to get a copy of the certificate's
    private key somewhere in the process and if that were true, EFS would
    be worthless for security.

  10. Re: Store Encrypted Files

    In article <1168330346.858004.299470@11g2000cwr.googlegroups.com>
    tim.de.roock@gmail.com writes:
    >Doug Spencer wrote:
    >
    >> On 8 Jan 2007 04:33:43 -0800
    >> tim.de.roock@gmail.com wrote:
    >>
    >> > Hi guys,
    >> >
    >> > I have a couple of questions concerning sending and storing encrypted
    >> > files on a server.

    >>
    >> http://www.securitybulletins.com/med...rypted_Backups
    >> is an article I wrote explaining the basics of using GPG to store
    >> backups in an encrypted format using GPG. It might be helpful to you
    >> with your project.


    >I read your article and it might come in handy for a future project,
    >but if I understand correctly, you have 2 parties that provide
    >public/private keys,


    You don't understand correctly - in some cases of public/private key
    usage, there are two pairs of them (e.g. SSL/TLS when using client
    certificates), but this is not needed or even typical. Incidentally, the
    public/private keys are not used for the bulk encryption either in
    PGP/GPG or SSL/TLS, they're (as far as the encryption part goes) just
    used to allow sender and recipient to agree on a dynamically generated
    symmetric key for that.

    > in my case those 2 parties would be the client and
    >the server, but as I stated in my original post, I do not want to do
    >any encryption on the server. When the file arrives on the server it
    >should already be encrypted!


    If you replace the tape drive in Doug's text with your server, you get
    this situation - the server gets an encrypted data stream and dumps it
    to a file without "looking" at it. Later you can retrieve that file,
    which means that the client receives a stream of encrypted data that it
    can decrypt. In Unix/OpenSSH terms that could be as simple as

    gpg [enc-args] < secret_file | ssh user@host 'cat > encrypted_file'

    and

    ssh user@host cat encrypted_file | gpg [dec-args] > secret_file

    - gpg (and other tools) can also encrypt/decrypt without any use of
    public/private keys at all (i.e. you get to provide the symmetric key),
    but that is kind of beside the point.

    >The way I see it,
    >I have to do a streaming encryption, that is while my file is being
    >uploaded, I encrypt it, like https or sftp, but I do not want the
    >server to decrypt it.


    As can be deduced from Doug's text, and as shown above, gpg (and other
    tools) can certainly do streaming encryption, without any need for the
    other party to decrypt. But the transport encryptions of SSL/TLS (https)
    or SSH (sftp) are just that - transport encryptions. They can't be used
    by simply dumping the stream to a file and later decrypting that file.
    Among other things the stream includes protocol control information that
    must be processed by the receiving party, and at least for SSH the
    transport encryption must be undone to get at that information.

    >Or I do an encryption on the client, and then I upload it, but this
    >would consume client processor time.


    Hm, I assume that you mean that the client then gets to do both the file
    (or stream) encryption and the transport encryption? This is true, and
    the one you can't do without is the file/stream encryption. I.e. if this
    is a concern, you need to use a protocol without transport encryption -
    I think this was already pointed out, along with the fact that you don't
    need transport encryption per se since the content you're transporting
    is already encrypted, but that you probably still need to think about
    encryption to protect the authentication phase.

    I can't think of any protocols in common use that fit that bill very
    well - SSH with public-key authentication and cipher 'none', or SSL/TLS
    with client certificate authentication and cipher NULL could work, but
    those ciphers, while specified by the standards, are not normally
    available. And with current processors, the effort of this "double
    encryption", at "Internet speed", shouldn't be a problem (if you want to
    do it on a Gigabit Ethernet LAN, things may be different).

    --Per Hedeland
    per@hedeland.org

  11. Re: Store Encrypted Files

    On 9 Jan 2007 00:12:26 -0800
    tim.de.roock@gmail.com wrote:

    > Doug, Thx for your reply,
    >
    > I read your article and it might come in handy for a future project,
    > but if I understand correctly, you have 2 parties that provide
    > public/private keys, in my case those 2 parties would be the client and
    > the server, but as I stated in my original post, I do not want to do
    > any encryption on the server. When the file arrives on the server it
    > should already be encrypted!


    GPG is very flexible. You can encrypt a file against a public key and
    optionally sign it with a private key. The public key can be your own
    key or a single or multiple third party keys.

    Encrypting the file assures that it isn't readable by a party who
    doesn't have a private key that unlocks it. Just encrypting to a public
    key (even your own public key) doesn't normally require a pass-phrase.

    Encrypting and SIGNING the file with your private key assures that it
    isn't readable by a party who doesn't have a private key AND that it
    hasn't been tampered with while it was on the server. Since your public
    key is not a secret, anyone can encrypt something to you. The only way
    to assure that the data you get back is the same as what you put in is
    to sign it. The signing step generally DOES require
    you to enter your pass-phrase.

    GPG also allows you to encrypt using a symmetric key with the
    --symmetric option. That will request a pass-phrase that is then used to
    encrypt the file. The same pass-phrase is used to decrypt the file as
    well. Using symmetric encryption, the pass-phrase is the key. Anyone
    with the pass-phrase can decrypt the file.

    From your description of your requirements, GPG sounds like the
    tool you should use. You do have to be careful of how you maintain your
    keys or your efforts are voided. With asymmetric encryption, the
    private key needs to be kept secret. With symmetric encryption, the
    pass-phrase must be provided to those with a need to know, and should
    obviously be different from your private key's pass-phrase.

    Doug

    --
    For UNIX, Linux and security articles
    visit http://SecurityBulletins.com/
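
The two pipelines from Per Hedeland's reply, combined with the encrypt-and-sign advice in the last post, as an added example that is not part of the original thread. A local directory stands in for the server (`store`/`fetch` replace the `ssh user@host` ends), and the key name, the passphrase-less throwaway key and all paths are constructed for the demo; it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread). The "server" is a local directory;
# store/fetch stand in for  ssh user@host 'cat > f'  and  ssh user@host cat f.
# KEY, the passphrase-less demo key and all paths are constructed for the demo.
KEY='demo-client@example.invalid'

setup() {
    WORK=$(mktemp -d) || return 1
    export GNUPGHOME="$WORK/gnupg"            # private key lives only on the client
    mkdir -m 700 "$GNUPGHOME" "$WORK/server" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY" default default never 2>/dev/null || return 1
    printf 'constructed sample secret\n' > "$WORK/secret_file"
}

store() { cat > "$WORK/server/$1"; }          # server side: dump bytes, holds no key
fetch() { cat "$WORK/server/$1"; }

# Encrypt to our own public key AND sign, streaming straight to the server.
upload() {
    gpg --batch --quiet --encrypt --sign --recipient "$KEY" < "$1" | store "$2"
}

# What anyone holding only the public key can produce: a valid but unsigned file.
replace_unsigned() {
    printf 'replacement content\n' |
        gpg --batch --quiet --encrypt --recipient "$KEY" | store "$1"
}

# Decrypt, but accept the result only if it carries a valid signature from KEY.
download() {
    fpr=$(gpg --batch --with-colons --list-keys "$KEY" |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    rm -f "$2.part"
    fetch "$1" | gpg --batch --quiet --yes --status-fd 3 --decrypt \
        --output "$2.part" 3> "$WORK/status" 2>/dev/null || { rm -f "$2.part"; return 1; }
    if grep '^\[GNUPG:\] VALIDSIG ' "$WORK/status" | grep -q "$fpr"; then
        mv "$2.part" "$2"
    else
        rm -f "$2.part"; return 1             # decrypted fine, but not signed by us
    fi
}

cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"; }

demo() {
    setup || return 1
    upload "$WORK/secret_file" encrypted_file
    download encrypted_file "$WORK/out" && cmp -s "$WORK/secret_file" "$WORK/out" &&
        echo "round trip ok"
    replace_unsigned encrypted_file
    download encrypted_file "$WORK/out2" || echo "unsigned replacement rejected"
    cleanup
}
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

The `VALIDSIG` check matters because `gpg --decrypt` exits successfully on a correctly encrypted file that carries no signature at all.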
