- data encryption at rest
- CRUD REST API
- arbitrary accounts via HTTP Basic Auth
- client can read and write all filepaths for the current account
- user can build custom DIY webpages
- serve index.html for directories
1. Server: starts with env var `secret_key` being a (base64 encoded) 32-octet random key
2. Client: sends HTTP request. No basic auth or cookie provided => must authenticate
3. Client: sends basic auth with arbitrary `username` and `password`
4. Server: `userSalt = hkdf(secret_key, salt=username)`
5. Server: `userKey = argon2id(password, salt=userSalt)`
6. Server: attaches a Cookie with value `userKey` to the Client
7. Client: GET file at `path` "/a/b.c"
8. Server: `filename = hkdf(userKey, salt=userSalt + path)`, checks `path` is not empty
9. Server: serves file `filename` under webpath `path` (if it exists in the filesystem)
10. Client: POST/PUT file `content` at `path` "/a/b.c"
11. Server: calculates `filename`, encrypts the file `file = aes256gcm(content, userKey, nonce)` and stores `file` under this path. `file` is encrypted chunkwise with a new `nonce` every 4MiB (plus PKCS#7 padding)
12. Client: DELETE file at `path` "/a/b.c"
13. Server: calculates `filename` and deletes the file if it exists under this path
- Client: uses the Cookie (see step 6) in addition to basic auth
- Server: takes `username` from basic auth and `userKey` from the cookie (remember `filename` is constructed using both `username` and `userKey`)
- Server-Admin: closes the registration
- Client: sends request with either (`username`, `password`) or (`username`, `userKey`)
- Server: `userFingerprint = hkdf(userKey, salt=userSalt)`
- Server: checks `userFingerprint` is on the allowlist. If not, prints (`username`, `userFingerprint`) to the server log. The server-admin can then add `userFingerprint` to the allowlist
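The derivation chain from the steps above (userSalt, userKey, filename, userFingerprint) and the closed-registration allowlist check, as an added example that is not crydrv's own code: HKDF is implemented over HMAC-SHA256 from the standard library, argon2id is swapped for scrypt because the stdlib has no argon2, and `SECRET_KEY` is a constructed placeholder for the server's random 32-octet key.

```python
import hashlib
import hmac

HASH = hashlib.sha256

# Constructed stand-in for the random 32-octet SECRET_KEY the server starts with.
SECRET_KEY = hashlib.sha256(b"constructed demo secret, not a real key").digest()


def hkdf(ikm: bytes, salt: bytes, info: bytes = b"", length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand over HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt, ikm, HASH).digest()            # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                            # expand
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


def password_kdf(password: str, salt: bytes) -> bytes:
    # Stand-in for argon2id (not in the stdlib): scrypt with modest cost parameters.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def user_salt(username: str) -> bytes:
    return hkdf(SECRET_KEY, salt=username.encode())      # userSalt (step 4)


def login(username: str, password: str) -> dict:
    """Steps 4-6: derive userSalt, userKey (the cookie value) and userFingerprint."""
    salt = user_salt(username)
    key = password_kdf(password, salt)                  # userKey (step 5)
    return {"userSalt": salt, "userKey": key,
            "fingerprint": hkdf(key, salt=salt).hex()}  # userFingerprint


def storage_name(username: str, user_key: bytes, path: str) -> str:
    """Step 8: filename = hkdf(userKey, salt=userSalt + path); path must not be empty."""
    if not path:
        raise ValueError("empty path")
    salt = user_salt(username)
    return hkdf(user_key, salt=salt + path.encode()).hex()


def admit(username: str, fingerprint: str, allowlist: set) -> bool:
    """Closed registration: unknown fingerprints are logged so the admin can allowlist them."""
    if fingerprint in allowlist:
        return True
    print(f"registration closed; not on allowlist: ({username}, {fingerprint})")
    return False
```

Because `userSalt` is bound to `secret_key` and the username, two accounts with the same password still get different keys, fingerprints and on-disk filenames for the same path.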
- User has to trust the webserver blindly (as with all web apps)
- Webserver doesn't have to trust the storage/backup provider (e.g. cloud)
- Storage provider can still see file count, sizes and metadata => can guess possible file content types by size and track general activities via timestamps
- add HTTPS for transport encryption
```yaml
services:
  crydrv:
    image: ghcr.io/knrdl/crydrv:edge
    restart: always
    environment:
      - OPEN_REGISTRATION=true # default: false
      - MIN_PASSWORD_LENGTH=16 # default: 16
      # - SECRET_KEY=... # generated on first start
    ports:
      - 8000:8000
    volumes:
      - ./data:/www # chown -R 1000:1000 ./data
    mem_limit: 4g
    memswap_limit: 4g
```
getting started: see webutils