In this tutorial, we will build an FTP service with data-at-rest encryption (DARE). That means every file is stored encrypted on the FTP server.
This is what you need:
- Encryption as a Service (you can find a tutorial on how to create one in the last blog, #81; you can also swap in another EaaS)
- pyftpdlib (used to build the FTP service)
- pycryptodome (used for the local encryption/decryption functions)
- docker (as the runtime; you can also run it on your localhost)
As you can see in this picture, we are going to use Linux system authentication to verify users and the file system as the storage backend. That means you can integrate the auth part with the Linux system without modifying the service code.
Here is the sequence diagram. As you can see in the picture below, it has three main parts; here is a brief introduction.
At the login part, the FTP service checks the KEK file path for each user at every login, decrypts the KEK string to get the user's AES key, then uses that AES key to decrypt the user's files.
The KEK file should be created on the user's first login: generate a random AES key, encrypt it with the RSA key, and write the result as the KEK file content.
At the upload part, the FTP service can handle this event with a pipeline. For example, you can run a malware detection service on each new file, then encrypt it with the user's AES key.
At the logout part, there are two main things: one is to encrypt all unencrypted files; the other is to encrypt the AES key with the RSA key and save it.
Before we talk about encryption and decryption, you should know some basic crypto algorithms.
AES is a common crypto algorithm.
AES is a symmetric algorithm, which means you use one AES key to both encrypt and decrypt a file.
RSA is an asymmetric algorithm: you can use the public key to encrypt a message, but only the private key can decrypt it. In this case, we use RSA to protect the AES key, which is what is really used to encrypt and decrypt files.
Here is an encrypted key:
➜ keks git:(main) cat .8b1c1c1eae6c650485e77efbc336c5bfb84ffe0b0bea65610b721762.secret
- Key Encrypt/Decrypt
Here is the sample code for encrypting the key; you can also swap it for your own service.
- File Encrypt/Decrypt
Here is sample code to encrypt and decrypt a file. In this case, we use pycryptodome to do the encryption/decryption locally. There is no doubt that this is faster than calling the encryption service for every file.
Also, as you can see, this class inherits from TLS_FTPHandler, which means it can enable the FTP-over-TLS feature.
We can build a service easily with docker, so I've been using docker to build services recently.
Here is the health check:
test: ["CMD", "curl", "-f", "http://mo.vault.eaas:8443"]
If you want to access one container's service from within another container, you need to specify the network link.
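As an added example (not the project's own compose file), this fragment shows how the health check line above and the network link fit together in docker-compose: both services join one named network, the EaaS service gets the `mo.vault.eaas` name as a network alias so the FTP container can resolve it, and the FTP service waits for the EaaS health check to pass. The image name, the volume paths and the network name are placeholders.

```yaml
# Added example, not the project's compose file; image, paths and network name are placeholders.
services:
  eaas:
    image: your-eaas-image   # placeholder
    networks:
      dare:
        aliases: [mo.vault.eaas]   # other containers on "dare" reach it by this name
    healthcheck:
      test: ["CMD", "curl", "-f", "http://mo.vault.eaas:8443"]
      interval: 10s
      timeout: 3s
      retries: 5
  ftp:
    build: .
    env_file: ./config/.env.dev
    depends_on:
      eaas:
        condition: service_healthy   # do not start the FTP service until EaaS answers
    networks: [dare]
    volumes:
      - ./local/dropzone:/srv/dropzone   # placeholder mount points
      - ./local/tokens:/srv/tokens
networks:
  dare: {}
```

The health check runs inside the EaaS container, so `curl` must exist in that image; if it does not, the check fails forever and the FTP service never starts.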
Now we can run it with:
rm -rf local/tokens/user02 local/dropzone && docker-compose --env-file ./config/.env.dev build
For the whole demo, you can watch this recording:
Tip: it was recorded with asciinema, and you can edit the cast file to remove any personal info.
In this blog, we used EaaS to build an FTP service with DARE (you can find the whole project code in the linked project). Maybe FTP is a little out of date, but it's still a good example of how to build a service that supports data-at-rest encryption. You can use sftp for another demo; just handle the login/logout and put/download events. You can also change the backend to an S3 filesystem, integrate auth with LDAP, and so on.