balena-labs-research / secure-store

Secure Store is like a YubiKey for your network, providing encryption and remote decryption of files/folders and environment variables for entire IoT fleets.
MIT License

Is it possible to add more documentation to the README about where the different encryptions are triggered in the code? #4

Open u93 opened 1 year ago

u93 commented 1 year ago

I mean adding references to the code functions that provide the following encryptions referred to in the text below:

The files and folders are encrypted using [Rclone Crypt](https://github.com/rclone/rclone), which is also open source and available for your own auditing. Under the hood are [different encryption methods](https://rclone.org/crypt/) for different parts of the encryption (e.g. filenames vs files themselves) which utilise among others NaCl SecretBox based on XSalsa20 cipher and Poly1305 for integrity. Its content is encrypted using a randomly generated 1024 bit password which is unique for each device, and stored inside a configuration file. That configuration file is then encrypted with NaCl SecretBox using your own provided key generated from Secure Store and served by Secure Store Server to all your devices.

As with any encryption solution, this is not bulletproof. This project has been developed as a proof of concept designed to significantly increase the level of security of content, but does not make any guarantees.

In case everything is done by RClone Crypt, is it possible to point to the functions that call it and make some references to that?

We find the need for this for understanding better the encryption process before applying to devices in our fleet.

Thanks in advance!

maggie44 commented 1 year ago

Hmm, a good but complicated question.

RClone is called to do the config encryption here: https://github.com/balena-labs-research/secure-store/blob/21c9ec2066d91139e39e538a3f837b073ee5ee42/cmd/secure-store/mount/mount.go#L42

RClone is called to create a mount folder here: https://github.com/balena-labs-research/secure-store/blob/21c9ec2066d91139e39e538a3f837b073ee5ee42/cmd/secure-store/mount/mount.go#L114

Once it creates a mount, anything put into that folder is encrypted and then copied to another folder (the storage folder). When you run the docker command to encrypt your local content, it is basically just creating an RClone mount, copying your files from source/ into the created mount, then taking the encrypted output and putting it in encrypted/.

I think it would be quite complex for most users to be reading about that sort of thing in the docs, I could end up opening up a whole can of worms trying to explain it all. I know that's not ideal.

u93 commented 1 year ago

Can I assume that all the encryption is done by RClone and not by the Golang code? I ask because there is quite the number of files for encryption in the source code, but those could be for generating the mTLS keys, etc.

maggie44 commented 1 year ago

Three methods:

  1. MTLS keys done by Secure Store code: https://github.com/balena-labs-research/secure-store/blob/3a51a23b033c69c6687a4447303da3fd5161945a/cmd/secure-store/mtls/mtls.go#L14
  2. Files done by Rclone: https://github.com/balena-labs-research/secure-store/blob/3a51a23b033c69c6687a4447303da3fd5161945a/cmd/secure-store/mount/mount.go#L27
  3. String encryption used to encrypt environment variables, done by Secure Store code: https://github.com/balena-labs-research/secure-store/blob/3a51a23b033c69c6687a4447303da3fd5161945a/cmd/secure-store/encrypt/encrypt.go#L13

There are corresponding decrypt for some of those in the same places.

u93 commented 1 year ago

Great, thanks for the info, will deep dive into those!
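
The layering described in the README excerpt quoted in the first comment, as an added example that is not Secure Store's or Rclone's code: a random 1024-bit per-device password sits in a config that is sealed under a shared fleet key, and opening fails on a wrong key or altered bytes. It assumes a 32-byte key and uses AES-256-GCM from Go's standard library in place of NaCl SecretBox; the function names and config layout are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-256-GCM (a stand-in for NaCl SecretBox) from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealConfig encrypts a device config; the output is nonce || ciphertext+tag.
func sealConfig(aead cipher.AEAD, config []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, config, nil), nil
}

// openConfig authenticates then decrypts; a wrong key or altered bytes give an error.
func openConfig(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed config shorter than nonce")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	fleetKey, password := make([]byte, 32), make([]byte, 128) // 128 bytes = 1024 bits
	rand.Read(fleetKey)
	rand.Read(password)
	config := []byte(fmt.Sprintf("[device]\npassword = %x\n", password)) // constructed layout
	fleet, _ := newAEAD(fleetKey)
	wrong, _ := newAEAD(make([]byte, 32)) // all-zero key standing in for a wrong key
	sealed, _ := sealConfig(fleet, config)
	plain, _ := openConfig(fleet, sealed)
	_, err := openConfig(wrong, sealed)
	fmt.Println("round trip ok:", string(plain) == string(config), "| wrong key rejected:", err != nil)
}
```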