More detailed general architecture for decryption of file content

[dawehner]

Here is a more specific architecture for decrypting file content and making it flexible within Drupal.

• Implement a route like encrypt.files which allows code to link to our encrypted file URL. In this URL we could encode the profile, so something like /encrypt/{key_profile_name}/{path}
• In the controller for that route, use encrypt://{key_profile_name}/{path} as URL, but keep mostly the existing implementation of \Drupal\system\FileDownloadController::download to keep everything in the scope of Drupal
• stream wrapper that looks like : encrypt://{key_profile}/path/... This calls out to the decrypt method itself:
  • The decryption supports streaming: Stream in the file content via the decryption.
  • Decryption doesn't support streaming, load the file and decrpyt it via ->decrypt directly, basically exactly how http://cgit.drupalcode.org/encrypted_files/tree/includes/EncryptedStreamWrapper.inc is dealing with it.

    A streaming interface

In order to make streaming as easy as possible one could use basically https://github.com/paragonie/halite/blob/master/src/Contract/StreamInterface.php as interface for description streaming.

What do you think about this more low level details?

[nerdstein]

There is nothing that stands out to me as being problematic with this approach. We certainly need to have some good error correction in the event that someone passes a bogus encryption profile. I think "key_profile" should actually be "encryption_profile", which is a wrapper for the encryption algorithm and the selected key.

[nerdstein]

Like anything else, I say we give it a shot. We may find limitations but we can cross that bridge when we get to it.

[dawehner]

Started with some initial implementation. What are your thoughts so far?

[nerdstein]

Feedback applied but overall this is a good start