jhaals / yopass

Secure sharing of secrets, passwords and files
https://yopass.se
Apache License 2.0
1.79k stars 278 forks

feature request: decrypt only / restrict who can encrypt? #1635

Status: Open. cloud-aware opened this issue 1 year ago

cloud-aware commented 1 year ago

I successfully deployed yopass to S3/Lambda - but was wondering - is there an easy method of restricting who can encrypt new secrets while allowing anyone to decrypt?

semaja2 commented 11 months ago

+1 on this. To expand on a use case, this would prevent the tool being abused as a phishing vector.

E.g. a malicious actor encrypts a message with a malware download link etc., then uses the encrypted message hosted on the company's portal to look legit.

cloud-aware commented 11 months ago

FWIW, we made some modifications to the code to make a unique URI/location for the encrypt pages (CreateSecret and Upload) as a workaround solution for now. Probably not fully obfuscated, but it makes it more difficult (these are example GUIDs and not the ones I actually used):

in website/src/Routing.tsx:

```tsx
import { Route, Routes } from 'react-router-dom';

import CreateSecret from './createSecret/CreateSecret';
import DisplaySecret from './displaySecret/DisplaySecret';
import Upload from './createSecret/Upload';

export const Routing = () => {
  return (
    <Routes>
      {/* Create/upload pages moved to non-guessable paths (example GUIDs) */}
      <Route path="/cbf916be-a754-454a-bbe3-a6e0d0734d15" element={<CreateSecret />} />
      <Route path="/c64f368b-2fc2-4517-ac25-3e12a85073aa/upload" element={<Upload />} />
      {/* Decrypt/display routes stay at their public paths */}
      <Route path="/:format/:key/:password" element={<DisplaySecret />} />
      <Route path="/:format/:key" element={<DisplaySecret />} />
    </Routes>
  );
};
```
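Hiding the create routes in the frontend only obscures them; the API that actually stores secrets stays reachable. The restriction the issue asks for can instead be enforced server-side with a middleware that gates only the write endpoints while reads stay open. This is an added example in Go, not yopass project code; it assumes the write endpoints are `POST /secret` and `POST /file` and uses a hypothetical `X-Create-Token` header.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"strings"
)

// Constructed example token; a real deployment would load it from the
// environment or a secret store, never hard-code it.
const createToken = "example-create-token-not-real"

// isCreateRequest reports whether the request would store a new secret or
// file. The paths are an assumption about the yopass API (POST /secret,
// POST /file); reads such as GET /secret/{key} never match.
func isCreateRequest(r *http.Request) bool {
	if r.Method != http.MethodPost {
		return false
	}
	p := strings.TrimSuffix(r.URL.Path, "/")
	return p == "/secret" || p == "/file"
}

// authorizedToCreate checks the hypothetical X-Create-Token header with a
// constant-time comparison so timing does not leak the token.
func authorizedToCreate(r *http.Request) bool {
	got := r.Header.Get("X-Create-Token")
	return subtle.ConstantTimeCompare([]byte(got), []byte(createToken)) == 1
}

// RestrictCreate wraps an existing handler: decrypt/read requests pass
// through untouched, create requests need the token or get 403.
func RestrictCreate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isCreateRequest(r) && !authorizedToCreate(r) {
			http.Error(w, "secret creation is restricted", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux() // stands in for the real API handler
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	log.Fatal(http.ListenAndServe(":1337", RestrictCreate(mux)))
}
```

Reads of existing secrets are unaffected, so links already shared keep working while anonymous creation (the phishing vector raised above) is blocked.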