pglombardo / PasswordPusher

🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. Track who, what and when with full audit logs.
https://docs.pwpush.com
Apache License 2.0
1.98k stars 343 forks

Encrypted files at rest #1697

Open liquid-metal opened 9 months ago

liquid-metal commented 9 months ago

🚀 Feature Request

When a file is pushed, it should be possible to select (or force by configuration) that the file is stored encrypted in whatever storage is configured.

🔈 Motivation

Users might expect files in Password Pusher to be shared securely (not only the access), so in my opinion it is logical to share files with sensitive content. Especially when using external storage, it might be desirable to have the files on the storage encrypted. This is an improvement to security from the moment where the storage is on another host than the application itself. This might further be improved by deriving the encryption key from a lockdown passphrase.

Incorrectly configured S3 leads to countless data leaks; this might even become worse when using some kind of self-hosted storage which might not be as well-integrated into an IAM as a cloud-hosted offer.

🛰 Alternatives

Require the user to encrypt files? Sounds not so viable to me.

📎 Additional context

I am aware of the optimization mentioned in the config document that the browser can send files to an external storage directly. I can imagine multiple ways to deal with that

pglombardo commented 9 months ago

Great feature request - I agree this would be ideal although not the easiest thing to implement so it will take some careful thought and planning. Having the encryption key potentially tied to the lockdown passphrase is a good idea too. I'll give it all some thought.

pglombardo commented 7 months ago

Password Pusher uses lockbox for data encryption and it supports ActiveStorage encryption (file uploads): https://github.com/ankane/lockbox?tab=readme-ov-file#active-storage
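The idea raised in this thread, encrypting a file before it reaches storage with a key derived from a passphrase, as an added example that is not Password Pusher's or Lockbox's code. It uses only Ruby's standard `openssl` library; the module name `PassphraseFileCrypto`, the `PFC1` blob layout and the PBKDF2 iteration count are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Added illustration only; not Password Pusher's or Lockbox's code.
module PassphraseFileCrypto
  MAGIC      = "PFC1".b   # hypothetical format tag, also bound as AAD
  SALT_LEN   = 16
  NONCE_LEN  = 12
  TAG_LEN    = 16
  HEADER_LEN = MAGIC.bytesize + SALT_LEN + NONCE_LEN + TAG_LEN
  ITERATIONS = 600_000    # assumed PBKDF2-HMAC-SHA256 work factor

  module_function

  # Stretch the passphrase into a 256-bit key; the salt is stored with the blob.
  def derive_key(passphrase, salt)
    OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256")
  end

  # Returns MAGIC || salt || nonce || tag || ciphertext, ready for any storage backend.
  def encrypt(plaintext, passphrase)
    salt   = SecureRandom.random_bytes(SALT_LEN)
    nonce  = SecureRandom.random_bytes(NONCE_LEN)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = derive_key(passphrase, salt)
    cipher.iv  = nonce
    cipher.auth_data = MAGIC
    body = plaintext.empty? ? "".b : cipher.update(plaintext)
    body << cipher.final
    MAGIC + salt + nonce + cipher.auth_tag(TAG_LEN) + body
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong passphrase or a modified blob.
  def decrypt(blob, passphrase)
    blob = blob.b
    raise ArgumentError, "not a PFC1 blob" unless blob.bytesize >= HEADER_LEN && blob.start_with?(MAGIC)
    _, salt, nonce, tag = blob.unpack("a4a#{SALT_LEN}a#{NONCE_LEN}a#{TAG_LEN}")
    body   = blob.byteslice(HEADER_LEN..)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = derive_key(passphrase, salt)
    cipher.iv  = nonce
    cipher.auth_tag  = tag
    cipher.auth_data = MAGIC
    (body.empty? ? "".b : cipher.update(body)) + cipher.final
  end
end
```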