Comments (4)
Hi, could you help me understand your use case a bit more? It seems to me people will have access to the same content and you're the one generating the password, so why doesn't providing one single password to all work? Is it in case one is compromised, then you can change only that one password without impacting access for the others?
from staticrypt.
Hi,
Yes, exactly. Our use case is API docs being statically generated, and at the moment we use simple htpasswd to generate logins for each entity, and if one is compromised or should have no more access, we could delete the key.
from staticrypt.
Thanks for detailing the need @martinseener. This sounds useful and like something StatiCrypt might want to support.
This is low priority compared to the other features moving towards v3 so I don't expect it to happen soon however. I put it in the roadmap backlog for now.
Anyone interested in this can feel free to submit a PR, though I'd recommend waiting for v3 to be here as the code will be cleaned up quite a bit then.
from staticrypt.
I thought about this some more and have an implementation lead. We can:
- generate a random encryption key
- use that key to encrypt the files
- encrypt that key with multiple passwords, storing the results alongside the encrypted file data
To decrypt, we try to decrypt all encrypted keys with the provided password. If one of them matches, then we use the decrypted key to decrypt the file data.
Since everything is happening client side the random encryption key is exposed each time someone decrypts the file. So to allow revoking access that key needs to change each time we encrypt our files (else someone could store that key at one point and keep using it even if their password no longer works).
In the meantime, the recommended way is to encrypt the file multiple times with multiple passwords and multiple output directories. The protected files can then be shared with their unique urls: https://example.com/john/test.html, https://example.com/mary/test.html, ...
I added a section in the FAQ showing what that could look like.
It looks like a pretty good workaround to me but let me know if that didn't fit your use case. Thanks!
from staticrypt.
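A sketch of the multi-password scheme outlined in the last comment above, added here as an example; it is not StatiCrypt's code. It uses Node's built-in crypto with AES-256-GCM and PBKDF2-SHA256, and the function names, bundle layout and iteration count are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const PBKDF2_ITERATIONS = 100000; // assumed cost for this sketch

// AES-256-GCM; output layout is iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function unseal(key, sealed) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, "sha256");
}

// Encrypt the data once under a random content key, then wrap that key per password.
function encryptForPasswords(plaintext, passwords) {
  const contentKey = nodeCrypto.randomBytes(32); // fresh on every run, so revocation holds
  const slots = passwords.map((password) => {
    const salt = nodeCrypto.randomBytes(16);
    return { salt, wrappedKey: seal(deriveKey(password, salt), contentKey) };
  });
  return { slots, data: seal(contentKey, Buffer.from(plaintext, "utf8")) };
}

// Try the password against every slot; the GCM tag check rejects a wrong password.
function unwrapContentKey(bundle, password) {
  for (const { salt, wrappedKey } of bundle.slots) {
    try {
      return unseal(deriveKey(password, salt), wrappedKey);
    } catch {
      // Tag mismatch: this slot belongs to another password.
    }
  }
  return null;
}

function decryptWithPassword(bundle, password) {
  const contentKey = unwrapContentKey(bundle, password);
  return contentKey ? unseal(contentKey, bundle.data).toString("utf8") : null;
}
```

Revoking a password means running `encryptForPasswords` again without it; because the content key is regenerated, a key saved from an earlier bundle no longer opens the new data.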