
I want to store sensitive data on my (public) Linux server. Also, I want to be able to access the data from different locations and different OSes without much hassle. I thought about using a (simple) web form, maybe also a Samba share which is hidden behind a VPN. Since I want to access the data very sparsely, I would also prefer a system where the data is always encrypted and is decrypted only if I want to access it.

Most solutions for data encryption I found do not seem to fulfil the latter criterion: the way I understood systems like LUKS or EncFS, they are usually holding a decrypted copy of the files. Also, I would like to have a lean system, which does not come with much overhead. Owncloud would probably do something like I'm looking for, but also comes with a lot of administration.

After thinking about the problem for some time, I came up with the following idea:

Encryption

  • Encrypt the data using a random key and EncFS
  • Encrypt the key using RSA and my public certificate and put it on a (public?) website.
  • Forget the key.

Data-Access

  • Open the website and copy-paste the key
  • Decrypt the key using a private certificate and a smart-card
  • Fill-in the decrypted key in a textbox on the website
  • Now a script either mounts the EncFS volume in a Samba share (see above) or in a directory of the webpage which is protected using .htaccess.

How secure would such a system be? I would assume that the critical part is the one where the data is decrypted, but accessible. My questions are now the following:

  • Did I overlook something in the system which generates security problems?
  • How secure is .htaccess protection on an nginx web server? Are there ways to improve the part where I access the files?
  • If there should be existing solutions to my problem I did not find, please tell me.

Looking forward to hearing from you!

check0104

1 Answer


A couple of pointers:

  • Using Samba significantly reduces your security. For what you propose, SSH would be a better fit (when utilizing public keys).
  • nginx does NOT use .htaccess (and .htaccess is horrible for performance and security). You should configure everything in the (virtual) host directives (so in /etc/nginx/sites-available for most *NIXes).
  • When utilizing SSH you could use a shell, and then GPG encryption could be utilized to protect your file (with the bonus of not having to disclose your public certificate, which could tip off an attacker, before entering your system, that you are using it for encryption of a specific file).
  • Usability-wise, your solution is a lot of steps, many of which add no (additional) security at all. I would suggest you look into jails / chroot for additional levels of protection.
LvB
  • Yes, these are some good points. I was not aware that auth_basic is so insecure. But my intention was not to add additional security, but to make the files easier to access from a remote location, where I perhaps do not have ssh access. Is there a way to achieve this? – check0104 May 04 '15 at 12:13
  • Do you mean as in the port is being blocked, or not having the software? The port you can bypass with, for example, an https/ssh broker or just running ssh on port 80 or port 443. Software is widespread on *NIX; on Windows you could use PuTTY (standalone on a stick). – LvB May 04 '15 at 12:37
  • Originally I was looking for a solution where I can access my files from a simple web-browser while still storing them securely. But even in my proposed solution the key-card needs some additional setup. So I guess I am going to follow the references you gave concerning jails and chroot. Thanks! – check0104 May 04 '15 at 12:48
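
The answer's point that nginx ignores .htaccess and expects access control in the virtual-host configuration, shown as an added example that is not part of the original question, answer or comments. The hostname, file name, certificate paths and directory layout are assumptions chosen for illustration.

```nginx
# Added example; hostname, file name and all paths are placeholders.
# File: /etc/nginx/sites-available/private-files (hypothetical name)

# Plain HTTP only redirects, so Basic auth credentials (which are merely
# base64-encoded) are never sent without TLS.
server {
    listen 80;
    server_name files.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name files.example.com;

    ssl_certificate     /etc/nginx/tls/files.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/files.example.com.key;

    root /srv/www/files;

    # This block does the job the per-directory .htaccess was meant to do.
    location /private/ {
        auth_basic           "Restricted";
        # Password file lives outside the web root so it cannot be fetched.
        auth_basic_user_file /etc/nginx/htpasswd-private;
        autoindex off;
    }

    # To nginx a leftover .htaccess or .htpasswd is an ordinary file.
    # Regex locations win over the prefix match above, so dotfiles under
    # /private/ are refused as well.
    location ~ /\. {
        deny all;
    }
}
```

Run `nginx -t` to check the syntax before reloading the server.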