Execute encrypted files but don't let anybody read them

Question

I want to provide a virtual machine image with an installed web application. The user should be able to boot the vm (don't login, just boot) and a webserver should start automatically.

The point is I want to hide the (ruby) source code of the web application from everyone as there is no obfuscator for ruby.

I thought I could use file system encryption to encrypt the directory with the sourcecode (or even a whole partition). But the webserver user must be able to read it automatically after booting. Nobody is allowed to login as the webserver user (or any other user) so no other can read the contents.

My questions are now:

Is this possible?
Because I give away the whole vm everybody could mount its virtual discs and read them (except the encrypted one). Is it now possible to find the key the webserver user needs to decrypt the files and decrypt them manually? Or is it safe to give such a vm away?

The problem is that everything needed to decrypt must be included somewhere in the vm else the webserver cannot start automatically. Maybe I'm completely wrong and you have another tip for me securing the source code.

I have tried rubyeconder.com but it makes no sense for the requirements above. I also need a kind of obfuscator for ruby - but ruby is actually used inside Chef - configuration management - having the code obfuscated on the chef server - nothing works further - simply because Chef Anatomy run claims there are 2 phases: compile time and run time.. So obfuscated code could not further make a difference between the 2 phases. Have anyone found an obfuscator solution for Ruby under Chef configuration management? — , Jul 17 '11 at 12:01

score 4 · Answer 1 · answered Jan 13 '11 at 16:25

This is the same problem that the movie studios and the music studios have ran into. How do we let people "use" our product (in their case, watching and/or listening, in yours, executing) without them being able to use the product in a way that they don't want. You need DRM.

But as the MPAA and RIAA have learned, no matter what you do, somehow the key is always going to have to be given to the end user - no matter how you obfuscate it, no matter what requirements you put on it. Even requiring a different key every time doesn't work, or requiring the devices to 'check-in' with a remote server.

Instead, I suggest that you take a look at the reasons that you want encryption. Perhaps you would be better served by a different model than futility trying to defend the code. Software as a Service, perhaps, where you run the VMs for them? A subscription model where they pay for updates of the data that the application uses? A support model where you provide support as-needed on a contract basis?

SaaS is also a model I'll provide. But the type of application needs because of security reasons a local installation too. — Stebi, Jan 17 '11 at 08:45

score 1 · Accepted Answer · answered Jan 13 '11 at 17:26

1

A quick google search says there are ruby obfuscators - first one I came across:

http://www.rubyencoder.com/index.html

answered Jan 13 '11 at 17:26

Harwood

26
1

It looks promising and would make it much easier than my previous plan. – Stebi Jan 17 '11 at 08:46
1

Keep in mind that obfuscation is just that - obfuscation, not encryption. – Scrivener Jan 19 '11 at 17:06
Actually, that one says it compiles it into bytecode format - not being a ruby user, I can't give that one the sniff test. – Harwood Jan 20 '11 at 16:54

Execute encrypted files but don't let anybody read them

2 Answers2