Seafile end to end encryption for encrypted libraries (v3)

May 11, 2014 Leave a comment

Rephrased from https://seacloud.cc/group/3/wiki/faq-for-security-features/ and https://github.com/haiwen/seafile/wiki/Seafile-server-components-overview

FYI, encryption used are all symmetric

Master Key
When you create an encrypted library, a random file key (master key) is generated. This master key is the main key that is used to encrypt and decrypt the files and this key has NOTHING to do with your password, and is not stored anywhere in the system. As long as you can get this key, your access to the data is confirmed! There is also no known way to change this easily.

Enc Master Key
The password you entered is used to encrypt the master key (enc master key) , this data is stored in the server to send out to the clients in order to derive the actual file key by decrypting with the password.
I.e master key enc master key

Web Browsers (8000, 8082)
For browsers and all access thru http protocols (inc mobile devices) the enc master key and encrypted data is sent to the client/server and the client/server will do the neccessary decryption to get the file key which is then used to decrypt the encrypted data to get the actual file. For mobile apps, it seems the file key is also stored in the app data.

cc net (10001) and seaf daemon (12001)
A magic token is generated from the library id and password and stored on the server. This is used to confirm the password is correct. Once it is confirmed, the master key is stored on the client.

summary
Although no passwords are stored anywhere, this does not really matter since all it does is to decrypt the encrypted master key, what really matters is the file key, which unfortunately seems to be stored on both the client as well as mobile app, quite possibly in an unencrypted format.

So while the sys admin is not able to your files. Should your devices be compromised, the hackers potentially have access to your file key which will unlock the files when they request it from 8082 which does not need any form of authentication.

Categories: Uncategorized

Windows Server Storage Spaces–Auto attach disk

May 8, 2014 Leave a comment

Sometimes when you reformat a server, the volume in the storage spaces is not auto attached.

 

to set it to automatically load use the following powershell

Set-VirtualDisk -FriendlyName Mirror -IsManualAttach 0

Categories: Windows Server

Enabling HTTPS for Seafile (Windows)

May 7, 2014 35 comments

EDIT: Video tutorial can be found at http://www.youtube.com/watch?v=HRNCpR_mSSs&feature=youtu.be

While there has been documentation on how to enable HTTPS for seafile in *nix environment. There is no documentation for doing this on windows.   Looking at the nginx implementation, it is essentially doing a reverse proxy. This is something that IIS+URL Rewrite can easily achieve!   Before we proceed, take a look and understand the reverse proxy requirements found at https://github.com/haiwen/seafile/wiki/Enable-Https-on-Seafile-web-with-nginx   I will not go into steps on how to generate your own SSL cert, but rather focus on how to use IIS to reverse proxy the necessary ports.   Requirements

  1. Standard implementation of seafile ONLY
    1. ie seafile listens on the following port: 8000, 8082, 10001, 12001
  2. HTTP requests to port 80 will be redirected to HTTPS calls on port 443
  3. HTTPS requests on port 443 will be treated as follows
    1. if it starts with seafhttp, send it to seafile port 8082
    2. otherwise send it to seafile port 8000

Step by Step Guide

  1. Install seafile on the server
  2. Install IIS with default options
  3. Run IIS Manager image
  4. Install Web Platform Installer (WebPI)
  5. Inside WebPI, install URLRewrite
  6. Create 2 websites, pointing to separate physical folders. Ensure the https website is associated with a valid SSL certificate image
  7. Edit the web.config for the HTTP site

    <?xml version=”1.0″ encoding=”UTF-8″?> <configuration> <system.webServer> <rewrite> <rules> <rule name=”Redirect to HTTPS” stopProcessing=”true”> <match url=”(.*)” /> <action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” /> </rule> </rules> </rewrite> </system.webServer> </configuration>

  8. Edit the web.config for the HTTPS site

    <configuration> <system.webServer> <rewrite> <rules> <rule name=”seafhttp” stopProcessing=”true”> <match url=”seafhttp/(.*)” /> <action type=”Rewrite” url=”http://127.0.0.1:8082/{R:1}” appendQueryString=”false” logRewrittenUrl=”true” /> </rule> <rule name=”Reverse Proxy” patternSyntax=”ECMAScript” stopProcessing=”true”> <match url=”(.*)” /> <!– Redirect all requests to non-HTTPS site. –> <action type=”Rewrite” url=”http://localhost:8000/{R:1}” logRewrittenUrl=”true” /> </rule> </rules> </rewrite> </system.webServer> </configuration>

  9. Enjoy a secure version of seafile :)
Categories: General, Hacking, IIS

Disabling/Removing IIS Shared Configuration

March 1, 2014 Leave a comment

 

If you are using IIS Shared Configuration and changed the password for the account accessing the file path, you might encounter the following error

The World Wide Web Publishing Service service depends on the Windows Process Activation Service service which failed to start because of the following error:
The user name or password is incorrect.

The Windows Process Activation Service service terminated with the following error:
The user name or password is incorrect.

Windows Process Activation Service (WAS) is stopping because it encountered an error. The data field contains the error number.

 

Internet Information Services (IIS) Manager will also start with a weird error message and then prompts you to login

 

All these points to an inability to access the shared configuration

 

How to resolve?

 

  1. Stop IIS (iisreset /stop)
  2. Goto C:\Windows\System32\inetsrv\config
    image
  3. Open redirection.config inside notepad
    image
  4. Change the <configurationRedirection> part to <configurationRedirection />
  5. Start IIS again (iisreset)
Categories: IIS, Windows Server

Windows 8.x–Disable Hibernation and Sleep

January 17, 2014 Leave a comment

To turn off either one, first start an administrator mode command prompt

and then type the required commands

 

#turn off hibernate
powercfg /H off

#disable sleep
powercfg -change -standby-timeout-ac 0

 

image

Categories: General

Commonly used AppFabric cmdlets

January 7, 2014 Leave a comment

Note, all cmdlets must run in administrator mode powershell preferable from the Caching Administration shortcut, else in any normal powershell, run

import-module DistributedCacheAdministration

image

 

An easy way to get all the commands available in the module is to run the following powershell

Get-Command -module DistributedCacheAdministration | Sort-Object > C:\AppFabric.txt

 

Get-AFCacheHostStatus, gets the status of the cache hosts in the cluster

image

 

Get-CacheStatistics [cachename], gets statistics about the cache

image

Get-CacheClusterHealth, gets the health of the Cache Cluster

image

 

Get-CacheHostConfig, gets the host configuration

image

 

Get-CacheConfig [cachename], gets the cache configuration

image

image

 

Setting

Description

CacheName

The name of the cache.

TimeToLive

The default time that items reside in the cache before expiring.

CacheType

The type of cache. This is always Partitioned.

Secondaries

A value of 1 indicates that the cache uses the high availability feature.

IsExpirable

Indicates whether objects in the cache can expire.

EvictionType

Specifies an eviction type of Least-Recently-Used (LRU) or None.

NotificationsEnabled

Indicates whether notifications are enabled for this cache.

Taken from http://msdn.microsoft.com/en-us/library/ff921029(v=azure.10).aspx

Some other useful URLs

http://msdn.microsoft.com/en-us/library/ff921010(v=azure.10).aspx

http://msdn.microsoft.com/en-us/library/ff921023(v=azure.10).aspx

Categories: AppFabric

AppFabric 1.1–Auto Start on computer start up

January 7, 2014 2 comments

One of the things about AppFabric is that you cannot run it directly via services

 

image

NEVER and I mean NEVER set this to automatic, you will pay dearly for this

 

The recommended way is to run the Caching Administration Powershell shortcut

image

and then run Start-CacheHost

 

HOWEVER, there is a way for AppFabric to automatically start upon computer start up, what you need to do is to create the following powershell script and save it somewhere, e.g c:\appfabric.ps1

 

import-module DistributedCacheAdministration

$computer = gc env:computername

use-cachecluster

start-cachehost -hostname $computer -cacheport 22233

 

Then add a scheduled task with the following settings

General

image

 

Triggers

image

Actions

image

Program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Arguments: C:\appfabric.ps1

 

Reboot the computer and watch AppFabric automagically startup on boot, enjoy!

Categories: AppFabric
Follow

Get every new post delivered to your Inbox.