Archive

Archive for May, 2014

Seafile end to end encryption for encrypted libraries (v3)

May 11, 2014 2 comments

Rephrased from https://seacloud.cc/group/3/wiki/faq-for-security-features/ and https://github.com/haiwen/seafile/wiki/Seafile-server-components-overview

FYI, encryption used are all symmetric

Master Key
When you create an encrypted library, a random file key (master key) is generated. This master key is the main key that is used to encrypt and decrypt the files and this key has NOTHING to do with your password, and is not stored anywhere in the system. As long as you can get this key, your access to the data is confirmed! There is also no known way to change this easily.

Enc Master Key
The password you entered is used to encrypt the master key (enc master key) , this data is stored in the server to send out to the clients in order to derive the actual file key by decrypting with the password.
I.e master key enc master key

Web Browsers (8000, 8082)
For browsers and all access thru http protocols (inc mobile devices) the enc master key and encrypted data is sent to the client/server and the client/server will do the neccessary decryption to get the file key which is then used to decrypt the encrypted data to get the actual file. For mobile apps, it seems the file key is also stored in the app data.

cc net (10001) and seaf daemon (12001)
A magic token is generated from the library id and password and stored on the server. This is used to confirm the password is correct. Once it is confirmed, the master key is stored on the client.

summary
Although no passwords are stored anywhere, this does not really matter since all it does is to decrypt the encrypted master key, what really matters is the file key, which unfortunately seems to be stored on both the client as well as mobile app, quite possibly in an unencrypted format.

So while the sys admin is not able to your files. Should your devices be compromised, the hackers potentially have access to your file key which will unlock the files when they request it from 8082 which does not need any form of authentication.

Categories: Uncategorized

Windows Server Storage Spaces–Auto attach disk

May 8, 2014 Leave a comment

Sometimes when you reformat a server, the volume in the storage spaces is not auto attached.

 

to set it to automatically load use the following powershell

Set-VirtualDisk -FriendlyName Mirror -IsManualAttach 0

Categories: Windows Server

Enabling HTTPS for Seafile (Windows)

May 7, 2014 71 comments

EDIT: Video tutorial can be found at http://www.youtube.com/watch?v=HRNCpR_mSSs&feature=youtu.be

While there has been documentation on how to enable HTTPS for seafile in *nix environment. There is no documentation for doing this on windows.   Looking at the nginx implementation, it is essentially doing a reverse proxy. This is something that IIS+URL Rewrite can easily achieve!   Before we proceed, take a look and understand the reverse proxy requirements found at https://github.com/haiwen/seafile/wiki/Enable-Https-on-Seafile-web-with-nginx   I will not go into steps on how to generate your own SSL cert, but rather focus on how to use IIS to reverse proxy the necessary ports.   Requirements

  1. Standard implementation of seafile ONLY
    1. ie seafile listens on the following port: 8000, 8082, 10001, 12001
  2. HTTP requests to port 80 will be redirected to HTTPS calls on port 443
  3. HTTPS requests on port 443 will be treated as follows
    1. if it starts with seafhttp, send it to seafile port 8082
    2. otherwise send it to seafile port 8000

Step by Step Guide

  1. Install seafile on the server
  2. Install IIS with default options
  3. Run IIS Manager image
  4. Install Web Platform Installer (WebPI)
  5. Inside WebPI, install URLRewrite
  6. Create 2 websites, pointing to separate physical folders. Ensure the https website is associated with a valid SSL certificate image
  7. Edit the web.config for the HTTP site

    <?xml version=”1.0″ encoding=”UTF-8″?> <configuration> <system.webServer> <rewrite> <rules> <rule name=”Redirect to HTTPS” stopProcessing=”true”> <match url=”(.*)” /> <action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” /> </rule> </rules> </rewrite> </system.webServer> </configuration>

  8. Edit the web.config for the HTTPS site

    <configuration> <system.webServer> <rewrite> <rules> <rule name=”seafhttp” stopProcessing=”true”> <match url=”seafhttp/(.*)” /> <action type=”Rewrite” url=”http://127.0.0.1:8082/{R:1}” appendQueryString=”false” logRewrittenUrl=”true” /> </rule> <rule name=”Reverse Proxy” patternSyntax=”ECMAScript” stopProcessing=”true”> <match url=”(.*)” /> <!– Redirect all requests to non-HTTPS site. –> <action type=”Rewrite” url=”http://localhost:8000/{R:1}” logRewrittenUrl=”true” /> </rule> </rules> </rewrite> </system.webServer> </configuration>

  9. Enjoy a secure version of seafile 🙂
Categories: General, Hacking, IIS