Home > Uncategorized > Seafile end to end encryption for encrypted libraries (v3)

Seafile end to end encryption for encrypted libraries (v3)

Rephrased from https://seacloud.cc/group/3/wiki/faq-for-security-features/ and https://github.com/haiwen/seafile/wiki/Seafile-server-components-overview

FYI, encryption used are all symmetric

Master Key
When you create an encrypted library, a random file key (master key) is generated. This master key is the main key that is used to encrypt and decrypt the files and this key has NOTHING to do with your password, and is not stored anywhere in the system. As long as you can get this key, your access to the data is confirmed! There is also no known way to change this easily.

Enc Master Key
The password you entered is used to encrypt the master key (enc master key) , this data is stored in the server to send out to the clients in order to derive the actual file key by decrypting with the password.
I.e master key enc master key

Web Browsers (8000, 8082)
For browsers and all access thru http protocols (inc mobile devices) the enc master key and encrypted data is sent to the client/server and the client/server will do the neccessary decryption to get the file key which is then used to decrypt the encrypted data to get the actual file. For mobile apps, it seems the file key is also stored in the app data.

cc net (10001) and seaf daemon (12001)
A magic token is generated from the library id and password and stored on the server. This is used to confirm the password is correct. Once it is confirmed, the master key is stored on the client.

Although no passwords are stored anywhere, this does not really matter since all it does is to decrypt the encrypted master key, what really matters is the file key, which unfortunately seems to be stored on both the client as well as mobile app, quite possibly in an unencrypted format.

So while the sys admin is not able to your files. Should your devices be compromised, the hackers potentially have access to your file key which will unlock the files when they request it from 8082 which does not need any form of authentication.

Categories: Uncategorized
  1. December 23, 2015 at 5:07 pm

    Are there any news about the new Seafile’s Security? Your post was really helpful to do some considerations about Seafile… But now I’m asking: Have these guys improved their security issues?

    • December 24, 2015 at 12:06 am

      Hi Andrea,

      Not sure what happened to it, Seafile has had quite a fair bit of change recently, moving all towards HTTPS traffic which should help alleviate some of the risk.

      They are very focused on security, so i’m sure something has been done, however i’ve not had the time to look into it

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: