Hi,

I wonder if sftp-server could encrypt files before writing to disc. This would make sshd a poor man's alternative for an encrypting filesystem on a server.

How to get the crypto key from a client to be used by sftp-server? Upload the key to a /well/defined/key.pem virtual location? Or can you access the ssh client certificate from sftp-server?

Can sftp-server call a filter?
Or would one write a sftp-server replacement?

Juergen
Why not just encrypt the files before you upload them?

On Thu, Sep 13, 2018, 08:20 Jürgen Weber <juergen at jwi.de> wrote:

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Usability. If the server encrypts, there is no need for any special client software on any of your Linux/Win/Android gadgets.

Juergen

Peter Moody <mindrot at hda3.com> wrote on Thu, 13 Sep 2018, 17:46:
> Why not just encrypt the files before you upload them?
Jürgen Weber wrote:
> I wonder if sftp-server could encrypt files before writing to disc.
> This would make sshd a poor man's alternative for an encrypting
> filesystem on a server.

What does the poor man want to gain with this encryption?

> How to get the crypto key from a client to be used by sftp-server?
> Upload the key to a /well/defined/key.pem virtual location?

That can be implemented, but I don't know that it's a good idea. If the poor man controls the server to implement something like that, then the poor man can probably also just enable full disk crypto.

> Or can you access the ssh client certificate from sftp-server?

SSH clients don't always use a certificate, nor always a key.

> Can sftp-server call a filter?

No, but you can post-process uploaded files as the filesystem changes.

> Or would one write a sftp-server replacement?

You can, but the poor man needs root access to deploy that, and if he is root then he's probably better off with full disk crypto.

//Peter
Dear Peter, dear list,

An interesting scenario is when the user stores encrypted files on a server without the server admin and other users having access to the files. This could be implemented on the client side by encrypting the files before sending them to the server and decrypting them while receiving - and this could be done by the SSH client. I would like that feature - very much. It would make "automagic" possible - storing encrypted files with autofs for transparent encrypted network file storage. Sounds really awesome.

It would be nice if the server would tell the client which key the client used to encode the files - this could be implemented in many ways; one approach is to write the public key / fingerprint to the beginning of the file before the actual content, or to have a meta file next to the actual file. I see less practical use with password authentication, but a timestamp or the first two characters of the password as the meta would also help forgetful persons like me.

I would really like SFTP/SSHFS to take over from other network file storage protocols. This could be a killer feature to achieve that.

Best wishes:
Elmar
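A sketch of the client-side variant Elmar describes (encrypt before upload, record which key was used in a header at the start of the file), written as an added example for this thread; it is not code from OpenSSH or from any poster. It assumes the `cryptography` package is installed, and it uses the SSH public key's OpenSSH-style SHA256 fingerprint purely as a label for a separately held symmetric file key (SSH signing keys are not used for the encryption itself); the key line, file name and key id values are constructed for the example.

```python
import base64
import hashlib
import os
from cryptography.exceptions import InvalidTag            # assumed installed
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"SFTPENC1"   # constructed format tag, not a real standard

def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of an authorized_keys-style line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def seal(plaintext: bytes, file_key: bytes, key_id: str) -> bytes:
    """Header naming the key, then a fresh nonce and AES-GCM ciphertext.
    The header is bound as associated data, so swapping it breaks the tag."""
    header = MAGIC + b" " + key_id.encode() + b"\n"
    nonce = os.urandom(12)
    return header + nonce + AESGCM(file_key).encrypt(nonce, plaintext, header)

def unseal(blob: bytes, keyring: dict) -> bytes:
    """Look up the key named in the header; raises on unknown key or tampering."""
    head, _, body = blob.partition(b"\n")
    header = head + b"\n"
    magic, key_id = head.split(b" ", 1)
    if magic != MAGIC:
        raise ValueError("not an encrypted upload")
    file_key = keyring[key_id.decode()]     # KeyError: this client lacks the key
    nonce, ct = body[:12], body[12:]
    return AESGCM(file_key).decrypt(nonce, ct, header)   # InvalidTag if modified

# Constructed sample: wire-format shape of an ed25519 key, NOT a real key.
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
).decode() + " juergen@client"

def demo() -> bool:
    """Round trip, then confirm a one-bit change in the upload is rejected."""
    fp = ssh_fingerprint(SAMPLE_PUBKEY)
    keyring = {fp: os.urandom(32)}
    blob = seal(b"backup-2018-09-13.tar", keyring[fp], fp)
    ok = unseal(blob, keyring) == b"backup-2018-09-13.tar"
    tampered = bytearray(blob)
    tampered[-1] ^= 1
    try:
        unseal(bytes(tampered), keyring)
        return False
    except InvalidTag:
        return ok
```

The header is the "which key did I use" hint the message asks for; keeping it inside the authenticated data means the server (or anyone with write access to the directory) cannot relabel a file to point the client at a different key.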
There are cheap virtual Linux root servers that don't support encrypted filesystems, even if you have root, as even root cannot change the kernel or modules.

And most sftp clients will allow you to set the server port, so no need to run as root at all. Why not run an encrypting sftp server at port 2222 as user daemon? Just a secure box at yourserver:2222 you drop your files into. No infrastructure needed except a port and some directory.

And, to create an incremental backup of a bunch of encrypted files is way easier than a backup of an encrypted file system.

Juergen

On Thu, 13 Sep 2018 at 21:17, Peter Stuge <peter at stuge.se> wrote: