{"id":27354475,"url":"https://github.com/harrykodden/encrypted-mounting","last_synced_at":"2025-04-12T21:54:22.124Z","repository":{"id":39592803,"uuid":"436565749","full_name":"HarryKodden/encrypted-mounting","owner":"HarryKodden","description":"This repository is the working environment for developing a Proof of Concept for mounting an Encrypted Volume available to a group of Researchers","archived":false,"fork":false,"pushed_at":"2024-03-04T13:56:09.000Z","size":404,"stargazers_count":1,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-03-04T15:16:53.977Z","etag":null,"topics":["encryption","mounting","webdav"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HarryKodden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-12-09T10:00:13.000Z","updated_at":"2024-04-14T23:26:53.029Z","dependencies_parsed_at":"2024-03-04T15:21:39.469Z","dependency_job_id":null,"html_url":"https://github.com/HarryKodden/encrypted-mounting","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HarryKodden%2Fencrypted-mounting","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HarryKodden%2Fencrypted-mounting/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HarryKodden%2Fencrypted-mounting/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HarryKodden%2Fencrypted-mounting/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HarryKodden","download_url":"https://codeload.github.com/HarryKodden/encrypted-mounting/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248637801,"owners_count":21137538,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption","mounting","webdav"],"created_at":"2025-04-12T21:54:21.272Z","updated_at":"2025-04-12T21:54:22.114Z","avatar_url":"https://github.com/HarryKodden.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Encrypted Mounting\n\nThe objective of this Proof of Concept is to allow a group of Researcher work together sharing files that can be encrypted automatically.\nThe collaboration of the team is managed by SRAM. Only active members of SRAM can mount the ecrypted volume.\n\nFunctional the mount process will look like this:\n\n```plantuml\n!include assets/overall.iuml\n```\n\n## Design\n\n![Alt text](assets/design.png \"Design\")\n\n## Identified solutions / usecases\n\n- Safely collaborate and store privacy sensitive documents on research cloud.\n- Create a safe portal for applications to submit sensitive data that can only be investigated by active members.\n- Manage user access by not connecting the encrypted folder to a specific person.\n\n## rClone + webDav\n\n### Registering a Storage backend\n\n```plantuml\n!include assets/rclone_co_admin.iuml\n```\n\n(1) The used encryption key is stored in Vault and used for:\n\n- (re-)generate rclone config\n- emergency decryption option of encrypted data\n\nAfter these steps the generated encryption key is not stored otherwise. The rclone config only holds a hashed value of that encryption key.\n\n(2) The generated rclone config consist of 2 remote definitions:\n\n- The first section specifies how to access the remote storage based on properties given during registration (and testing the connection)\n- And on top of that an additional remote section that is using the encryption key (1) for an encrypted mountpoint. Only the encrypted mountoint is used in (3)\n\nexample:\n\n```rclone\n[mydata]\ntype = sftp\nhost = example.stackstorage.com\nuser = user@example.com\nport = 22\npass = \u003c...\u003e\nkey_file_pass = \u003c...\u003e\n\n[encrypted]\ntype = crypt\nremote = remote:mydata\npassword = \u003c hash of encryption key \u003e\n```\n\n(3) The Apache config added to the portal offers a webDav url to access the rclone encrypted remote backend\n\n### Using a storage backed (Read/Write encrypted only)\n\n```plantuml\n!include assets/rclone_co_member.iuml\n```\n\n(1) This WebDav endpoint will be a HTTPS secured endpoint. The webDav storage available to the user will be the 'encrypted rclone remote backend' exclusively.\n\nUser access is granted via Basic Authentication (combination userid/password). The User has to retrieve his personal credentials via the separate flow accessing his personal wallet. (\\*)\nHis wallet is only accessible after succesfull SRAM authentication.\n\nUsing credentials like userid/password allows mounting the webDav endpoint via standard Mac- and Windows Finders.\n\n(\\*) Please note: The credentials used by the end-user to authenticate to the webDav is independent of the encryption key used to encrypt/decrypt the data on the storage bac\n\n# Proof Of Concept\n\nDuring a [POC](./POC.md) excercise the functionality is demonstrated.\n\n# Setting up encrypted mounting on a Research Cloud VM.\n\n## Setting up your domain\n\nmake sure you have your own domain name pointed at the ip-address of your machine and also a wildcard DNS record for that domain. So register a fixed ip-address first in research cloud and then register the domain to resolve to that ip-address:\n\n```bash\nyour-domain.com    --\u003e IP-address\n```\n\nYou need to set the registered domain name and ansible_user in `./ansible/inventory/workspace`, For easy use, register your Research Cloud user name at ansible_user. This user is used for deployment and allready had the appropriate ssh keys.\n\n```shell\n[workspace]\nyour-domain.com\n\n[workspace:vars]\nansible_python_interpreter=/usr/bin/python3\nansible_user=rinsrutgers\n```\n\n## Settting the environment variables\n\nMove the example environment file to the appropriate place and rename:\n\n```shell\nmv ./ansible/.env.sample ./ansible/.env\n```\n\nFill in the following configuration:\n\n```\n# SRAM URL.\nSRAM_URL=https://sram.surf.nl\n\n# OIDC connection with SRAM for Administrator authentication\nSRAM_OIDC_BASE_URL=https://proxy.sram.surf.nl\nSRAM_OIDC_CLIENT_ID=\u003c SRAM Registered client id \u003e\nSRAM_OIDC_CLIENT_SECRET=\u003c Secret key\u003e\n\n# OIDC Authenticated users will need a claim \"eduperson_entitlement\" that contains the value of the SRAM_ADMIN_ACCESS_GROUP\n# in order to be authorized to control the admin dashboard.\nSRAM_ADMIN_ACCESS_GROUP=urn:mace:surf.nl:sram:group \u003cspecify as the group as detailed as you wish...\u003e\n\n# This is the Service API key that is used to validate authorized users of this service.\n# SRAM users need to be part of a SRAM Collaboration connected to this service\n# AND the users has to have created to SRAM Token for that same service.\nSRAM_SERVICE_BEARER_TOKEN=\u003c token from SRAM collaboration, generate token within sram.\u003e\n\n# This will be the administrator password to access the Traefik dashboard, eg \"https://proxy.\u003cdomain\u003e/dashboard/\nPROXY_ADMIN_PASSWORD=\u003c Put your secret here !\u003e\n\n# Are there specific values for 'eudperson_entitlements' that you would like to apply, put them here.\nPAM_VALIDATE_USERS_ENTITLEMENT=\u003centitlment1,entitlement2,...\u003e OR \u003c*\u003e OR\n```\n\n## Deployment\n\nDeploy encrypted mounting on Research Cloud from your own machine, make sure you are in the `./ansible` directory:\n\n```shell\ncd ansible\nexport $(cat .env | xargs)\nansible-playbook -i inventory/workspace playbook.yml\n```\n\nTo deploy on AWS you can use the Terraform scripts.\n\n```shell\ncd terraform\nexport $(cat .env | xargs)\nterraform init\nterraform plan\nterraform apply\n```\n\n## After deployment the following endpoints are available:\n\n\u003e ## https://your-domain.com\n\n\u003e This is the home page of the service.\n\u003e Links are presented to help you find your way.\n\u003e The Admin link is for the Service Administrator to configure the mountpoints.\n\u003e All the mountpoints that are configured, are listed as well so that users can navigate to these mountpoints And/Or copy the mountpoint URL to their OSX Finder (Cmd-K) or Windows Explorer.\n\u003e\n\u003e Admin Users need to authenticate with SRAM and need to be member of the SRAM Group that is specificied during deployment with key **SRAM_ADMIN_ACCESS_GROUP**\n\u003e\n\u003e Uers can oly authenticate with the WebDAV mountpoints using basic authentication, where:\n\u003e\n\u003e - Username is your SRAM Username\n\u003e - Password is your SRAM Token that you have registered in SRAM for this service\n\u003e\n\u003e ## https://your-domain.com/ui\n\n\u003e This is the Vault portal page.\n\u003e Normally you do not need to operate Vault.\n\u003e In production it is adviced not even activate the vault UI at all.\n\u003e If you do need to authenticate, consult the administrator of this installation. He holds the key material in his secure /root folder.x\n\u003e\n\u003e ## https://your-domain.com/dashboard/\n\u003e\n\u003e - Your username is admin\n\u003e - Your password is the one you choose during step X\n\u003e\n\u003e This interface brings you to the proxy portal where you can inspect how all traffic is routed.\n\n\u003e ## https://your-domain.com/admin\n\u003e\n\u003e - Your username is your SRAM username, you can find it in your profile.\n\u003e - Your login will be handled bij SRAM itself.\n\u003e\n\u003e This interface brings you to the Rclone admin panel. From here you will set up your encrypted folders by attaching external cloud storage. Rclone supports over 40 cloud storage providers, so you are not limited to Research Cloud but you could also mount google drive or onedrive.\n\u003e Every `encrypted mount` is configured by a config file, this is either created by a step by step interactive way (on this endpoint) or plain text (the next endpoint). The name of this configuration block will also be used on the webdav mount later on.\n\n\u003e ## https://your-domain.com/admin/api/doc\n\u003e\n\u003e This endpoint brings you to a swagger documentation page where you can test out the API of the systen. This is particculary useful to quickly download or test your configuration files.\n\u003e\n\u003e - Authentication is handled in the same way as the admin panel.\n\n\u003e ## https://your-domain.com/webdav/your-rclone-config-name\n\u003e\n\u003e - Your username is your SRAM username, you can find it in your profile.\n\u003e - Your password is a token from SRAM. To get it, log in to SRAM and go to _Tokens_ and generate one, copy it and carefully store it in a password manager, you will not be able to see it again.\n\u003e\n\u003e This endpoint is used to access your encrypted mounting point trough the webDav protocol, by doing so it is accessible via standard Mac- and Windows Finders with a userid/password.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fharrykodden%2Fencrypted-mounting","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fharrykodden%2Fencrypted-mounting","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fharrykodden%2Fencrypted-mounting/lists"}