{"id":13510230,"url":"https://github.com/spapas/etsd","last_synced_at":"2025-08-11T22:32:22.739Z","repository":{"id":39272206,"uuid":"390269997","full_name":"spapas/etsd","owner":"spapas","description":"Transmit sensitive data encrypted across your organization!","archived":false,"fork":false,"pushed_at":"2024-07-09T06:33:11.000Z","size":8986,"stargazers_count":48,"open_issues_count":2,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-12-01T08:57:18.507Z","etag":null,"topics":["crypto","encryption","pgp","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spapas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-28T08:15:42.000Z","updated_at":"2024-07-09T06:33:15.000Z","dependencies_parsed_at":"2024-01-13T19:25:52.808Z","dependency_job_id":"3fdf5143-1cd8-4745-8f3e-a5d55839b563","html_url":"https://github.com/spapas/etsd","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spapas%2Fetsd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spapas%2Fetsd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spapas%2Fetsd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spapas%2Fetsd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spapas","download_url":"https://codeload.github.com/spapas/etsd/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229614602,"owners_count":18099068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crypto","encryption","pgp","security"],"created_at":"2024-08-01T02:01:29.929Z","updated_at":"2024-12-13T20:54:46.375Z","avatar_url":"https://github.com/spapas.png","language":"JavaScript","funding_links":[],"categories":["JavaScript","security"],"sub_categories":[],"readme":"etsd - Electronic Transmission of Sensitive Data\n================================================\n\nTransmit sensitive data throughout your organization using PGP (with the help of the openpgp.js library)\n\n# Rationale\n\nSome organizations need to transmit sensitive data between their departments/users. Such data may be personal details, \nwork evaluation or even medical conditions. It is\nimportant for such data to be delivered and be\nseen only by its recipient and not by anybody\nelse.\n\nOne true and tested way for such data transmission\nis to use GPG. The data will be encrypted with\nthe recipient's public key and only the recipient,\nusing his private key will be able to decrypt and\nread it.\n\nPGP is an old protocol that works fine with email\nand even after all these years if it considered\nby security experts as extremely secure. However\nit is heavily criticized because it is difficult\nto use properly leading to security breaches\ndue to usage errors. Also, in order to properly\nuse it and avoid mistakes the PGP user must \nunderstand some things about how the public \nkey cryptography is working. This is not an easy\ntask for the non technical user.\n\nThis web application wants to build on PGP's\nsecurity but also offer a simple enough\nwork flow to minimize errors and security\nbreaches even for less security aware users.\n\n# How it works\n\nThe app contains a bunch of authorities each one with a\nbunch of users. Each authority that wants to\nreceive data will need to generate a Private/Public key Pair \nwhich will then need to get the administration\nto approve using some OOB communication. Only the\npublic key of the pair will be saved to the server. The private\nkey and its encryption passphrase are saved only client side.\n\nAfter the public key is approved the authority\ncan receive data. The data is encrypted with\nits public key using\nOpenPGP.js *on the client side* and only the cipher\n(not the original data) is saved to the server. Since the original data\nnever reaches the server we can be sure that\neven if the server was compromised somehow\nno sensitive data would be breached.\n\nWhen a user of the receiving authority logs in\nhe can choose to submit the authority private key so\nit can be used to decrypt the authority data.\n\n# Risks\n\nIf your server is compromised, the client-side (JS) code *could* be changed \nso it transmits the private key of the users over the network when they unlock it. \nThis way the malicious user will get access to the data of all the users that\nunlock their key while the backdoor is undetected.\n\nThis can be resolved by using self-contained binaries that interact with the service\nand have their signature published.\n\n\n# Installation\n\nThis is a rather simple Django application. It has *no* external dependencies\nbeyond Django and a database. You can even use sqlite3 if you wanted but I'd \nrecommend something like Postgresql. All other dependencies are django\npackages that can be installed through the requirements/*.txt (there are \ndifferent files for dev/uat/prod).\n\nHere's how I would install this for a dev environment:\n\n```\nE:\\\u003emkdir etsd\nE:\\\u003ecd etsd\nE:\\etsd\u003epy -3 -m venv venv\nE:\\etsd\u003evenv\\Scripts\\activate\n(venv) E:\\etsd\u003egit clone https://github.com/spapas/etsd\n(venv) E:\\etsd\\etsd\u003epip install c:\\Users\\serafeim\\Downloads\\python_ldap-3.3.1-cp38-cp38-win32.whl\n    Processing c:\\users\\serafeim\\downloads\\python_ldap-3.3.1-cp38-cp38-win32.whl\n    [...]\n(venv) E:\\etsd\\etsd\u003epip install -r requirements\\dev.txt\n    Collecting crispy-bootstrap5==0.4 (from -r requirements\\base.txt (line 1))\n    [...]\nset DJANGO_SETTINGS_MODULE=etsd.settings.dev\ncopy local.py.template local.py\n    [Edit the local.py file and ldap_conf.py with your preferences]\nE:\\etsd\\etsd\u003ecd etsd\\settings\ndj migrate\ndj createsuperuser\n    [...]\nrsp\n```\n\nNow you can visit http://127.0.0.1:8000 and login with the superuser credentials.\n\nIf you see any errors during the requirements installation make sure that you are\nusing the latest version of pip.\n\nTo install it for a production environment you can follow the instructions for \nany python/django web app.\n\n# Branding\n\nYou can override the templates used in this project by adding the corresponding files in the `etsd/branding/template` folder. I've added a project that can be cloned in the `etsd` folder (by removing the existing `branding` folder) to keep my changes under version control.\n\n# User scenarios\n\nLet's see how this works in practice. *Please notice that all the following screens have much helpful text\nfor the end user that should guide him properly in his actions. I am not including it here to keep the \nimages a little smaller*.\n\nSuppose you have two deparments, HR and Marketing. Marketing would like to send some encrypted data to HR. \n\nFor starters, the HR must generate his key pair in order to be able to receive data:\n\n## To create a new key pair and submit the public key for approval:\n\n**The home screen after a user has logged in is this:**\n\n![01 home](https://user-images.githubusercontent.com/3911074/130051873-13d41917-9c17-44d4-aba2-580eb9ece79b.png)\n\n\n**He picks Public Key list:**\n![02 key_list](https://user-images.githubusercontent.com/3911074/130051943-751ff648-ea7a-4a8f-83f8-5952bdcf1a57.png)\n\n\n**And then Generate Key pair:**\n![03 generate_key_pair](https://user-images.githubusercontent.com/3911074/130051985-b84513c2-74ca-416b-b557-6f9cb61f04ef.png)\n\n\n**He enters his keyphrase, downloads the private key and presses submit to save the public key to the server. Only the \npublic key will be saved to the server. The keyphrase is needed to encrypt the generated private key that he must \nthen download to his computer:**\n![03a key_info](https://user-images.githubusercontent.com/3911074/130052046-afe11989-d24a-4ecb-b191-b2a3acbf3c16.png)\n\n\n**He loads the private key to his session by using the Load Private Key option:**\n![04 load_private_key](https://user-images.githubusercontent.com/3911074/130052180-d7485903-421d-4ecd-8273-89b551a191ba.png)\n\n\n**After submitting the private key file and passphrase both are saved to his browser (using local storage, they are not submitted to the server):**\n![04a key_loaded](https://user-images.githubusercontent.com/3911074/130052223-48553e87-be5f-4dbc-92dd-ffb4002e0f69.png)\n\n\n**Now he can submit his key for approval to the administrators along with a proper document (the public key that will be submitted is validated with the loaded private key before sending it to make sure that the user has not made some mistake):**\n![05_key_approval](https://user-images.githubusercontent.com/3911074/130052315-244669eb-a788-4f2c-a1cc-97fa2aceab46.png)\n\n## Sending the data:\nThe public key must be approved by an administrator before it can be used to encrypt data.\n\n**After the public key is approved, the marketing user can send his data. First he selects the Messages list:**\n![06_msg_list](https://user-images.githubusercontent.com/3911074/130052785-d0ea03d3-7783-4c61-930d-a5c337a1ed5a.png)\n\n**And starts a new Message where he selects the HR department as a recipient:**\n![07_new_msg](https://user-images.githubusercontent.com/3911074/130052991-cd9536e9-2c55-481b-ac45-87d75be1e118.png)\n\n**The new message is created as a draft (which can be deleted is something was wrong):**\n![08_message_detail](https://user-images.githubusercontent.com/3911074/130053408-a5410113-1677-4fed-8352-decf140da861.png)\n\n**In order to send the message, the marketing user must add some data to it. The user just selects the files one by one.\nEach file is encrypted client-side and only the cipher is uploaded to the server. If there are mutliple receivers the \nmessage will be encrypted mutliple times, once for each receiver's public key.**\n![09_message_add_data](https://user-images.githubusercontent.com/3911074/130053561-915857d6-6705-4131-8a33-5d04b6b56b00.png)\n\n**After the user finished uploading the data he can send the message:**\n![10_message_send](https://user-images.githubusercontent.com/3911074/130053802-9eae3b83-b39f-49d8-89b4-0620bb1ceae4.png)\n\n## Retrieving the message data:\n\nNow the HR user will receive an email informing him that he just got a new encrypted message. \n\n**He logs in to the app and sees the message in his message list:**\n![11_message_list2](https://user-images.githubusercontent.com/3911074/130054028-05786d6c-6b32-433b-b395-db21e9712073.png)\n\n**He clicks the message id to see its data but he is not able because he has not loaded his private key:**\n![12_message_detail_no_pk](https://user-images.githubusercontent.com/3911074/130054160-85191c44-c48a-4537-9993-a482cd921585.png)\n\n**He then loads his private key to his browser following the same procedure as before and now he is able to actually decrypt the data.\nOnce again, the data is downloaded as a cipher and it is decrypted in his computer using his private key locally**:\n![13_message_detail_pk](https://user-images.githubusercontent.com/3911074/130054323-c8711bfc-ded2-4672-ad32-d8e285d25f8f.png)\n\n**After he has downloaded  and decrypted  all the message data the message status is changed to Read and he can archive it:**\n![14_message_detail_read](https://user-images.githubusercontent.com/3911074/130054470-34e82d8b-6e20-46fc-8739-911b32428547.png)\n\nHe could also delete the cipher data from the server completely if he choses. The message will not be deleted but the data that was \nencrypted with his public key will be completely removed.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspapas%2Fetsd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspapas%2Fetsd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspapas%2Fetsd/lists"}