Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/stef/stash

a private dropbox
https://github.com/stef/stash

Last synced: about 1 year ago
JSON representation

a private dropbox

Awesome Lists containing this project

README 

          
* stash

stash is a private dropbox.



If you want someone to be able to upload files from their browser

directly onto your computer at home, install stash once, and allow

dedicated access to your friends to share files with you. Maybe your

dad wants to send you the video from the family event, or a colleague

a huge database, stash might be the right thing. If you run stash on a

server on the internet, your uploads are encrypted and only accessible

with your secret PGP key. There's a short time when the file is

unencrypted in memory (but not on disk!) on your server while

uploading, but you can get around that uploading stuff that is already

encrypted.



where's the screenshots? here: [[screenshots/]]



stash should be easy to use for uploaders, while providing the

following attributes:

 - Allow upload of huge files (I know, it's HTTP, still).

 - The only private information retained is the public PGP keys of the

   stash owners. No passwords even. Just make an extra PGP key and

   email for an added anon factor.

 - Uploaded files are automatically encrypted with the stash owners

   key. This can be disabled, if you want to upload data that is

   already encrypted.

 - Stash owners are automatically emailed to the email address listed

   in their public key about new uploads. These emails are also PGP

   encrypted.

 - User authentication is done using [[https://github.com/stef/tlsauth/][tlsauth]]: uploaders do not need a

   cert, new stash owners registering either, but all other parts

   require valid certs.

 - Stash IDs are generated randomly and should be hard to guess, this

   the only protection - tlsauth does not protect these upload forms -

   this is intentional to make it useful for "mom". however you can

   also specify your own human parseable stash ID if needed, tlsauth

   should be mandatory then for uploads as well.

 - Even though stash uses certificates for authentication, the user

   management is very simple and similar to normal user admin

   workflows, the only difference is that users have to import their

   cert into their browser after certification.



* Installation

  If you are of the adventurous type you might want to try out the

  automatic and never-before tested install.sh, which does all -

  except the last two: "import" and "done" - these below

  automagically.  Otherwise you'll be setting up an onion service,

  nginx, a CA and related certificates, importing some of them into

  browsers and also configuring the stash.

** Depends

   tlsauth, nginx

** Setup a tor hidden service

If you don't need a hidden service (why not? - it's nice to go behind

NAT), then you can skip this, but the install script does it anyway.



Create this hidden service in your /etc/tor/torrc file:

#+BEGIN_SRC sh

sudo cat >>/etc/tor/torrc </crl.pem " CA" email1@

    #+END_SRC

*** create a subCA

    ...for the client auth keys

    #+BEGIN_SRC sh

./tlsauth.py subCA createca http:///client-crl.pem " client CA" email@ CA

    #+END_SRC

*** create https server certificate

    #+BEGIN_SRC sh

./tlsauth.py CA newcsr  root@ >CA/server.key

    #+END_SRC

*** Sign server cert with Root CA

    #+BEGIN_SRC sh

./tlsauth.py CA sign CA/public/server.pem

    #+END_SRC

*** Remove Root CA private key

It is important to remove and store the root CA private key in a safe

offline location, as it can be used to mount a MITM attack against all

users, who trust this key. You need this key in 1 year, when you need

to renew your client CA certificate (per default it's only valid for

one year!)

    #+BEGIN_SRC sh

mv root-ca/private/root.key 

    #+END_SRC

** Setup nginx

Adapt the path "/var/run/stash" and the hostname in stash.nginx.conf, then

#+BEGIN_SRC sh

cp stash.nginx.conf /etc/nginx/sites-available/stash

ln -s /etc/nginx/sites-available/stash /etc/nginx/sites-enabled/

/etc/init.d/nginx restart

#+END_SRC

** Create your own client certificate

This step is like setting up the admin account on other systems:

#+BEGIN_SRC sh

./tlsauth.py subCA newcsr joe joe@localhost >joe.key

./tlsauth.py subCA sign joe.cert

./tlsauth.py root-ca p12 joe.key joe.p12

#+END_SRC

Store the files ending in .key and .cert in some safe offline storage.

** Configure stash

edit cfg.py and set:

 - 'sender' to some email address for the origin of mails sent by stash

 - 'admins' is a list of emails, that when presented a certificate with

   an email in this list, the user will have admin privileges.

 - 'secret' to some long random string

 - 'root' to some path which will serve as root for all file operations.

 - 'ca' to the directory containing your CA files under 'root'

 - 'notify' to False if you don't want any notifications being sent out after uploads.

** Start stash wsgi daemon

#+BEGIN_SRC sh

uwsgi --socket 127.0.0.1:23023 --chdir $PWD --pp $PWD/.. -w stash -p 1 --py-auto-reload 1

#+END_SRC

** Importing certificates

Open in your favorite browser the following url:

http:///cert.pem



Which should offer you to automatically import the CA root certificate

into your browsers, and it also asks you what you want to trust it,

allow your browser to trust this CA with servers and user, but not

software.



Also download and import the .p12 certificate generated in "Create your own

client Certificate" into your browser.

** Done

visit:

 - To create a new stash: https:///settings/newstash

 - to list stashes: https:///settings/stashes

 - to list user access requests: https:///settings/requests



Your friends can now request access to your stash by going to:

https:///settings/register



However this generates the certificate in your browser, and if you -

as I - do not trust your browser, you might want to generate your keys

and certs offline in a more controlled environment and upload your CSR

here: https:///settings/request



Also my firefox did not store the generated key in the keystore, so i

had to use a proper CSR anyway.