[Encryption-Idea] use the recovery key to re-encrypt files if user was added to group #10010
Comments
|
The "special cases" that brought this discussion alive were all from an environment where there is in fact a sysadmin, who will do the necessary manual steps, i think they even will be able to set up the recovery for all users affected. I am for solution 2 (or something based on that), and will be happy if i can help to realize it in any way. |
|
Interesting that no one found this corner-case before. I think option 2 is the best. But it should be visible in the web-interface somehow that is step is needed. It should also be integrated into occ. |
|
I'm for 2 also.I think when the administrator creates a user and add it into a group, he already knows that he has to run the script (overnight) to re-share the files. I think a good documentation should be prepared, this way the user of ownCloud knows that encryption needs more attention after activated than a system without it. |
|
To be honest guys… I really don’t think this makes much sense in an enterprise setting… There really needs to be some level of automation here.. you can’t expect an administrator of a 5000-10000 user OC system to be keeping track of these types of things (scripts he/she needs to run when adding a user to a group). It really starts to impact our ability to scale if you force an admin to do this. If we need to run this as a script, we need to automate it with a specific trigger, perhaps we can automate using cron and generate the job with a script that looks for new users in a group (could also be a database job) and then trigger the re-encrypt if needed…. I just don’t think we can hand this script to an admin and tell them to run it every time a group changes we just need to think more around automation for scale!! Just my 2 cents! BB On July 31, 2014 at 5:16:37 AM, Carlos Damken ([email protected]) wrote: I'm for 2 also.I think when the administrator creates a user and add it into a group, he already knows that he has to run the script (overnight) to re-share the files. I think a good documentation should be prepared, this way the user of ownCloud knows that encryption needs more attention after activated than a system without it. @ser72 and @bboule can give us some input too — |
That's not possible, because the script needs the recovery password and you don't want to store a password in plain text (on the database or in a script) which gives you access to all files. We need to keep the general thought in mind, which I stated at the beginning: "encryption is always a trade-off between security and convenience, you can't have both at 100%". You want to use encryption because you want more security. Namely, you want that only those people have access to your files to whom you grant access. This makes it impossible to implement any automated process to "randomly" give users access to your files without your explicit approval. |
|
From my view, especially an enterprise setting does not have 5-10 thousands of users who use group shared encryption, the opposite happens: there may be working groups, who have 5-10thousands of files shared with serverside encryption. I support the idea to try to automate it with a specific backgroud job, BUT NOT CRON and in no means with storing any password plaintext (already begun some thoughts in #9386 ) |
|
I think you have to look at it from the perspective of an enterprise having 5-10k users (or larger)... orgs of that size you really can't have a product that expects the admin to keep track of changes in group membership and then manually running scripts every time this happens without some level if automation... It simply does not scale... As far as orgs that size not using encryption with groups that are sharing... I guess we can agree to disagree :) I guess we just need to account for the scalability of a solution from an admin overhead perspective for large scale deployments. Just something to consider I guess!! ---Bob BouleSr. Solution ArchitectOwnCloud978.751.1005Twitter: @bobboule On July 31, 2014 at 7:56:18 AM EDT, Gergely Nagy [email protected] wrote:From my view, especially an enterprise setting does not have 5-10 thousands of users who use group shared encryption, the opposite happens: there may be working groups, who have 5-10thousands of files shared with serverside encryption. I support the idea to try to automate it with a specific backgroud job, BUT NOT CRON and in no means with storing any password plaintext (already begun some thoughts in #9386 ) —Reply to this email directly or view it on GitHub. |
|
Also keep in mind if the enterprise uses LDAP authentication (which most do), The LDAP admin may add users to the groups, and the ownCloud admin, who may be a different person, may not be aware of these additions and then wouldn't know to run a script manually. I agree with @bboule Needs to be automated in some way for the Enterprise. |
|
@bboule i accept your point of view, the only obstacle left, is the safe, and secure solution for the automation (containing LDAP polling etc) |
|
The core issue is this:
From my point of view, we do need to design in large scale operations, with many users coming and going and group memberships changing daily. What if we created a group key? This is not simple, I know, but if a user is a member of a group and has that key too...it could solve this. |
This doesn't solve the problem but just moves it from the file key to the group key. To make sure that the group key can only be used by the group members you need to encrypt the group key with the public keys of the group members. Basically you will end up with the same pattern as for the file keys. There is one thing which we could improve by introducing a group key: Given that the group key is also encrypted with the recovery key, we would only need to add the new user to the group key instead of adding him to all file keys. This way we could do it on the fly (solution 1) if the admin manipulates the groups on the web interface. It would also reduce the overall problem. Once the user is added to the group key he can access all group shares, also group shares initiated by someone else. |
|
Ok, I see that. Back to the top, there are a few use cases here to be sure we capture:
Type B: Group memberships that admins change in other systems:
So in this situation of A, there is probably a reasonable way for handling the process via a prompt or something in the UI cached in a session or with a timeout so it isn't stored on the server, but makes high volume changes easy. The issue is B. If there is no interaction, there can be no prompt. For this, is there a way to store this password encrypted in the database? Then an admin has an option: If they want to be secure, they have to use the Web UI and do this themselves. Or, if they mind being a little less secure but making it easier to manage, they can choose to store the passphrase encrypted in the database. Reasonable? |
There is a background job that runs once an hour and checks and updates group memberships. It will fire the corresponding hooks. |
|
@MTRichards thanks for the summery of the two use cases and thanks @blizzz for clarifying the LDAP issue. I agree with @MTRichards that "Type A" can be handled within the ownCloud user management and the recovery key if we opt for the additional group keys and if we operate in a environment where the recovery key is enforced. For Type B we could track the changes in database table. This should be possible at least for the provisioning API and for LDAP (as explained by @blizzz). I'm not sure about the other auth methods. But they could probably do something similar like LDAP. Basically this would mean that we would maintain a list of modified groups. Once a user log in we could check if the user is a member of one of the modified groups, if yes we could use the users private key to decrypt the group key and encrypt it again with the new list of public keys. As soon as one member of a modified group log-in, all group shares would work for the new set of group members again. I also thought about it during the weekend. I think the group keys is the best thing we can do to solve this issue from a user/admin point of view. It still wouldn't be a 100% solution because in order to work the ownCloud setup would need to meet some specific criteria (recovery key enabled for all users, and the TypeA vs TypeB differences). I think from the user/admin point of view this would work. I worry a bit about the additional complexity. Already today it is hard to understand how file-key, share-key, private-key, public-key and the special purpose keys (share-link-keys and recovery-keys) work together. With the group keys we would introduce quite some new keys. We would have additionally to the existing keys following extra keys:
Thinking about large set-ups you could imagine that this would result in a lot of extra keys we and also the admins would need to manage. |
Not really. Because how would you encrypt the recovery password? For encryption you would again need a key or a password, and where do you store this password/key then? To decrypt something encrypted you always need some kind of user interaction otherwise it will never be secure. |
|
@MTRichards @schiesbn How is the status for this issue?, will be planned for oC8? and if, which will be the procedure for the user? |
|
Not entirely sure where we stand. |
|
I (and @gig13 , thanks Allen) tested this again today. We get a nice message now "please ask the owner of the file to reshare it with you". this is better than losing data. Question: Can't we effectively do the same this programmatically if the recovery key is enabled? |
|
Our company has several OwnCloud servers set up in separate offices and all of those use LDAP authentication, so our use-case is indeed the one where admin interaction cannot be assumed at all times. How about handing over the responsibility of re-sharing data to the file owner? Something like:
In that case re-encryption would be visible and not be done behind users' backs. All this activity should be logged too. |
|
@cdamken looks like this has moved to 9 are you able to update the user? |
|
I informed to our partner, he is the one who has contact with the customer. BTW, the new information from this case is here: https://github.com/owncloud/enterprise/issues/482 |
|
The above link about enterprise#482 does not work :( |
It's internal stuff for employees only, because it could contain confidential data ;) |
ghost
modified the milestones:
|
Moving to 9.2. Might be worth looking into it. But there was also this parallel discussion: #16332 (comment) |
|
Moving to backlog, needs to be reevaluated and scheduled. This could take 5-10 md including research and testing. |
There is a simpler system nowadays: master key encryption |
|
This issue has been automatically closed. |
I discussed the problem with @cdamken that user often have problems if they add new users to a group because by default the new user will not be able to decrypt the files shared with the group.
There is only one possible solution I could think of:
General thoughts:
Precondition:
Solution 1:
Advantage: the new user will get immediately access to the file
Disadvantage: for large installation this could take a long time.
Solution 2:
Advantage: The script could be executed by the admin in the background
Disadvantage: extra manual step for the admin
I think solution 1 is a no-go because we can't expect that the admin needs to wait for a long time after he added a user to a group until all the re-encryption was finished.
Solution could be possible if we really want to go this way. What we need to consider:
I tend to stay away from the technical solution and continue with the personal solution: "Hey, I'm new in your working group, please re-share the document with me so that I can work on it." Other encryption systems also doesn't provide any automated solution to add new users. But if it is really important for some users we could think about implementing solution 2 after considering all the advantages and disadvantages.
cc @craigpg @karlitschek @MTRichards
The text was updated successfully, but these errors were encountered: