The scenario:
A group of people are working on a sensitive data set that for practical reasons needs to be stored in a place that we’re not 100% happy with the security (e.g., Dropbox), or we’re concerned that files stored in plain text on users computers (e.g. laptops) may lead to the data being compromised.
If the data can be stored encrypted but everyone in the group can
still read and write the data then we’ve improved the situation
somewhat. But organising for everyone to get a copy of the key to
decrypt the data files is non-trivial. The workflow described here aims
to simplify this procedure using lower-level functions in the
cyphr
package.
The general procedure is this:
A person will set up a set of personal keys and a key for the data. The data key will be encrypted with their personal key so they have access to the data but nobody else does. At this point the data can be encrypted.
Additional users set up personal keys and request access to the data. Anyone with access to the data can grant access to anyone else.
Before doing any of this, everyone needs to have ssh keys set up. By default the package will use your ssh keys found at “~/.ssh”; see the main package vignette for how to use this.
For clarity here we will generate two sets of key pairs for two actors Alice and Bob:
path_key_alice <- cyphr::ssh_keygen(password = FALSE)
path_key_bob <- cyphr::ssh_keygen(password = FALSE)
These would ordinarily be on different machines (nobody has access to
anyone else’s private key) and they would be password protected. In the
function calls below, all the path_user
arguments would be
omitted.
We’ll store data in the directory data
; at present there
is nothing there (this is in a temporary directory for compliance with
CRAN policies but would ordinarily be somewhere persistent and under
version control ideally).
data_dir <- file.path(tempdir(), "data")
dir.create(data_dir)
dir(data_dir)
## character(0)
First, create a personal set of keys. These will be
shared across all projects and stored away from the data. Ideally one
would do this with ssh-keygen
at the command line,
following one of the many guides available. A utility function
ssh_keygen
(which simply calls ssh-keygen
for
you) is available in this package though. You will need to generate a
key on each computer you want access from. Don’t copy the key around. If
you lose your user key you will lose access to the data!
Second, create a key for the data and encrypt that key with your personal key. Note that the data key is never stored directly - it is always stored encrypted by a personal key.
cyphr::data_admin_init(data_dir, path_user = path_key_alice)
## Generating data key
## Authorising ourselves
## Adding key 39:77:f2:6e:f8:10:23:d2:08:3f:d7:0b:7c:7b:6c:55:ed:75:c8:50:eb:25:5c:a6:46:fa:7b:5e:ca:45:2f:51
## user: root
## host: 709e98efa5ba
## date: 2024-10-28 06:06:31.133598
## Verifying
The data key is very important. If it is deleted, then the data
cannot be decrypted. So do not delete the directory
data_dir/.cyphr
! Ideally add it to your version control
system so that it cannot be lost. Of course, if you’re working in a
group, there are multiple copies of the data key (each encrypted with a
different person’s personal key) which reduces the chance of total
loss.
This command can be run multiple times safely; if it detects it has been rerun and the data key will not be regenerated.
cyphr::data_admin_init(data_dir, path_user = path_key_alice)
## Already set up at /tmp/Rtmp8KxfBK/data
## Verifying
Third, you can add encrypted data to the directory
(or to anywhere really). When run, cyphr::config_data
will
verify that it can actually decrypt things.
key <- cyphr::data_key(data_dir, path_user = path_key_alice)
This object can be used with all the cyphr
functions
(see the “cyphr” vignette; vignette("cyphr")
)
filename <- file.path(data_dir, "iris.rds")
cyphr::encrypt(saveRDS(iris, filename), key)
dir(data_dir)
## [1] "iris.rds"
The file is encrypted and so cannot be read with
readRDS
:
readRDS(filename)
## Error in readRDS(filename): unknown input format
But we can decrypt and read it:
## Sepal.Length Sepal.Width Petal.Length Petal.Width Species
## 1 5.1 3.5 1.4 0.2 setosa
## 2 4.9 3.0 1.4 0.2 setosa
## 3 4.7 3.2 1.3 0.2 setosa
## 4 4.6 3.1 1.5 0.2 setosa
## 5 5.0 3.6 1.4 0.2 setosa
## 6 5.4 3.9 1.7 0.4 setosa
Fourth, have someone else join in. Recall that to
simulate another person here, I’m going to pass an argument
path_user = path_key_bob
though to the functions. This
contains the path to “Bob”’s ssh keypair. If run on an actually
different computer this would not be needed; this is just to simulate
two users in a single session for this vignette (see minimal example
below where this is simulated). Again, typically this user would also
not use the cyphr::ssh_keygen
function but use the
ssh-keygen
command from their shell.
We’re going to assume that the user can read and write to the data. This is the case for my use case where the data are stored on dropbox and will be the case with GitHub based distribution, though there would be a pull request step in here.
This user cannot read the data, though trying to will print a message explaining how you might request access:
key_bob <- cyphr::data_key(data_dir, path_user = path_key_bob)
But bob
is your collaborator and needs access! What they
need to do is run:
cyphr::data_request_access(data_dir, path_user = path_key_bob)
## A request has been added
## Email someone with access to add you
##
## hash: 58:b8:97:33:a4:6f:57:d5:99:cc:e9:49:47:ff:8a:b9:f4:1c:50:7d:d4:f4:78:8c:53:8e:7e:dd:f8:2a:91:14
##
## If you are using git, you will need to commit and push first:
##
## git add .cyphr
## git commit -m "Please add me to the dataset"
## git push
(again, ordinarily you would not need the bob
bit
here)
The user should the send an email to someone with access and quote the hash in the message above.
Fifth, back on the first computer we can authorise the second user. First, see who has requested access:
req <- cyphr::data_admin_list_requests(data_dir)
req
## 1 key:
## 58:b8:97:33:a4:6f:57:d5:99:cc:e9:49:47:ff:8a:b9:f4:1c:50:7d:d4:f4:78:8c:53:8e:7e:dd:f8:2a:91:14
## user: root
## host: 709e98efa5ba
## date: 2024-10-28 06:06:31.600158
We can see the same hash here as above
(58b89733a46f57d599cce94947ff8ab9f41c507dd4f4788c538e7eddf82a9114
)
…and then grant access to them with the
cyphr::data_admin_authorise
function.
cyphr::data_admin_authorise(data_dir, yes = TRUE, path_user = path_key_alice)
## There is 1 request for access
## Adding key 58:b8:97:33:a4:6f:57:d5:99:cc:e9:49:47:ff:8a:b9:f4:1c:50:7d:d4:f4:78:8c:53:8e:7e:dd:f8:2a:91:14
## user: root
## host: 709e98efa5ba
## date: 2024-10-28 06:06:31.600158
## Added 1 key
## If you are using git, you will need to commit and push:
##
## git add .cyphr
## git commit -m "Authorised root"
## git push
If you do not specify yes = TRUE
will prompt for
confirmation at each key added.
This has cleared the request queue:
cyphr::data_admin_list_requests(data_dir)
## (empty)
and added it to our set of keys:
cyphr::data_admin_list_keys(data_dir)
## 2 keys:
## 39:77:f2:6e:f8:10:23:d2:08:3f:d7:0b:7c:7b:6c:55:ed:75:c8:50:eb:25:5c:a6:46:fa:7b:5e:ca:45:2f:51
## user: root
## host: 709e98efa5ba
## date: 2024-10-28 06:06:31.133598
## 58:b8:97:33:a4:6f:57:d5:99:cc:e9:49:47:ff:8a:b9:f4:1c:50:7d:d4:f4:78:8c:53:8e:7e:dd:f8:2a:91:14
## user: root
## host: 709e98efa5ba
## date: 2024-10-28 06:06:31.600158
Finally, as soon as the authorisation has happened, the user can encrypt and decrypt files:
key_bob <- cyphr::data_key(data_dir, path_user = path_key_bob)
head(cyphr::decrypt(readRDS(filename), key_bob))
## Sepal.Length Sepal.Width Petal.Length Petal.Width Species
## 1 5.1 3.5 1.4 0.2 setosa
## 2 4.9 3.0 1.4 0.2 setosa
## 3 4.7 3.2 1.3 0.2 setosa
## 4 4.6 3.1 1.5 0.2 setosa
## 5 5.0 3.6 1.4 0.2 setosa
## 6 5.4 3.9 1.7 0.4 setosa
Minimal example
As above, but with less discussion:
Setup, on Alice’s computer:
cyphr::data_admin_init(data_dir, path_user = path_key_alice)
## Generating data key
## Authorising ourselves
## Adding key 39:77:f2:6e:f8:10:23:d2:08:3f:d7:0b:7c:7b:6c:55:ed:75:c8:50:eb:25:5c:a6:46:fa:7b:5e:ca:45:2f:51
## user: root
## host: 709e98efa5ba
## date: 2024-10-28 06:06:32.064897
## Verifying
Get the data key key:
key <- cyphr::data_key(data_dir, path_user = path_key_alice)
Encrypt a file:
Request access, on Bob’s computer:
hash <- cyphr::data_request_access(data_dir, path_user = path_key_bob)
## A request has been added
## Email someone with access to add you
##
## hash: 58:b8:97:33:a4:6f:57:d5:99:cc:e9:49:47:ff:8a:b9:f4:1c:50:7d:d4:f4:78:8c:53:8e:7e:dd:f8:2a:91:14
##
## If you are using git, you will need to commit and push first:
##
## git add .cyphr
## git commit -m "Please add me to the dataset"
## git push
Alice authorises this request::
cyphr::data_admin_authorise(data_dir, yes = TRUE, path_user = path_key_alice)
## There is 1 request for access
## Adding key 58:b8:97:33:a4:6f:57:d5:99:cc:e9:49:47:ff:8a:b9:f4:1c:50:7d:d4:f4:78:8c:53:8e:7e:dd:f8:2a:91:14
## user: root
## host: 709e98efa5ba
## date: 2024-10-28 06:06:32.263529
## Added 1 key
## If you are using git, you will need to commit and push:
##
## git add .cyphr
## git commit -m "Authorised root"
## git push
Bob can get the data key:
key <- cyphr::data_key(data_dir, path_user = path_key_bob)
Bob can read the secret data:
## Sepal.Length Sepal.Width Petal.Length Petal.Width Species
## 1 5.1 3.5 1.4 0.2 setosa
## 2 4.9 3.0 1.4 0.2 setosa
## 3 4.7 3.2 1.3 0.2 setosa
## 4 4.6 3.1 1.5 0.2 setosa
## 5 5.0 3.6 1.4 0.2 setosa
## 6 5.4 3.9 1.7 0.4 setosa
Details & disclosure
Encryption does not work through security through obscurity; it works because we can rely on the underlying maths enough to be open about how things are stored and where.
Most encryption libraries require some degree of security in the underlying software. Because of the way R works this is very difficult to guarantee; it is trivial to rewrite code in running packages to skip past verification checks. So this package is not designed to (or able to) avoid exploits in your running code; an attacker could intercept your private keys, the private key to the data, or skip the verification checks that are used to make sure that the keys you load are what they say they are. However, the data are safe; only people who have keys to the data will be able to read it.
cyphr
uses two different encryption algorithms; it uses
RSA encryption via the openssl
package for user keys,
because there is a common file format for these keys so it makes user
configuration easier. It uses the modern sodium package (and through
that the libsodium library) for data encryption because it is very fast
and simple to work with. This does leave two possible points of weakness
as a vulnerability in either of these libraries could lead to an exploit
that could allow decryption of your data.
Each user has a public/private key pair. Typically this is in
~/.ssh/id_rsa.pub
and ~/.ssh/id_rsa
, and if
found these will be used. Alternatively the location of the keypair can
be stored elsewhere and pointed at with the USER_KEY
or
USER_PUBKEY
environment variables. The key may be password
protected (and this is recommended!) and the password will be requested
without ever echoing it to the terminal.
The data directory has a hidden directory .cyphr
in
it.
dir(data_dir, all.files = TRUE, no.. = TRUE)
## [1] ".cyphr" "iris.rds"
This does not actually need to be stored with the data but it makes sense to (there are workflows where data is stored remotely where storing this directory might make sense). The “keys” directory contains a number of files; one for each person who has access to the data.
## [1] "3977f26ef81023d2083fd70b7c7b6c55ed75c850eb255ca646fa7b5eca452f51"
## [2] "58b89733a46f57d599cce94947ff8ab9f41c507dd4f4788c538e7eddf82a9114"
names(cyphr::data_admin_list_keys(data_dir))
## [1] "3977f26ef81023d2083fd70b7c7b6c55ed75c850eb255ca646fa7b5eca452f51"
## [2] "58b89733a46f57d599cce94947ff8ab9f41c507dd4f4788c538e7eddf82a9114"
(the file test
is a small file encrypted with the data
key used to verify everything is working OK).
Each file is stored in RDS format and is a list with elements:
- user: the reported user name of the person who created request for data
- host: the reported computer name
- date: the time the request was generated
- pub: the RSA public key of the user
- key: the data key, encrypted with the user key. Without the private key, this cannot be used. With the user’s private key this can be used to generate the symmetric key to the data.
h <- names(cyphr::data_admin_list_keys(data_dir))[[1]]
readRDS(file.path(data_dir, ".cyphr", "keys", h))
## $user
## [1] "root"
##
## $host
## [1] "709e98efa5ba"
##
## $date
## [1] "2024-10-28 06:06:32 UTC"
##
## $pub
## [2048-bit rsa public key]
## md5: 4b35907f9bd121862f30e05cccc06653
## sha256: 3977f26ef81023d2083fd70b7c7b6c55ed75c850eb255ca646fa7b5eca452f51
##
## $key
## [1] 9c 38 15 1c 76 2d ca 93 6e 9a 14 54 14 c1 23 23 b2 32 ee 12 dd 9c 2b 7c 0e
## [26] 71 fa f0 1a 6a 38 e3 21 21 a4 12 ce 0b 99 15 cc e9 84 a8 64 dc b5 af f7 4e
## [51] 1a 9a 72 65 c8 49 8b d0 e6 d0 a0 40 a7 b8 36 26 63 9f a7 86 36 e3 1e 1f 5b
## [76] a9 53 8f bb ff ed 71 e0 2a 4a a6 47 56 0f 44 d4 01 35 19 94 e5 d6 f9 df d3
## [101] 40 23 89 26 45 24 c7 fc c8 12 5c b2 1f dd 3c da 4a 4f a8 2e 4a be 61 f7 0c
## [126] 0e 42 f2 a4 3d 7e 93 74 d3 74 25 06 e3 d0 e3 b5 f7 be 0c 15 17 9c db 31 f4
## [151] bd 8e df f9 d5 bc aa d5 3b bc df 5a 44 be d1 21 09 4d d0 cd 7c 60 87 37 44
## [176] fb e6 d8 c2 71 cc 22 b7 f6 0a 2b 50 57 e5 7b 17 bd 66 ea 42 ba 80 fe 23 06
## [201] 79 6b bb 98 66 8b 3b 75 c0 80 7a 9c a2 da 87 08 5b 0a 2b e8 f7 36 d4 6a 72
## [226] 38 d8 ee c9 14 dc 87 8b 88 1b ad af d9 af 1a 5e 9c dd 4e b0 3d 01 15 ae 86
## [251] 7b b9 78 6c a1 62
You can see that the hash of the public key is the same as name of the stored file here (which is used to prevent collisions when multiple people request access at the same time).
h
## [1] "3977f26ef81023d2083fd70b7c7b6c55ed75c850eb255ca646fa7b5eca452f51"
When a request is posted it is an RDS file with all of the above
except for the key
element, which is added during
authorisation.
(Note that the verification relies on the package code not being
attacked, and given R’s highly dynamic nature an attacker could easily
swap out the definition for the verification function with something
that always returns TRUE
.)
When an authorised user creates the data_key
object
(which allows decryption of the data) secret
will:
- read their private user key (probably from
~/.ssh/id_rsa
) - read the encrypted data key from the data directory (the
$key
element from the list above). - decrypt this data key using their user key to yield the the data symmetric key.
Limitations
In the Dropbox scenario, non-password protected keys will afford only limited protection. This is because even though the keys and data are stored separately on Dropbox, they will be in the same place on a local computer; if that computer is lost then the only thing preventing an attacker recovering the data is security through obscurity (the data would appear to be random junk but they will be able to run your analysis scripts as easily as you can). Password protected keys will improve this situation considerably as without a password the data cannot be recovered.
The data is not encrypted during a running R session. R allows arbitrary modification of code at runtime so this package provides no security from the point where the data can be decrypted. If your computer was compromised then stealing the data while you are running R should be assumed to be straightforward.