I store encrypted (AES 256) files on nginx. I open them by GET request and use a key as a query parameter. For example http://www.my_secure_nginx.com/files/secret_audio.mp3?key=mysecretkey
Can you please suggest a solution for doing this on an nginx file server (maybe existing filters) that maintains chunked responses? In other words, I need to do on-the-fly decryption of files on nginx.

Oleg Dats
I am also interested in this topic. Do you have any sample code already? Like decrypting proxied traffic? – aze2201 Jul 03 '23 at 17:10
1 Answer
The easiest way would be to write your own module for nginx in Lua. The lua-resty-string module already supports AES. Add some file handling and reading code and you are done. Lua modules are very quick as they work in non-blocking I/O.
The important part to remember is handling padding - the original file size must be stored somewhere (DB, xattr etc.) and passed to or read by nginx.
Another non-trivial topic is eventual support of random access. Data must be AES encrypted in CTR mode for that. XTS, CBC, CFB are also fine but require a bit more development work.

gertas
And the difficulty with CTR mode is that the same key can never be re-used with different data. This is where most CTR breaches stem from. – zaph Dec 27 '15 at 21:37
Right, data security is a multi-layered topic - one can weaken even the strongest algorithm by not understanding the solution's complexity. CTR can be improved by forcing write-once/read-many (WORM) with a good random key salt per file. With write-many, indeed it is a problem, as the key should remain the same for a given block. The possible solution would be to transform it into a versioned WORM filesystem. Each new write would create a new salt and thus a new version of the entire file or just the changed part. – gertas Jan 01 '16 at 16:38
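The random-access property of CTR mode and the per-file nonce discussed in the answer and comments, as an added example that is not code from the answer or from lua-resty-string; it uses Go's standard library to show the offset-to-counter arithmetic a range-serving module needs. The counter layout (8-byte random nonce followed by a 64-bit big-endian block index) and the names `EncryptFile` and `DecryptRange` are assumptions made for this sketch.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// DecryptRange decrypts bytes [start, end) of a CTR-encrypted file. ct is the
// whole ciphertext here; a server would seek and read only the requested slice.
func DecryptRange(key []byte, nonce [8]byte, ct []byte, start, end int64) ([]byte, error) {
	if start < 0 || start > end || end > int64(len(ct)) {
		return nil, fmt.Errorf("range %d-%d outside file of %d bytes", start, end, len(ct))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// Assumed layout: per-file nonce || big-endian index of the block holding start.
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce[:])
	binary.BigEndian.PutUint64(iv[8:], uint64(start/aes.BlockSize))
	stream := cipher.NewCTR(block, iv)
	skip := start % aes.BlockSize
	stream.XORKeyStream(make([]byte, skip), make([]byte, skip)) // drop keystream before start
	out := make([]byte, end-start)
	stream.XORKeyStream(out, ct[start:end])
	return out, nil
}

// EncryptFile encrypts a whole file once under a fresh random nonce, so the
// same key never produces the same keystream for two files (write-once).
func EncryptFile(key, plain []byte) (nonce [8]byte, ct []byte, err error) {
	if _, err = rand.Read(nonce[:]); err != nil {
		return
	}
	ct, err = DecryptRange(key, nonce, plain, 0, int64(len(plain))) // CTR is its own inverse
	return
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real secret
	nonce, ct, err := EncryptFile(key, []byte("constructed sample standing in for secret_audio.mp3"))
	part, err2 := DecryptRange(key, nonce, ct, 12, 18) // like "Range: bytes=12-17"
	fmt.Printf("%q %v %v\n", part, err, err2)
}
```

The nonce is not secret and has to be stored with the file so the server can rebuild the counter. CTR gives confidentiality only, so a modified ciphertext decrypts without any error unless a MAC is checked separately.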