Various functions and helper functions to establish encrypted files. To secure the content (any file) the Advanced Encryption Standard (AES) is applied with an ephemeral key consisting of 256 random bits. This key is only used once for encryption (and then one more time during decryption at a later stage). A random 128 bit initialization vector (iv) is also applied during encryption. There is no extra security gain in this since the key will never be re-used for encryption/decryption. So, just for good measures then :-) After the content has been encrypted the key itself is encrypted by applying a public key offered by the recipient. This key is obtained from a public provider. Currently, GitHub is the only option. The three files: encrypted content, the encrypted key and the (cleartext) iv is then bundled into a tarball ready for shipment.
Usage
enc_filename(filename)
make_pubkey_url(pubkey_holder = "github", pid)
get_pubkey(pubkey_holder, pid)
enc(filename, pubkey_holder, pid, pubkey = NULL)
Arguments
- filename
Character string with fully qualified path to a file.
- pubkey_holder
Character string defining the provider of the public key used for encryption of the symmetric key. Currently, 'github' is the only valid pubkey holder. If a local pubkey is to be used (see parameter
pubkey
,pubkey_holder
may be set to NULL or some other value.- pid
Character string uniquely defining the user at
pubkey_holder
who is also the owner of the public key.- pubkey
Character string representing a valid public key. Default is NULL in which case the key will be obtained as per
pubkey_holder
.
Details
Encrypted files can be decrypted outside R using the OpenSSL library. Both the key and the initialization vector (iv) are binary and this method uses the key directly (and not a [hashed] passphrase). OpenSSL decryption need to be fed the key (and iv) as a string of hex digits. Methods for conversion from binary to hex may vary between systems. Below, a bash shell (unix) example is given
Step 1: decrypt symmetric key (open envelope) using a private key
openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in key.enc -out key
Step 2: decrypt content by key obtained in step 1, also converting key and iv to strings of hexadecimal digits
openssl aes-256-cbc -d -in data.csv.enc -out data.csv \
-K $(hexdump -e '32/1 "%02x"' key) -iv $(hexdump -e '16/1 "%02x"' iv)
Examples
# Please note that these examples will write files to a local temporary
# directory.
## Define temporary working directory and a secret file name
wd <- tempdir()
secret_file_name <- "secret.rds"
## Add content to the secret file
saveRDS(iris, file = file.path(wd, secret_file_name), ascii = TRUE)
## Make a private-public key pair named "id_rsa" and "id_rsa.pub"
keygen(directory = wd, type = "rsa", overwrite_existing = TRUE)
#> sship: Key pair written to /private/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/Rtmpt0SYTP
## Load public key
pubkey <- readLines(file.path(wd, "id_rsa.pub"))
## Make a secured file (ready for shipment)
secure_secret_file <- enc(filename = file.path(wd, "secret.rds"),
pubkey_holder = NULL, pubkey = pubkey)
#> sship: Content encrypted and ready for shipment: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T//Rtmpt0SYTP/secret.rds__20221213_141800.tar.gz