ExfileEncryption

Transparent backend encryption / decryption for Exfile.

ExfileEncryption uses AES-GCM in 256-bit key mode. The file format is documented.

Installation

1. Add exfile_encryption to your list of dependencies in mix.exs:

def deps do
  [{:exfile_encryption, "~> 0.0.2"}]
end

1. Ensure exfile_encryption is started before your application:

def application do
  [applications: [:exfile_encryption]]
end

Usage

exfile_encryption registers two processors.

• encrypt
• decrypt

encrypt accepts a single argument, key: a string that will be hashed with SHA-256 and used as the encryption key. Note that while the key is not salted, a random IV is generated for each file.

decrypt accepts either key with a single key or a list of accepted keys in keys.

Configuration

exfile_encryption is designed to be used with Exfile’s pre- and post-processing support.

Sample configuration of a backend that uses exfile_encryption to encrypt files stored on the “store” store

config :exfile, Exfile,
  backends: %{
    "store" => {Exfile.Backend.FileSystem,
      directory: "/var/lib/my-store",
      max_size: nil,
      hasher: Exfile.Hasher.Random,
      preprocessors: [{"encrypt", [], [key: "don't tell anyone!"]}],
      postprocessors: [{"decrypt", [], [key: "don't tell anyone!"]}]
    }
  }

Sample configuration of a backend that will encrypt newly uploaded files with one key, but accept multiple decryption keys. See Issue #1 to see when / why this should be used.

config :exfile, Exfile,
  backends: %{
    "store" => {Exfile.Backend.FileSystem,
      directory: "/var/lib/my-store",
      max_size: nil,
      hasher: Exfile.Hasher.Random,
      preprocessors: [{"encrypt", [], [key: "don't tell anyone!"]}],
      postprocessors: [{"decrypt", [], [keys: ["don't tell anyone!", "old key"]]}]
    }
  }