Data Encryption

Rich FitzJohn

2019-03-22

The scenario:

A group of people are working on a sensitive data set that, for practical reasons, needs to be stored somewhere whose security we’re not 100% happy with (e.g., Dropbox), or we’re concerned that files stored in plain text on users’ computers (e.g., laptops) may lead to the data being compromised.

If the data can be stored encrypted but everyone in the group can still read and write the data then we’ve improved the situation somewhat. But organising for everyone to get a copy of the key to decrypt the data files is non-trivial. The workflow described here aims to simplify this procedure using lower-level functions in the cyphr package.

The general procedure is this:

  1. A person will set up a set of personal keys and a key for the data. The data key will be encrypted with their personal key so they have access to the data but nobody else does. At this point the data can be encrypted.

  2. Additional users set up personal keys and request access to the data. Anyone with access to the data can grant access to anyone else.

Before doing any of this, everyone needs to have ssh keys set up. By default the package will use your ssh keys found at “~/.ssh”; see the main package vignette for how to use this.

For clarity, here we will generate two key pairs for two actors, Alice and Bob:

path_key_alice <- cyphr::ssh_keygen(password = FALSE)
path_key_bob <- cyphr::ssh_keygen(password = FALSE)

These would ordinarily be on different machines (nobody has access to anyone else’s private key) and they would be password protected. In the function calls below, all the path_user arguments would be omitted.

We’ll store data in the directory data; at present there is nothing there (this is in a temporary directory for compliance with CRAN policies but would ordinarily be somewhere persistent and under version control ideally).

data_dir <- file.path(tempdir(), "data")
dir.create(data_dir)
dir(data_dir)
## character(0)

First, create a personal set of keys. These will be shared across all projects and stored away from the data. Ideally one would do this with ssh-keygen at the command line, following one of the many guides available. A utility function ssh_keygen (which simply calls ssh-keygen for you) is available in this package though. You will need to generate a key on each computer you want access from. Don’t copy the key around. If you lose your user key you will lose access to the data!

Second, create a key for the data and encrypt that key with your personal key. Note that the data key is never stored directly - it is always stored encrypted by a personal key.

cyphr::data_admin_init(data_dir, path_user = path_key_alice)
## Generating data key
## Authorising ourselves
## Adding key bc:8f:63:d7:cb:d5:5f:17:6e:9a:0b:d3:93:ac:3d:1d
##   user: rfitzjoh
##   host: dyn3181-4.wlan.ic.ac.uk
##   date: 2019-03-22 11:43:44
## Verifying

The data key is very important. If it is deleted, then the data cannot be decrypted. So do not delete the directory data_dir/.cyphr! Ideally add it to your version control system so that it cannot be lost. Of course, if you’re working in a group, there are multiple copies of the data key (each encrypted with a different person’s personal key) which reduces the chance of total loss.

This command can be run multiple times safely; if it detects that it has been rerun, the data key will not be regenerated.

cyphr::data_admin_init(data_dir, path_user = path_key_alice)
## Already set up
## Verifying

Third, you can add encrypted data to the directory (or to anywhere really). When run, cyphr::config_data will verify that it can actually decrypt things.

key <- cyphr::data_key(data_dir, path_user = path_key_alice)

This object can be used with all the cyphr functions (see the “cyphr” vignette; vignette("cyphr"))

filename <- file.path(data_dir, "iris.rds")
cyphr::encrypt(saveRDS(iris, filename), key)
dir(data_dir)
## [1] "iris.rds"

The file is encrypted and so cannot be read with readRDS:

readRDS(filename)
## Error in readRDS(filename): unknown input format

But we can decrypt and read it:

head(cyphr::decrypt(readRDS(filename), key))
##   Sepal.Length Sepal.Width Petal.Length Petal.Width Species
## 1          5.1         3.5          1.4         0.2  setosa
## 2          4.9         3.0          1.4         0.2  setosa
## 3          4.7         3.2          1.3         0.2  setosa
## 4          4.6         3.1          1.5         0.2  setosa
## 5          5.0         3.6          1.4         0.2  setosa
## 6          5.4         3.9          1.7         0.4  setosa

Fourth, have someone else join in. Recall that to simulate another person here, I’m going to pass an argument path_user = path_key_bob through to the functions. This contains the path to “Bob”’s ssh keypair. If run on an actually different computer this would not be needed; this is just to simulate two users in a single session for this vignette (see minimal example below where this is simulated). Again, typically this user would also not use the cyphr::ssh_keygen function but use the ssh-keygen command from their shell.

We’re going to assume that the user can read and write to the data. This is the case for my use case, where the data are stored on Dropbox, and will be the case with GitHub-based distribution, though there would be a pull request step in here.

This user cannot read the data, though trying to will print a message explaining how you might request access:

key_bob <- cyphr::data_key(data_dir, path_user = path_key_bob)
## Error: Key file not found; you may not have access
## (looked in /var/folders/z7/c2kx_kt96zn2tt_6179bkc4m0000gp/T//Rtmp4OHgUv/data/.cyphr/51413595e153747977ef497bc5fc1504)
## To request access, run:
##   data_request_access("/var/folders/z7/c2kx_kt96zn2tt_6179bkc4m0000gp/T//Rtmp4OHgUv/data")

But Bob is your collaborator and needs access! What they need to do is run:

cyphr::data_request_access(data_dir, path_user = path_key_bob)
## A request has been added
## Email someone with access to add you.
##  hash: 51:41:35:95:e1:53:74:79:77:ef:49:7b:c5:fc:15:04

(again, ordinarily you would not need the bob bit here)

The user should then send an email to someone with access and quote the hash in the message above.

Fifth, back on the first computer we can authorise the second user. First, see who has requested access:

req <- cyphr::data_admin_list_requests(data_dir)
req
## 1 key:
##   51:41:35:95:e1:53:74:79:77:ef:49:7b:c5:fc:15:04
##     user: rfitzjoh
##     host: dyn3181-4.wlan.ic.ac.uk
##     date: 2019-03-22 11:43:44

We can see the same hash here as above (51413595e153747977ef497bc5fc1504)

…and then grant access to them with the cyphr::data_admin_authorise function.

cyphr::data_admin_authorise(data_dir, yes = TRUE, path_user = path_key_alice)
## There is 1 request for access
## Adding key 51:41:35:95:e1:53:74:79:77:ef:49:7b:c5:fc:15:04
##   user: rfitzjoh
##   host: dyn3181-4.wlan.ic.ac.uk
##   date: 2019-03-22 11:43:44
## Added 1 key

If you do not specify yes = TRUE, the function will prompt for confirmation at each key added.

This has cleared the request queue:

cyphr::data_admin_list_requests(data_dir)
## (empty)

and added it to our set of keys:

cyphr::data_admin_list_keys(data_dir)
## 2 keys:
##   51:41:35:95:e1:53:74:79:77:ef:49:7b:c5:fc:15:04
##     user: rfitzjoh
##     host: dyn3181-4.wlan.ic.ac.uk
##     date: 2019-03-22 11:43:44
##   bc:8f:63:d7:cb:d5:5f:17:6e:9a:0b:d3:93:ac:3d:1d
##     user: rfitzjoh
##     host: dyn3181-4.wlan.ic.ac.uk
##     date: 2019-03-22 11:43:44

Finally, as soon as the authorisation has happened, the user can encrypt and decrypt files:

key_bob <- cyphr::data_key(data_dir, path_user = path_key_bob)
head(cyphr::decrypt(readRDS(filename), key_bob))
##   Sepal.Length Sepal.Width Petal.Length Petal.Width Species
## 1          5.1         3.5          1.4         0.2  setosa
## 2          4.9         3.0          1.4         0.2  setosa
## 3          4.7         3.2          1.3         0.2  setosa
## 4          4.6         3.1          1.5         0.2  setosa
## 5          5.0         3.6          1.4         0.2  setosa
## 6          5.4         3.9          1.7         0.4  setosa
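The walkthrough authorises with yes = TRUE, which accepts every pending request. The following is an added example (not part of the original vignette or the cyphr package) that authorises only the request whose fingerprint was confirmed out of band. It assumes that data_admin_authorise accepts a hash argument and that the request list is named by hash in the same way as the key list; authorise_verified, normalise_hash and the scenario in the temporary directory are hypothetical and constructed.

```r
library(cyphr)

# Reduce a fingerprint (raw bytes, "51:41:..." or bare hex) to bare lower-case hex.
normalise_hash <- function(x) {
  tolower(gsub("[^0-9A-Fa-f]", "", paste(as.character(x), collapse = "")))
}

# Hypothetical helper: authorise only the request whose fingerprint was
# confirmed out of band; every other request stays pending for review.
authorise_verified <- function(data_dir, quoted_hash, path_user = NULL) {
  quoted <- normalise_hash(quoted_hash)
  if (nchar(quoted) != 32L) {  # 16-byte fingerprints, as in the output above
    stop("Expected the full 32 hex digit fingerprint, got: ", quoted)
  }
  # Assumption: the request list is named by hash, like data_admin_list_keys()
  pending <- names(cyphr::data_admin_list_requests(data_dir))
  if (!(quoted %in% pending)) {
    stop("No pending request matches ", quoted)
  }
  unverified <- setdiff(pending, quoted)
  if (length(unverified) > 0L) {
    message("Left pending (not confirmed out of band): ",
            paste(unverified, collapse = ", "))
  }
  # Assumption: `hash` restricts authorisation to the named request
  cyphr::data_admin_authorise(data_dir, hash = quoted, yes = TRUE,
                              path_user = path_user)
  invisible(unverified)
}

# Constructed scenario: two requests arrive, but only Bob's fingerprint has
# been confirmed by email.
key_alice <- cyphr::ssh_keygen(password = FALSE)
key_bob <- cyphr::ssh_keygen(password = FALSE)
key_other <- cyphr::ssh_keygen(password = FALSE)
demo_dir <- tempfile("data")
dir.create(demo_dir)
cyphr::data_admin_init(demo_dir, path_user = key_alice)
hash_bob <- cyphr::data_request_access(demo_dir, path_user = key_bob)
cyphr::data_request_access(demo_dir, path_user = key_other)

left <- authorise_verified(demo_dir, hash_bob, path_user = key_alice)
stopifnot(
  length(left) == 1L,
  normalise_hash(hash_bob) %in% names(cyphr::data_admin_list_keys(demo_dir)),
  identical(names(cyphr::data_admin_list_requests(demo_dir)), left)
)
```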

Minimal example

As above, but with less discussion:

Setup, on Alice’s computer:

cyphr::data_admin_init(data_dir, path_user = path_key_alice)
## Generating data key
## Authorising ourselves
## Adding key bc:8f:63:d7:cb:d5:5f:17:6e:9a:0b:d3:93:ac:3d:1d
##   user: rfitzjoh
##   host: dyn3181-4.wlan.ic.ac.uk
##   date: 2019-03-22 11:43:44
## Verifying

Get the data key:

key <- cyphr::data_key(data_dir, path_user = path_key_alice)

Encrypt a file:

cyphr::encrypt(saveRDS(iris, filename), key)

Request access, on Bob’s computer:

hash <- cyphr::data_request_access(data_dir, path_user = path_key_bob)
## A request has been added
## Email someone with access to add you.
##  hash: 51:41:35:95:e1:53:74:79:77:ef:49:7b:c5:fc:15:04

Alice authorises this request:

cyphr::data_admin_authorise(data_dir, yes = TRUE, path_user = path_key_alice)
## There is 1 request for access
## Adding key 51:41:35:95:e1:53:74:79:77:ef:49:7b:c5:fc:15:04
##   user: rfitzjoh
##   host: dyn3181-4.wlan.ic.ac.uk
##   date: 2019-03-22 11:43:44
## Added 1 key

Bob can get the data key:

key <- cyphr::data_key(data_dir, path_user = path_key_bob)

Bob can read the secret data:

head(cyphr::decrypt(readRDS(filename), key))
##   Sepal.Length Sepal.Width Petal.Length Petal.Width Species
## 1          5.1         3.5          1.4         0.2  setosa
## 2          4.9         3.0          1.4         0.2  setosa
## 3          4.7         3.2          1.3         0.2  setosa
## 4          4.6         3.1          1.5         0.2  setosa
## 5          5.0         3.6          1.4         0.2  setosa
## 6          5.4         3.9          1.7         0.4  setosa

Details & disclosure

Encryption does not work through security through obscurity; it works because we can rely on the underlying maths enough to be open about how things are stored and where.

Most encryption libraries require some degree of security in the underlying software. Because of the way R works this is very difficult to guarantee; it is trivial to rewrite code in running packages to skip past verification checks. So this package is not designed to (or able to) avoid exploits in your running code; an attacker could intercept your private keys, the private key to the data, or skip the verification checks that are used to make sure that the keys you load are what they say they are. However, the data are safe; only people who have keys to the data will be able to read it.

cyphr uses two different encryption algorithms; it uses RSA encryption via the openssl package for user keys, because there is a common file format for these keys so it makes user configuration easier. It uses the modern sodium package (and through that the libsodium library) for data encryption because it is very fast and simple to work with. This does leave two possible points of weakness as a vulnerability in either of these libraries could lead to an exploit that could allow decryption of your data.

Each user has a public/private key pair. Typically this is in ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa, and if found these will be used. Alternatively the location of the keypair can be stored elsewhere and pointed at with the USER_KEY or USER_PUBKEY environment variables. The key may be password protected (and this is recommended!) and the password will be requested without ever echoing it to the terminal.

The data directory has a hidden directory .cyphr in it.

dir(data_dir, all.files = TRUE, no.. = TRUE)
## [1] ".cyphr"   "iris.rds"

This does not actually need to be stored with the data but it makes sense to (there are workflows where data is stored remotely where storing this directory might make sense). This directory contains a number of files; one for each person who has access to the data.

dir(file.path(data_dir, ".cyphr"))
## [1] "51413595e153747977ef497bc5fc1504" "bc8f63d7cbd55f176e9a0bd393ac3d1d"
## [3] "test"
names(cyphr::data_admin_list_keys(data_dir))
## [1] "51413595e153747977ef497bc5fc1504" "bc8f63d7cbd55f176e9a0bd393ac3d1d"

(the file test is a small file encrypted with the data key used to verify everything is working OK).

Each file is stored in RDS format and is a list with elements:

h <- names(cyphr::data_admin_list_keys(data_dir))[[1]]
readRDS(file.path(data_dir, ".cyphr", h))
## $user
## [1] "rfitzjoh"
## 
## $host
## [1] "dyn3181-4.wlan.ic.ac.uk"
## 
## $date
## [1] "2019-03-22 11:43:44 GMT"
## 
## $pub
## [2048-bit rsa public key]
## md5: 51413595e153747977ef497bc5fc1504
## 
## $signature
##   [1] a8 84 54 c6 8e 6a c4 c6 fb 29 b9 9d 82 c0 bb 21 4c fd 37 61 14 07 58
##  [24] ab 29 82 4e 42 9b d1 1b 7f 13 8f 23 47 5a c5 f1 67 01 29 a8 96 b5 77
##  [47] de c9 e0 7b 6b 16 21 da 34 c0 d4 ac 2f aa ec 0e d2 d5 09 cb 2c 85 1f
##  [70] 20 df 24 2c f1 13 7e d2 98 90 bb fc 30 ce cb fb 4d 3c fc ac 82 51 a5
##  [93] a5 85 1c 7c 2a 5a 5d 1a d8 d9 ea 67 21 38 93 b7 fd ee d4 e6 c8 a0 a2
## [116] 96 4a e7 57 64 41 9a 12 76 00 af f8 70 43 da fd 31 8e 50 bd 34 8d 3e
## [139] 2c 75 4b 18 78 4e 68 46 7e f7 c0 a3 ae 7b ec b6 f2 be 86 6a d5 f7 54
## [162] 2f 76 65 39 2b 28 1a ea 3f 41 a1 f1 1a e5 eb ef f7 6a d8 40 2a c2 bb
## [185] 19 c6 4c c5 ca ba e8 46 89 75 ff 57 20 e8 62 b7 7d f8 4a 5e d2 15 38
## [208] 4b 1b 09 25 5b 5e 1f 06 fb ec 07 1c 09 0e ac f7 d5 1a 88 09 fc 8c cf
## [231] 53 64 ab bd 31 69 f6 84 7d fe 98 d8 52 0b e1 96 d7 96 54 2d 70 d0 48
## [254] 7b 49 39
## 
## $key
##   [1] 98 39 c8 2f 8b 6a 5b 2e 8b 92 48 15 41 0f c5 ae b7 43 5b ad 9e d8 68
##  [24] 56 04 3e 24 42 ca c9 7e d6 61 d5 7c 23 60 40 1f 24 51 98 73 a6 25 41
##  [47] b6 c5 c2 6b 58 16 69 54 d4 82 8e ad 94 32 6c 35 70 d1 72 5a 48 48 39
##  [70] 89 bd 22 84 a1 9b 17 21 bc 44 6a 95 4d df b6 71 f4 8c 96 a7 15 2a ba
##  [93] 0f 3c 6b f0 d4 dc 4d 44 16 74 ea f8 8e 5f 04 9a 0d bd 14 2f 96 7b c7
## [116] 8a 8a 4f 4d b3 92 3b f1 bf 34 8e f4 cb 8a 18 ef 6f 7f dd 56 bf 7b cd
## [139] 07 6d cc e8 d9 bd fa a9 73 ee 6b 3e d8 d9 8b 48 d8 42 e2 fb cc 6e fe
## [162] ef 3b 9c fc 8d ab 67 64 c8 1b 16 cb 8c 55 a7 ac 36 3e ab 33 7c 83 2b
## [185] f2 e4 41 b9 35 3e 8c 6f 79 28 c9 cd 2d a1 38 9d 10 fb 03 c3 44 12 67
## [208] e9 d9 78 d6 26 fa c5 12 ae 05 da 0f d0 65 a3 2c a6 1b ba eb fe ae fc
## [231] fa 12 34 3b 19 05 c8 b4 bd 8f 97 e5 0e 1d 39 84 4e 3b b0 f4 f7 ae 56
## [254] ec 7e 12

You can see that the hash of the public key is the same as the name of the stored file here (which is used to prevent collisions when multiple people request access at the same time).

h
## [1] "51413595e153747977ef497bc5fc1504"
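The relationship between file name and public key can be checked for every entry at once. The following is an added example (not part of the original vignette or the cyphr package) that audits the .cyphr directory. It assumes the file name is the md5 fingerprint of the stored public key, as in the output above; audit_cyphr_dir and the mismatching entry are hypothetical and constructed.

```r
library(openssl)

# Hypothetical helper: for each entry under <data_dir>/.cyphr, report who it
# belongs to and whether its file name equals the md5 fingerprint of the
# public key stored inside it.
audit_cyphr_dir <- function(data_dir) {
  path <- file.path(data_dir, ".cyphr")
  files <- setdiff(dir(path), "test")  # "test" is the verification file
  files <- files[!file.info(file.path(path, files))$isdir]
  rows <- lapply(files, function(f) {
    entry <- readRDS(file.path(path, f))
    fp <- openssl::fingerprint(entry$pub, openssl::md5)
    fp_hex <- paste(as.character(unclass(fp)), collapse = "")
    data.frame(file = f,
               user = entry$user,
               host = entry$host,
               date = as.character(entry$date),
               name_matches_key = identical(f, fp_hex),
               has_data_key = !is.null(entry$key),
               stringsAsFactors = FALSE)
  })
  do.call(rbind, rows)
}

# Constructed scenario in a temporary directory
key_alice <- cyphr::ssh_keygen(password = FALSE)
audit_dir <- tempfile("data")
dir.create(audit_dir)
cyphr::data_admin_init(audit_dir, path_user = key_alice)

report <- audit_cyphr_dir(audit_dir)
stopifnot(nrow(report) == 1L, report$name_matches_key, report$has_data_key)

# Constructed inconsistency: the same entry stored under a name that is not
# the fingerprint of the key it contains.
bad_name <- strrep("0", 32)
file.copy(file.path(audit_dir, ".cyphr", report$file[[1]]),
          file.path(audit_dir, ".cyphr", bad_name))

report <- audit_cyphr_dir(audit_dir)
stopifnot(identical(report$file[!report$name_matches_key], bad_name))
print(report[, c("file", "user", "name_matches_key", "has_data_key")])
```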

When a request is posted it is an RDS file with all of the above except for the key element, which is added during authorisation.

(Note that the verification relies on the package code not being attacked, and given R’s highly dynamic nature an attacker could easily swap out the definition for the verification function with something that always returns TRUE.)

When an authorised user creates the data_key object (which allows decryption of the data) secret will:

Limitations

In the Dropbox scenario, non-password protected keys will afford only limited protection. This is because even though the keys and data are stored separately on Dropbox, they will be in the same place on a local computer; if that computer is lost then the only thing preventing an attacker recovering the data is security through obscurity (the data would appear to be random junk but they will be able to run your analysis scripts as easily as you can). Password protected keys will improve this situation considerably as without a password the data cannot be recovered.

The data is not encrypted during a running R session. R allows arbitrary modification of code at runtime so this package provides no security from the point where the data can be decrypted. If your computer was compromised then stealing the data while you are running R should be assumed to be straightforward.