Simple encrypted storage for images & videos.
- AES256CBC encrypted storage (not E2E encryption)
- Primitive UI, Upload batches, Download from URL
- Multiple separated repositories
- Search by tags
- dotnet-sdk-5.0
- nodejs
- npm
- yarn
- node
- git
- nginx
- CentOS8 (Anything with SystemD should suffice)
- Install all required deps
- Configure Nginx (See snipped below, the "include" is copied to place by "deploy.sh" later)
- Choose long-term working folder for deploys, e.g. /root (will be reused for deploys)
- Pull sources from this repo
- run "sh deploy.sh" (It generates appsettings.Prod.json, write down or provide your own "AdminKey", needed for Repository creation, can be any string)
- CONFIGURE TLS! With certbot or your own method. Without TLS its all pointless...
server {
listen 80;
server_name "my-server.com" "www.my-server.com";
include /etc/nginx/memzvault.nginx.conf;
}App should be up and running. To update deployment to never version just pull the repo & run "sh deploy.sh" again. It will not regenerate the production config, so your keys will stay.
After deployment, don't delete the pulled sources, if you delete appsettings.Production.json it will be regenerated with different keys (ServerKey & AdminKey are not used for data encryption so you will not loose your data even if you regenerate it).
crontab -e for certbot cert reload (If you use certbot)
0 0 * * 0 root /usr/bin/certbot renew --post-hook "/usr/sbin/nginx -s reload"
Repository contains manifest json file called "repository.json" which contains repository encryption key encrypted by passphrase. Then every file has ".data file" and ".meta file". Meta contains some metedata about file along with unique IV for data file encryption.
If repository key or passphrase is lost, then all data are undecipherable.
Repository key is encrypted by function:
EncryptedRepositoryKey = AES256CBC_encrypt(PlainRepositoryKey, RandomIV, Passphrase)File data themselves are encrypted by function:
EncryptedData = AES256CBC_encrypt(PlainData, IVMeta, RepositoryKey)Simplified crypto flow for retrieving encrypted image for authenticated user:
// decrypt passphrase by server key
encPassphrase = GetEncryptedPassphraseFromToken()
passphrase = Decrypt(encPassphrase, ServerKey)
// decrypt repository key by passphrase
encRepositoryKey = GetEncryptedRepositoryKey(GetRepositoryNameFromToken())
repositoryKey = Decrypt(encRepositoryKey, passphrase)
// decrypt meta by repository key
encMeta = GetFileMetadata()
meta = Decrypt(encMeta, repositoryKey)
// decrypt data by repository key
encData = GetFileData()
data = Decrypt(encData, meta.IV, repositoryKey)There are no users, just repositories with passphrases which are used to log in to UI. Server issues JWT token for session that contains repository name (plain) and passphrase (encrypted by ServerKey). This token gives full access to repository.
- Lost ServerKey - Just JWT tokens are invalidated, data are OK, just put new one to appsettings.Production.json
- Lost AdminKey - Can't create new repos, data are OK, just put new one to appsettings.Production.json
- Lost Repository Passphrase - Your data are lost, undecryptable. There is not backup or recovery. nelson_haw_haw.png