GSoC 17 : Client Side File Encryption : Week 5

Note: This is a repost of the original Blog post during GSoC ’17. As my AWS instance went down, I’ve been migrating my old blog posts here.
Originally posted on: 12th July 2017

This blog post summarises my fifth week of working with Google Summer of Code 2017 with Drupal.

Sandbox to implement the file encryption

This week I created a sandbox page in the router to test standalone file encryption. It utilised the HTML5 FileReading API to get the contents of the selected file that needs to be encrypted.

var reader = new FileReader();

An alternative would be:

var reader = new FileReaderSync();

But again this API is only supported in the newer browsers that support HTML5. The HTML5 LocalStorage API also has similar limitations.

reader.readAsText(filename,’encoding-type’) would then open and read the contents of that file.

var encrypted = CryptoJS.AES.encrypt(, password);

WIll then store the ciphertext of the contents if the file in the encrypted variable. This operation uses the cryptoJS library.

It can also be stored as a Binary Large Object (BLOB) using

var blob = new Blob([ciphertext], { type: ‘text/plain’ });

Changing trigger for Group Key generation

According to the initial architecture as proposed in the Project proposal, the Group Access keys (AES-256 keys) that were to be used to encrypt/decrypt the files were going to be generated on the admin’s browser on module installation/new group creation but as pointed out by Adam (nerdstein) in the architecture document review, if all group keys for all roles are being generated by the admin, the very purpose of the zero-knowledge nature of the architecture is defied as all the keys are now accessible by one central system administrator.
Now the group keys will be generated by the members of that role. The JS methods responsible for generating these keys will be triggered upon the first login by user from each role on the post login hook. To accomplish this, a new REST resource was created named “groupKeys”. A GET request to the same would return a JSON object all the roles where the group access key has not been generated yet of which the current user is involved in.

The JS libraries to go with

Toward the beginning of the project I had listed an array of available JS libraries that can be used for the various crypto requirements of the project. After coming across various implementations of such cryptosystems and considering the limitations, the ones that are being used in the module are:

Now that I have sandbox file encryption where I’m able to generate the ciphertext for a given file, I will be working to implement it and embed the JS into the form field where files are uploaded. I will be looking into and altering the default file upload method, overriding it and sending that file after encryption instead of the file as cleartext.