Scheme for Encrypting Personal Data in the Cloud

Cory at Boing Boing links to an open source project for encrypting your data in the cloud in a way that a service cannot access it. The user’s password is used as the decryption key which would work better than you’d imagine. Most legitimate services don’t actually store your password, rather they store a digest with which they can confirm your correct password with a high degree of confidence without having to know the password. This is web application security 101 since it not only helps protect in the event of a data leak but also helps reduce the operators liability.

The system seems to be based on OpenPGP so builds on known, proven technology. In digging through the project sources quickly, it actually uses Bouncy Castle, a set of libraries with which I have some experience and can say they are pretty good.

When the user is logged out, the explicit removal of their password re-encrypts the data. There is also apparently some consideration given to shared secrets, conceding that much data you put online is for the express purpose of sharing.

If you are curious, the code is available on github and is made available under a generous MIT license.

Leave a Reply

Your email address will not be published. Required fields are marked *