Krypté - A database encryption service w/ multiple user support.
    use App::Krypte;

    my $app = App::Krypte->new(
        dsn         => 'dbi:mysql:dbname',
        db_username => 'alice',
        db_password => 'secretz',
    );
I am not a security expert, so use with caution.
If you see a flaw, PLEASE submit an issue or better yet submit a PR with the reason why your change is better and more secure.
Krypté is a service that provides a simple API to developers so they don't have to worry about how they encrypt their data. Instead they send it off to Krypté and it's taken care of.
Krypté's method of encrypting data and managing multiple users looks like this:
- One random master key (or share_key) is created.
- A random user key is created and used to encrypt the master key.
- The user key is encrypted with a password for that user.
- The encrypted user key and master key are stored for that user in the database.
- Krypté receives credentials and a chunk of data.
- The credentials are validated.
- The shared key is retrieved.
- If the credentials are a username and password, the encrypted user key stored for the username is decrypted using the password.
- The user key is then used to decrypt the shared key.
- The shared key is used to encrypt the data using Crypt::CBC with the Blowfish cipher.
- The encrypted result is stored with a sha1 key of the data.
- The key is returned to the initial requester as a key for the data.
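The key hierarchy and storage flow listed above, sketched as an added example (this is not App::Krypte's own code). It assumes Crypt::CBC and Crypt::Blowfish are installed; the in-memory hashes and the sub names wrap, unwrap, add_user, shared_key_for, store and fetch are hypothetical stand-ins for the database tables and the module's methods.

```perl
use strict;
use warnings;
use Crypt::CBC;                  # Blowfish also needs Crypt::Blowfish installed
use Digest::SHA qw(sha1_hex);

# Passphrase-style wrap/unwrap: Crypt::CBC derives the cipher key from the secret.
sub wrap   { Crypt::CBC->new(-key => $_[0], -cipher => 'Blowfish')->encrypt($_[1]) }
sub unwrap { Crypt::CBC->new(-key => $_[0], -cipher => 'Blowfish')->decrypt($_[1]) }

my $shared_key = Crypt::CBC->random_bytes(32);   # one master key for the system
my (%users, %blobs);                             # hypothetical stand-ins for the DB tables

sub add_user {
    my ($name, $password) = @_;
    my $user_key = Crypt::CBC->random_bytes(32);
    $users{$name} = {
        enc_shared_key => wrap($user_key, $shared_key),  # user key wraps master key
        enc_user_key   => wrap($password, $user_key),    # password wraps user key
    };
}

sub shared_key_for {
    my ($name, $password) = @_;
    my $rec = $users{$name} or die "unknown user\n";
    my $user_key = unwrap($password, $rec->{enc_user_key});
    return unwrap($user_key, $rec->{enc_shared_key});
}

sub store {
    my ($name, $password, $data) = @_;
    my $id = sha1_hex($data);    # deterministic: identical data maps to the same key
    $blobs{$id} = wrap(shared_key_for($name, $password), $data);
    return $id;
}

sub fetch {
    my ($name, $password, $id) = @_;
    return unwrap(shared_key_for($name, $password), $blobs{$id});
}

add_user(alice => 'secretz');    # constructed sample credentials
add_user(bob   => 'hunter2');
my $id = store('alice', 'secretz', 'card=4111-constructed-sample');
print "stored under $id\n";
print "bob reads: ", fetch('bob', 'hunter2', $id), "\n";   # same shared key, different user

# CBC carries no integrity check: a wrong password fails or yields garbage,
# so the recovered value must not be trusted without a separate verification.
my $bad = eval { shared_key_for('alice', 'wrong-password') };
print "wrong password recovers the key: ", (defined $bad && $bad eq $shared_key ? "yes" : "no"), "\n";
```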
Creates or overrides the user hash with the given info
Using a valid admin user, remove the given user
$self->new_user is a function to create a new user and all the related keys.
find_user will search for the given user name and resolve the returned promise with a hash of the user's information.
Given a user and password or given a token, get_shared_key will return the unencrypted shared key for the system.
Handle the shared key with care. It should never be left anywhere (memory or disk) unencrypted.
create_session will create a temporary session for the given user and password. It returns the session token, which can be used by the application to decrypt all future traffic. It will also set up an automatic timer to kill the session based on a hard-coded value.
end_session will completely remove a given session token from memory. If this isn't called by the client, it will be automatically called after a hard-coded timeout period. end_session takes the unpacked form of the token as the session_token parameter.
validate_credentials will return a promise which will return a boolean based on whether the provided credentials are valid or not. The user and password are only validated by checking to see if the user exists in the current hash.
put_data will take data and credentials to store the data encrypted into the database.
get_data will return the data from the db given valid credentials.
dbh returns the database handler based on the app's config. If the connection has already been created, it returns that instead.
Sean Zellmer sean@lejeunerenard.com
Copyright 2015 - Sean Zellmer
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.