stash is a private dropbox.
If you want someone to be able to upload files from their browser directly onto your computer at home, install stash once, and allow dedicated access to your friends to share files with you. Maybe your dad wants to send you the video from the family event, or a colleague a huge database, stash might be the right thing. If you run stash on a server on the internet, your uploads are encrypted and only accessible with your secret PGP key. There’s a short time when the file is unencrypted in memory (but not on disk!) on your server while uploading, but you can get around that uploading stuff that is already encrypted.
where’s the screenshots? here: screenshots/
stash should be easy to use for uploaders, while providing the following attributes:
- Allow upload of huge files (I know, it’s HTTP, still).
- The only private information retained is the public PGP keys of the stash owners. No passwords even. Just make an extra PGP key and email for an added anon factor.
- Uploaded files are automatically encrypted with the stash owners key. This can be disabled, if you want to upload data that is already encrypted.
- Stash owners are automatically emailed to the email address listed in their public key about new uploads. These emails are also PGP encrypted.
- User authentication is done using tlsauth: uploaders do not need a cert, new stash owners registering either, but all other parts require valid certs.
- Stash IDs are generated randomly and should be hard to guess, this the only protection - tlsauth does not protect these upload forms - this is intentional to make it useful for “mom”. however you can also specify your own human parseable stash ID if needed, tlsauth should be mandatory then for uploads as well.
- Even though stash uses certificates for authentication, the user management is very simple and similar to normal user admin workflows, the only difference is that users have to import their cert into their browser after certification.
If you are of the adventurous type you might want to try out the automatic and never-before tested install.sh, which does all - except the last two: “import” and “done” - these below automagically. Otherwise you’ll be setting up an onion service, nginx, a CA and related certificates, importing some of them into browsers and also configuring the stash.
tlsauth, nginx
Setup a tor hidden service
If you don’t need a hidden service (why not? - it’s nice to go behind NAT), then you can skip this, but the install script does it anyway.
Create this hidden service in your /etc/tor/torrc file:
sudo cat >>/etc/tor/torrc <<EOT
HiddenServiceDir /var/lib/tor/stash/
HiddenServicePort 443 127.0.0.1:23443
HiddenServicePort 80 127.0.0.1:23080
EOTthen restart tor and get the hostname:
sudo /etc/init.d/tor restart
sudo cat /var/lib/tor/stash/hostnameremember this hostname and use it in all later steps.
git clone https://github.com/stef/stash
cd stash
pip install -r requirements.txtAfter also installing the necessary dependencies, we can
…for signing the https server certificate and the subCA.
./tlsauth.py CA createca http://<hostname>/crl.pem "<hostname> CA" email1@<hostname>…for the client auth keys
./tlsauth.py subCA createca http://<hostname>/client-crl.pem "<hostname> client CA" email@<hostname> CA./tlsauth.py CA newcsr <hostname> root@<hostname> >CA/server.key./tlsauth.py CA sign <CA/server.key >CA/public/server.pemIt is important to remove and store the root CA private key in a safe offline location, as it can be used to mount a MITM attack against all users, who trust this key. You need this key in 1 year, when you need to renew your client CA certificate (per default it’s only valid for one year!)
mv root-ca/private/root.key <private and save location>Adapt the path “/var/run/stash” and the hostname in stash.nginx.conf, then
cp stash.nginx.conf /etc/nginx/sites-available/stash
ln -s /etc/nginx/sites-available/stash /etc/nginx/sites-enabled/
/etc/init.d/nginx restartThis step is like setting up the admin account on other systems:
./tlsauth.py subCA newcsr joe joe@localhost >joe.key
./tlsauth.py subCA sign <joe.key >joe.cert
./tlsauth.py root-ca p12 joe.key <joe.cert >joe.p12Store the files ending in .key and .cert in some safe offline storage.
edit cfg.py and set:
- ‘sender’ to some email address for the origin of mails sent by stash
- ‘admins’ is a list of emails, that when presented a certificate with an email in this list, the user will have admin privileges.
- ‘secret’ to some long random string
- ‘root’ to some path which will serve as root for all file operations.
- ‘ca’ to the directory containing your CA files under ‘root’
- ‘notify’ to False if you don’t want any notifications being sent out after uploads.
uwsgi --socket 127.0.0.1:23023 --chdir $PWD --pp $PWD/.. -w stash -p 1 --py-auto-reload 1Open in your favorite browser the following url: http://<hostname>/cert.pem
Which should offer you to automatically import the CA root certificate into your browsers, and it also asks you what you want to trust it, allow your browser to trust this CA with servers and user, but not software.
Also download and import the .p12 certificate generated in “Create your own client Certificate” into your browser.
visit:
- To create a new stash: https://<hostname>/settings/newstash
- to list stashes: https://<hostname>/settings/stashes
- to list user access requests: https://<hostname>/settings/requests
Your friends can now request access to your stash by going to: https://<hostname>/settings/register
However this generates the certificate in your browser, and if you - as I - do not trust your browser, you might want to generate your keys and certs offline in a more controlled environment and upload your CSR here: https://<hostname>/settings/request
Also my firefox did not store the generated key in the keystore, so i had to use a proper CSR anyway.