Nowadays, many applications use cloud storage providers such as Amazon S3 or Microsoft Azure. These services are very convenient; however, they have not yet cracked the data protection issue as the responsibility for data security is thrown right back at their clients. Here is a list of their security offerings and their shortcomings:
Encryption in transit: this is the “S” in HTTPS. The data is encrypted while it is in transit, yet it is vulnerable as soon as it arrives on the server.
Encryption at rest: this means that the cloud storage provider encrypts the data on the hard drives of their storage servers. Whether the keys used for encryption are stored on their storage service or on your servers, the threat model is largely the same. You must trust the infrastructure that runs your servers and, if it gets compromised, an attacker will be able to dump all the encrypted data and the key to decrypt it.
These two techniques protect the data between the client and the server and between the server and the storage server, but the data is still vulnerable because it is unprotected on the server itself.
Trust is a personal choice; your users shouldn't have to trust you for your good technical choices. An ideal solution should be able to protect your app from data leaks such that if someone gets access to your server, they will not be able to decrypt your users' data. This solution would relieve you from these trust issues while keeping all of the advantages provided by cloud service providers.
End-to-end encryption is a solution where the data is encrypted on the client and the encryption keys stay on the client’s devices. With this solution, your servers don't see any clear user data. As such, they will not be able to leak that user data if they ever get compromised.
The main issue becomes that only the device that encrypted the data is able to decrypt it. So you will need to securely exchange the encryption keys between devices to allow a user to access their data on all their devices, and to allow a user to share their data with other users. This is non-trivial as we cannot expect users to handle their keys themselves.
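The idea in the two paragraphs above can be sketched with Node's built-in crypto module: each file gets a random key, and that key is wrapped once for every device allowed to read the file. This is an added example, not Tanker's or FileKit's code or protocol; the function names, the X25519 + HKDF + AES-256-GCM construction and the sample data are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers: seal returns everything needed to open again.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key or data is wrong
}

// Key-wrapping key from an X25519 shared secret, bound to the ephemeral public key.
function wrappingKey(privateKey, publicKey, ephPubDer) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, ephPubDer, 'file-key-wrap', 32));
}

// Client side: one random key per file, wrapped once per recipient device.
function encryptForDevices(plaintext, devicePublicKeys) {
  const fileKey = crypto.randomBytes(32);
  const wrapped = devicePublicKeys.map((publicKey) => {
    const eph = crypto.generateKeyPairSync('x25519');
    const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
    return { ephPub, ...seal(wrappingKey(eph.privateKey, publicKey, ephPub), fileKey) };
  });
  return { body: seal(fileKey, plaintext), wrapped }; // all the server ever stores
}

// Device side: try each wrapped copy; only a listed device's private key opens one.
function decryptOnDevice(stored, devicePrivateKey) {
  for (const w of stored.wrapped) {
    try {
      const ephPub = crypto.createPublicKey({ key: w.ephPub, format: 'der', type: 'spki' });
      const fileKey = open(wrappingKey(devicePrivateKey, ephPub, w.ephPub), w);
      return open(fileKey, stored.body);
    } catch { /* wrapped for another device, or data was modified */ }
  }
  return null;
}

// Constructed demo: a user's laptop and phone are recipients; the "intruder" key pair
// stands for anyone who holds a full copy of `stored` but no recipient private key.
const laptop = crypto.generateKeyPairSync('x25519');
const phone = crypto.generateKeyPairSync('x25519');
const intruder = crypto.generateKeyPairSync('x25519');
const stored = encryptForDevices(Buffer.from('lab results'), [laptop.publicKey, phone.publicKey]);
console.log(decryptOnDevice(stored, phone.privateKey).toString(), decryptOnDevice(stored, intruder.privateKey));
```

Recipient public keys must be authentic for this to hold: if the server can substitute its own key in the recipient list, it receives a wrapped copy of the file key.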
After a few years of building solutions to help developers secure data exchanges in their apps, we at Tanker designed a new product solving an array of common use cases with cloud storage providers. This product implements end-to-end encryption and solves the key exchange problem to keep the user experience pleasant while enabling you to:
Securely share files with individuals both inside and outside your organization. Files can be read only by the intended recipient. Allow secure collaboration on files in critical domains: medical, legal, journalistic, contractual etc.
Meet regulatory and policy requirements. Enhance trust by guaranteeing your customers’ privacy.
Focus on your business logic. It is straightforward and easy to implement and you won’t have to handle the cryptography at all.
FileKit is a secure cloud storage service that handles all cryptography and key exchanges seamlessly, letting you focus on what's important.
FileKit comes with the following features:
Upload, download and share files up to 2GB
Use end-to-end encryption
Easy to integrate in your app
Built-in UI component for user identity verification
Here is an example of a file transfer application built with FileKit: https://tankerhq.github.io/filekit-tuto-app/.
PS: This article was originally written by Loïc Banet. It's been reproduced here to give you a chance to see it in your notifications feed.