Hi all, We aim to be a partner and reseller of Storj’s services, we have an application in build phase, almost complete, with one big step to completion, which is zero knowledge encryption. We have set up encryption on our app from user to our hosted server, but my question is, how does one go ahead and encrypt the user’s data all the way to the folder in the Storj bucket? Currently we have one shared bucket, with a folder for every user, but we are obviously able to see the user’s data in our Storj account’s bucket. We need end to end encryption from the user, to the Storj folder in the bucket. Has anyone achieved this, or attempted this? Thank you for your attention.
A bucket does not have a concept of folders, it’s all prefixes in the object names.
A Storj bucket can contain objects encrypted with different keys, and only the objects encrypted with the correct keys will be “visible”. So as long as users upload data with the keys they own – you or anyone else won’t be able to see them, albeit all being in the same bucket.
Out of curiosity, is it then still possible to remove these objects in case, let’s say, the user stops paying for the service?
Hi @arrogantrabbit, thank you for your reply. So are you saying that they need to generate Storj keys, through us as proxy?
Hello @isak,
Welcome to the forum!
Please take a look:
Yes, it’s possible, but you need to know the encrypted prefix in the bucket, so you will be able to delete it using uplink CLI.
For example, the bucket is “my-bucket”, the prefix is “client1”, however, since it’s a part of the final object name, it will be encrypted by the client’s encryption key. But since you do not know their encryption phrase, you cannot see this prefix with your keys, however, if you know its name in the encrypted form - you can remove all data with that prefix.
To see prefixes in the encrypted form:
uplink ls --encrypted sj://my-bucket
e.g.:
$ uplink ls --encrypted sj://my-bucket
KIND CREATED SIZE KEY
OBJ 2025-01-28 09:40:26 3925 AhTyrXSKqizav_ZsWhUjgqp_D58kwIFSScIizaTkM6XbUJCaXAN4Cjor9m4Fhbk9
PRE AnDZ77VHxZkBAv1sdTxupVbR_HL8bQt3Nrj2n3PJ-NiEtxeKYFS0/
PRE AovpRoxlRaLwmO-ufS4CEwpX-qkuARNZB8TfHEDOzJN2LTag_Uyzhw==/
PRE Ar-L-cdEWL5p9X-vXN-18oapfW6KufZa2LE2BUw5zwjdiYdinA==/
PRE AvH5Jd5GJT6w9EZ2H8EI-m7km2LNaulkT7F_QjzWuvLtnQ==/
PRE AvnbPJ654d8Yuk4dEPQ_4wRltIkICOmijKRbjVy3PzV5I2B8r0u2he2iCW74YMsmWTDVKW9sVTKY4MXD5_zeMPU=/
So, you can remove all for the prefix AnDZ77VHxZkBAv1sdTxupVbR_HL8bQt3Nrj2n3PJ-NiEtxeKYFS0/, for example:
uplink rm --encrypted --recursive sj://my-bucket/AnDZ77VHxZkBAv1sdTxupVbR_HL8bQt3Nrj2n3PJ-NiEtxeKYFS0/
And you can also implement an encryption replacement as in the example in my previous post, in that case the prefix would be visible for you, and since you provide everything else to the client - it can use it as a “folder”, and you will not see their data despite the visible prefix. But you can still delete this data in a similar way as above in encrypted form. The only problem is to store the encrypted prefix somewhere to be able to link it with the client. The simplest way is to use an object with this information or store it as metadata of the object in that bucket - so you will still be able to read it, because it’s encrypted with your keys, and the client will not be able to see it because they do not have your keys.
To store this relation as the object (I used a CSV format here, but you may use any convenient one, like binary or even a database, then use Object Mount to access it as a usual filesystem - need to test though):
echo -e "prefix,client\nAnDZ77VHxZkBAv1sdTxupVbR_HL8bQt3Nrj2n3PJ-NiEtxeKYFS0/,client1" | uplink cp - sj://my-bucket/client1.obj
To store this relation as the object’s metadata:
echo -e "prefix,client\nAnDZ77VHxZkBAv1sdTxupVbR_HL8bQt3Nrj2n3PJ-NiEtxeKYFS0/,client1" | uplink cp --metadata '{"prefix": "AnDZ77VHxZkBAv1sdTxupVbR_HL8bQt3Nrj2n3PJ-NiEtxeKYFS0/", "client": "client1"}' - sj://my-bucket/client1.obj
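An added example, not part of the original post or Storj's own tooling: a dry-run wrapper around the delete step above that reads the `prefix,client` CSV and only builds the `uplink rm --encrypted --recursive` command when exactly one well-formed encrypted prefix is found, because an empty or missing lookup would otherwise aim the recursive delete at the bucket root. The function names and the single-component prefix pattern are assumptions; the sample CSV is constructed from the values shown in the post.

```shell
#!/bin/sh
# Added example (not from the post): map a client to its encrypted prefix
# and build the delete command, refusing anything that is not one prefix.

# Constructed sample mapping in the post's "prefix,client" CSV layout.
# The client2 row has an empty prefix on purpose, to show the refusal.
SAMPLE_CSV='prefix,client
AnDZ77VHxZkBAv1sdTxupVbR_HL8bQt3Nrj2n3PJ-NiEtxeKYFS0/,client1
,client2'

# lookup_prefix CLIENT  (CSV on stdin)
# Prints the prefix column; succeeds only if exactly one row matches.
lookup_prefix() {
  awk -F, -v c="$1" '
    NR > 1 && $2 == c { print $1; n++ }
    END { exit (n == 1 ? 0 : 1) }'
}

# valid_prefix PREFIX
# Assumption based on the listing in the post: one path component of
# URL-safe base64 text followed by a single trailing "/".
valid_prefix() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_=-]+/$'
}

# build_rm BUCKET CLIENT  (CSV on stdin)
# Prints the uplink command for review; it never runs uplink itself.
build_rm() {
  rm_bucket="$1"
  rm_client="$2"
  rm_prefix="$(lookup_prefix "$rm_client")" || {
    echo "no unique mapping for $rm_client" >&2; return 1; }
  valid_prefix "$rm_prefix" || {
    echo "refusing prefix '$rm_prefix' for $rm_client" >&2; return 1; }
  printf 'uplink rm --encrypted --recursive sj://%s/%s\n' \
    "$rm_bucket" "$rm_prefix"
}

# Dry run over the constructed sample; nothing is deleted.
printf '%s\n' "$SAMPLE_CSV" | build_rm my-bucket client1
printf '%s\n' "$SAMPLE_CSV" | build_rm my-bucket client2 || true
```

In real use the CSV would come from the mapping object stored with your own keys, and the printed command would be reviewed before it is run.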