andygeers / firebase-keysafe
A backend service to aid in encrypting a Firebase database by securely storing user's data encryption keys.
License: MIT License
Hi,
I just followed the instructions but I am getting the error:
ImportError: No module named oauth2client.client
I have already tried suggestions from SO posts like:
but no luck...
Can you share exactly what versions of packages (and Python) you are using?
Thanks!
I'm having issues testing the script locally. I am able to run the development app server on my local machine, however when I make a request, I am getting an error. Any suggestions on how to fix/debug this issue? I've redacted some information using .
POST /key?key=<KMS_API_KEY> HTTP/1.1
Authorization: Bearer <INSERTED USER OAUTH TOKEN HERE>
Host: localhost:61668
Connection: close
User-Agent: Paw/3.1.8 (Macintosh; OS X/10.14.4) GCDHTTPRequest
Content-Length: 0
Error
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
Date: Sat, 15 Jun 2019 00:09:07 GMT
Server: Nathans-MacBook-Pro.local
�»�cexceptions
RuntimeError
p0
(S"ProtocolBufferDecodeError('Required field: service_name not set.\\n\\tRequired field: method not set.\\n\\tRequired field: request not set.',)"
p1
tp2
Rp3
Just having a dig around this project, after reading your interesting blog post.
I noticed this code in main.py:
import base64
import hashlib
import os
import re

class KeyGenerator(object):  # enclosing class name assumed; main.py's real class is not shown here
    # strips CR/LF from the base64 output (assumed definition of the attribute used below)
    line_ending_stripper = re.compile(r"[\r\n]")

    def generate_random_key(self):
        password = b"<USE_A_SECURE_RANDOM_PASSWORD_HERE>"
        salt = os.urandom(16)
        iterations = 20000
        key_len = 16
        raw_key = hashlib.pbkdf2_hmac('sha1', password, salt, iterations, key_len)
        ascii_key = self.line_ending_stripper.sub("", base64.b64encode(raw_key).decode('ascii'))
        return ascii_key
PBKDF2 should be used when turning a user-supplied password into a key of a suitable length.
If you want to generate a random key, just use os.urandom(16)
(or whatever length you need). It is more secure.
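The distinction raised above, as an added example that is not part of the project or of the commenter's post: a random data-encryption key taken straight from the OS CSPRNG, a password-derived key where PBKDF2 actually belongs, and a function that reproduces the shape of the original `generate_random_key` to show that with a constant password the output is a pure function of the salt, so the 20000 iterations buy nothing. Function names and the iteration count of 200000 for the password path are my choices, not the project's.

```python
import base64
import hashlib
import os

# Added example, not code from the firebase-keysafe project.

def generate_random_key(length=16):
    """Fresh data-encryption key straight from the OS CSPRNG, base64-encoded.
    base64.b64encode never emits line breaks, so no stripping is needed."""
    raw_key = os.urandom(length)
    return base64.b64encode(raw_key).decode("ascii")

def derive_key_from_password(password, salt, iterations=200000, key_len=16):
    """Key of key_len bytes from a user-supplied password (where PBKDF2 belongs).
    PBKDF2 is deterministic: same password + same salt -> same key, which is the
    property you want for a password and exactly not what a random key needs."""
    if not isinstance(password, bytes):
        password = password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)

def key_from_fixed_password_and_salt(salt, iterations=20000, key_len=16):
    """Same construction as the original code: a constant password stretched
    with a random salt. Given the salt, anyone can recompute the key, so all of
    the key's secrecy is the salt's 16 random bytes; the stretching adds nothing."""
    password = b"<USE_A_SECURE_RANDOM_PASSWORD_HERE>"
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_len)

def salt_determines_key():
    """Show that the 'random' key of the original construction is fully
    determined by the salt: two derivations with one salt agree, two salts differ."""
    salt_a = os.urandom(16)
    salt_b = os.urandom(16)
    same = key_from_fixed_password_and_salt(salt_a) == key_from_fixed_password_and_salt(salt_a)
    different = key_from_fixed_password_and_salt(salt_a) != key_from_fixed_password_and_salt(salt_b)
    return same and different

if __name__ == "__main__":
    print("random key:", generate_random_key())
    print("key is a function of the salt:", salt_determines_key())
```

If a key must be persisted or transported as text, keep `generate_random_key` as the source and treat the encoding as a presentation detail; the key material is the 16 bytes from `os.urandom`, nothing more.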
I was reviewing your blogpost and the source code for this project because I am currently interested in implementing something similar.
From my understanding, the reason for implementing this project in this way is to make it so 2 different google accounts would need to be compromised in order for any individual's user data to be accessible. However, if someone got Admin access to just the firebase account, couldn't they then just use the firebase admin SDK to create a custom auth token for the user, submit that to google app engine and grab the decrypted encryption key plus any of the encrypted data on firebase?
Just want to see if I am missing something?
I have a question regarding your blog post: whether we have to store the KMS key on the client side to encrypt and decrypt the DEK, or whether we will fetch this KMS key from the server and perform the operation on the client side.
I found this repository via your article at http://www.geero.net/2017/05/how-to-encrypt-a-google-firebase-realtime-database/ which helped me a lot in trying to understand the architecture for an app with similar requirements I am currently designing. Thank you for writing this up.
There is one question I would still have, though, that I am struggling with when transferring these concepts to a non-Firebase / Google Cloud world: considering that the KMS service lives in a different account than the database, how would this make sure an attacker who gains access to the account that the database belongs to does not gain access to also calling the KMS service (i.e. calling GET '/decrypt?value=<encrypted_key>')?
Is authentication against the KMS service being handled by some Firebase feature that I am not aware of in this setup? In case yes, how could one build a similar setup without it?