Skip to main content

cloudCrypt Setup

Content The Pi Soft CloudCrypt is a collection of end-user and developer tools and libraries for encrypting data destined for networked or cloud storage. Data is encrypted and decrypted as it transferred to and from storage using the Pi Soft Java Cryptography Extension. Currently, CloudCrypt Connectors exist for Amazon Web Services S3, Microsoft Azure, Dropbox, and for private networked storage. cloudCrypt is a library with container-provided (passive) thread management, connectors with file I/O and stream I/O interfaces. The End User Edition includes a Command Line Utility.  The utility can encrypt or decrypt while copying files to or from the supported cloud storage.  The Platform Edition can be used with Pi Soft JCE to add cryptographic capabilities to applications which transfer data (files or streaming) to the supported cloud storage or private networked storage. Artifacts - Pi Soft cloudCrypt:  cloudCrypt-version.jar - Pi Soft JCE:  ErucesOnlineJce-version.jar - Pi Soft JCE library files:  liberucesjce.so and erucesjce.dll - Tricryption Agent:  TEAdmin-version.jar - Pi Soft Kerberos library:  KerberosContext.dll Other Java libraries:  lib folder - aws-java-sdk-1.8.9.1.jar - for AWS S3 - azure-storage-1.3.1.jar - for Microsoft Azure - dropbox-core-sdk-1.7.7.jar - for Dropbox - commons-cli-1.2.jar - commons-codec-1.6.jar - commons-logging-1.1.3.jar - httpclient-4.3.3.jar - httpcore-4.3.2.jar - jackson-annotations-2.3.3.jar - jackson-core-2.3.3.jar - jackson-databind-2.3.3.jar - joda-time-2.4.jar Other - Settings.ini (for End User Edition) - cloudCrypt.bat (for End User Edition) PrerequisitesPi SoftKey Service Pi Soft kS Versions Supported:  cloudCrypt is supported by the Pi Soft kS version 6.7.3 - 6.10.0.  Please use the appropriate TEAdmin.jar for the version of Pi Soft kS you are using.  For version 6.7.3 - 6.7.6 use TEAdmin-6.7.6.1.jar.  The other jars are currently 6.10.0.  The algorithm used will be the default algorithm as specified in the kS Manager.  The default algorithm must be AES (128, 192, or 256). kS Authentication and Authorization Directly within cloudCrypt users may be authenticated using a PKCS12 certificate or Pi Soft native credentials.  Using the Pi Soft JCE or when using the cloudCrypt command line utility, users may be authenticated by native credentials or a PKCS12 certificate.  Lastly, any authentication method can be used to create an Pi Soft token which can then be provided when using the cloudCrypt CLI utility or the Pi Soft JCE. Users must have the Encryptor and Exchanger Roles to encrypt and decrypt using the cloudCrypt classes. Audit Logging Authentication and authorization are logged in the primary Audit Log table:  te_AuditLogEx.  Creating keys and exporting keys are also logged as these operations take place within the key service.  The cryptographic operations are outside the key service, however, the te_EventLog table is used to record the cloudCrypt input and output uris and associated T-Tag.  (te_EventLog is also available for use to record operations made by other developed applications.) Java The Java Runtime Environment must be Eclipse Temurin 8 (baseline jdk8u492-b09) or later, and must support TLS 1.3.  The JRE must also be a 64 bit version and not 32 bit running as 64.  In Windows, 32 bit Java running as 64 bit is located in the C:\Program Files (x86)\ folder.  The 64 bit version of Java is located in the C:\Program Files\ folder. Current Temurin JDKs ship with the unlimited-strength cryptographic policy enabled by default; no separate JCE policy files are required.

Usage

Pi Soft kS

Information about the Pi Soft key service must be available and set as Properties.

  • The key service host, either IP or FQDN.  For example “10.60.2.34”
  • The port to use.  The default port for SSL/TLS connections is 8888.

Pi Soft authentication information must be available and set as Properties.  The authentication method dictates the information set.

  • setCertErucesCredentials requires a path to a PKCS12 file and the password.
  • setNativeErucesCredentials requires a native Pi Soft user name and password.

Lastly, an Access Control List Template name can be passed.  This creates the Access Control List associated with either the file or the bucket key.

  • setAclTemplate is the ACL Template name. For example “Group B Template”

AWS S3 Connector

The following information from AWS must be available and passed or set as Properties as appropriate.

  • s3.Site is the Amazon Web Service S3 url. For example "s3.amazonaws.com"
  • s3.AccessKey is your AWS access key ID.  For example "AKIAIISACARN4BXXMRVA”
  • s3.SecretKey is your AWS secret key.  For example "fYjpNNDrgC6LuEBij57+bVF841Yx2GJqMme0FOW8 "
  • s3.BucketPolicy is the AWS policy which stores information about the key to use for a particular S3 bucket.  The default policy is used unless disablePolicy is specifically called.  See below for more information about bucket policies.

Optionally, an AWS session token can be passed too.

  • S3.SessionToken.
AWS S3 Bucket Policy

The AWS S3 bucket policy can also be used.  The S3 policy is used when a single key is to be used for an entire S3 bucket.

In order to use a single bucket key, all users must have the following AWS bucket access permission:  s3:GetBucketPolicy

The user who creates the key and corresponding T-Tag must have the following AWS bucket access permission:  s3:PutBucketPolicy

The first time a file is uploaded into an S3 bucket, the corresponding T-tag is saved into bucket policy. An AWS administrator can also manually add this policy instead.

When a T-tag is presented in the named bucket policy, all encryption uploads will try to use the same T-Tag.  Authorization for use of the key is called before file transfer begins to ensure the current user is authorized to export the key.

To export the key, the user or a Group to which the user belongs must be listed on the ACL with read and write permissions.  To ensure the user or Group is listed on the ACL with read and write permissions, the ACL Template named when creating the T-Tag must list the user or Group with ACL (not ACL Template) read and write permissions.

Users who are listed on the ACL for files within an AWS S3 bucket will be able to decrypt items using Pi Soft utilities or through Secure Folders provided an authorized user copies the encrypted file to the local file system.

Below is an example of the AWS S3 bucket policy after it has been populated with the T-Tag.

To not use the S3 bucket key policy, change the Setting.ini file so S3.BucketPolicy=disabled when using the CryptMP CLI utility or use the disablePolicy method.

{ "Version": "2012-10-17",
"Statement": [
{
"Sid": "ERUCES.TTag:U/0AyM4d2va8P17VSEvgZl08OjX+SNEclpy6bzsYGtbW84FEsjvUpw==",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::forthreadtest",
"Condition": {
"IpAddress": {
"aws:SourceIp": "0.0.0.0"
}
}
}
]
}

Dropbox Connector

The following information from Dropbox must be available and set as Properties as appropriate.

  • dbx.Token is the Dropbox access token.
  • dbx.Application is your Dropbox application name

Microsoft Azure Connector

The following information from Azure must be available and set as Properties as appropriate.