Implementing Client-Side File Encryption for an Enterprise Document Management Platform
Helevä, Salle (2023)
Master's Programme in Information Technology
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Acceptance date
2023-03-30
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tuni-202303072795
Abstract
M-Files is a document management platform used by enterprise customers. Customers may wish to use M-Files for sensitive documents whose confidentiality cannot be entrusted to third parties. To this end, a system should be implemented that enables a customer to use M-Files for managing such documents without requiring trust in the security capabilities of M-Files. This thesis examines how client-side file encryption can be implemented for M-Files and proposes the M-Files Confidential Document System (MFCDS), a client-side file encryption system. A customer of M-Files can use the MFCDS to create confidential documents that are encrypted on the client side with keys owned by the customer. The system is integrated into the web client of M-Files using browser-based technology.
An implementation plan for the MFCDS system is presented. Hybrid encryption is used to enable users to share access to encrypted files using public key cryptography, while the more efficient symmetric cryptography is used for encrypting the files themselves. User keys are stored in a remote key management system owned by the customer. The key management system is accessed via a web API that implements a simple protocol for key management. The protocol enables envelope encryption and a public key infrastructure built on user keys.
The proposed implementation plan is followed to its completion, and a proof of concept is implemented. The protocol of the key management API is defined and the API is implemented as a cloud application on the Azure cloud computing platform. The client-side implementation entails changes to the web client of M-Files. The built-in browser-based cryptography module Web Crypto is used for cryptographic algorithms on the client side. A simple user interface is implemented to demonstrate the system in practice.
The efficiency of the implementation is evaluated with performance tests. It is found that the implementation provides good performance for files of a moderately large size. The performance was also found to scale well when the system is used to share encrypted files with hundreds of users.