File: README.md

package info (click to toggle)
opaque-store 0.2.0-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 404 kB
  • sloc: python: 599; ansic: 23; makefile: 16
file content (106 lines) | stat: -rw-r--r-- 3,101 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
 
# OPAQUE-Store server

OPAQUE-Store is a simple protocol that allows anyone to store
encrypted blobs of information online, with only a password needed to
retrieve the information. As the name implies it uses the OPAQUE
protocol to do so. OPAQUE-Store uses the `export_key` feature of
OPAQUE to encrypt the data that is stored on the OPAQUE-Storage
server.

# Dependencies

you need to install

 - libsodium
 - liboprf https://github.com/stef/liboprf/
 - libopaque https://github.com/stef/libopaque/

on debian (unstable) you can install the -dev packages.

# Building

You need zig 0.13 at least to build, simply do

  `zig build`

# Configuring

Configuration will be looked for in the following order

  - /etc/opaque-stored/config
  - ~/.config/opaque-stored/config
  - ~/.opaque-storedrc
  - ./opaque-stored.cfg

For an example file see the file `opaque-stored.cfg` in this directory.

The most important is to have a proper SSL certificate, in the times of Let's
Encrypt this should not be a big challenge. You do need a domain name you
control for this though, but that is a requirement for public servers
anyway. If you have a domain name, you can run on that host something like
this:

```sh
sudo certbot certonly --standalone --preferred-challenges http -d example.com
```

If you run a server that is publicly available on the internet, we recommend to
run it on port 443, which - if you ever go to a restricted network environmet -
has the biggest chances that a firewall will allow to access this.

## Configuration Example

The following is a basic configuration example for a server.

```
[server]
# the ipv4 address the server is listening on
#address="127.0.0.1"

# ssl key
ssl_key="server.der"

# ssl cert
ssl_cert="cert.pem"

# the port on which the server is listening, use 443 if available, so that
# the server can be accessed from behind tight firewalls, default: 8080
port=2523

# tcp connection timeouts, increase in case you have bad networks, with the
# caveat that this might lead to easier resource exhaustion - blocking all
# workers.
#timeout=3

# the root directory where all data is stored, default: /var/lib/opaque-stored
datadir="data"

# how many worker processes can run in parallel
# max_kids=5

# whether to produce some output
verbose=true

# key
record_salt="some random string to salt the record ids"

# Especially if you run a public server you want to limit the maximum size of
# stored blobs
max_blob_size=8192

# lock a record after this many failed password attempts.
max_fails=3

# a file containing the long-term signing key of the server - this is only
# needed for participation in threshold setups. Can be generated by running the
# client with parameter: "opaquestore genltsigkey >ltsigkey.key"
ltsigkey="ltsigkey.key"

# set how long a message is considered fresh during a DKG protocol, any
# messages that have timestamps that are older than this many seconds will
# abort the DKG protocol. Increase this value if you have/expect laggy links.
ts_epsilon=600

# the number of recovery tokens a server holds for each blob
max_recovery_tokens=5
```