I was initially going to ask this question on my Twitter account, but it's a bit longer than I can get into 140 characters.
Unrelated to my project management software, I’ve been wondering about securely storing files in systems like Amazon’s S3. It seems like a great way to store files that you want to keep for your application but don’t need instant access to, but there’s trust issues. It’s not that I think Amazon are untrustworthy, but it’s my (or my customer’s) data in someone else’s hands. That makes me nervous.
The obvious answer is encryption, but it’s not an area I’ve terribly much background in and there’s always that fear of doing something silly and obvious which introduces gaping security holes.
Like, for example, using the SHA-1 hash of a file as its AES-256 key. I’d need to store the hash anyway to ensure that the file wasn’t mangled by Amazon (or the encryption/decryption process), and it’s quite long, so why not use it as the key?
I can’t think of anything obvious – you can’t derive that hash from the encrypted file and if you have the unencrypted file to generate the hash then you don’t actually need to decrypt anything.
But in my crypto inexperience I might be missing something. Am I?
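The following is an added example, written for this page and not code from the post, that builds the proposed scheme and runs the two checks a practitioner would want before using it. It assumes AES-256-GCM as the cipher and, because a SHA-1 digest is 20 bytes and AES-256 requires a 32-byte key, it substitutes SHA-256 as the content hash so the construction can run at all; the fixed nonce is deliberate and is explained in the comments. The sample document is constructed for the example. The checks it runs: the SHA-1 digest is rejected outright as an AES-256 key; encrypting the same content always produces the same blob, so anyone who holds the stored object and can guess the file (a standard form letter, a known PDF) can confirm the guess by re-deriving the key; and the hash stored to detect corruption is the decryption key, so the two cannot be held by the same party. A random-key variant is shown beside it for contrast.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// sha1KeyUsable reports whether the SHA-1 digest of data is accepted as an
// AES-256 key. SHA-1 yields 20 bytes; AES-256 needs exactly 32.
func sha1KeyUsable(data []byte) bool {
	digest := sha1.Sum(data)
	_, err := aes.NewCipher(digest[:])
	return err == nil
}

// contentKey derives the key the post proposes, with SHA-256 standing in for
// SHA-1 so the digest is the 32 bytes AES-256 requires (example assumption).
func contentKey(plaintext []byte) []byte {
	sum := sha256.Sum256(plaintext)
	return sum[:]
}

// sealWithKey encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func sealWithKey(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// encryptContentKeyed is the scheme under discussion. The nonce is fixed
// because every distinct file already gets its own key; the consequence is
// that identical files always produce identical blobs.
func encryptContentKeyed(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, 12) // all zeros, fixed on purpose (see above)
	return sealWithKey(contentKey(plaintext), nonce, plaintext)
}

// encryptRandomKeyed is the conventional alternative: fresh random key and
// nonce per file; an integrity hash can then be stored separately from the key.
func encryptRandomKeyed(plaintext []byte) (key, blob []byte, err error) {
	key = make([]byte, 32)
	nonce := make([]byte, 12)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	blob, err = sealWithKey(key, nonce, plaintext)
	return key, blob, err
}

// confirmGuess models an adversary holding the stored blob (the S3 object)
// and a candidate plaintext: re-derive the key, re-encrypt, compare. This
// confirms whether that exact file was stored without attacking AES itself.
func confirmGuess(storedBlob, guess []byte) bool {
	trial, err := encryptContentKeyed(guess)
	return err == nil && bytes.Equal(trial, storedBlob)
}

// decryptWithKey reverses sealWithKey; it is what the legitimate reader runs.
func decryptWithKey(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	// Constructed sample: a document an outsider could plausibly guess.
	doc := []byte("Dear customer, your contract is hereby terminated.")
	fmt.Println("SHA-1 digest accepted as AES-256 key:", sha1KeyUsable(doc))
	blob, _ := encryptContentKeyed(doc)
	fmt.Println("guess confirmed against stored blob:", confirmGuess(blob, doc))
	fmt.Println("wrong guess confirmed:", confirmGuess(blob, []byte("something else")))
	key, rblob, _ := encryptRandomKeyed(doc)
	pt, _ := decryptWithKey(key, rblob)
	fmt.Println("random-key roundtrip ok:", bytes.Equal(pt, doc))
}
```

Note that `decryptWithKey(contentKey(doc), blob)` is the legitimate decryption path in the content-keyed scheme, which is exactly why the stored integrity hash cannot be kept next to the ciphertext: whoever reads both reads the file.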