Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependent dbs #10

Open
calvinmetcalf opened this issue Mar 23, 2015 · 6 comments
Open

Dependent dbs #10

calvinmetcalf opened this issue Mar 23, 2015 · 6 comments

Comments

@calvinmetcalf
Copy link
Collaborator

When an index is created the new dependent db won't have the transform, E.g.if you use crypto pouch your query index is not encrypted
@nolanlawson
Copy link
Member

Yeah, that's a good point. If we encrypt it, though, then the index is almost useless because you can't iterate it (assuming we encrypt the keys).

The only case where I think this may make sense would be to encrypt the values but NOT the keys, but then we'd need to trust the user to know that their keys will be unencrypted. Else we could let them encrypt the keys, but with the knowledge that their keys won't be ordered anymore.

Personally I've never used values much, so for me I would just make an index on a key that doesn't need to be encrypted and then use include_docs: true when I read from it.

@calvinmetcalf
Copy link
Collaborator Author

That is a good point, currently crypto pouch does only encrypt values not
keys, I might end up having to do something weird like make a memdown
pouch, serialize it and encrypt that.

On Mon, Mar 23, 2015, 8:42 AM Nolan Lawson [email protected] wrote:

Yeah, that's a good point. If we encrypt it, though, then the index is
almost useless because you can't iterate it (assuming we encrypt the keys).

The only case where I think this may make sense would be to encrypt the
values but NOT the keys, but then we'd need to trust the user to know that
their keys will be unencrypted. Else we could let them encrypt the keys,
but with the knowledge that their keys won't be ordered anymore.

Personally I've never used values much, so for me I would just make an
index on a key that doesn't need to be encrypted and then use include_docs:
true when I read from it.


Reply to this email directly or view it on GitHub
#10 (comment)
.

@ermouth
Copy link

ermouth commented Mar 23, 2015

cloudwall.me implements encryption of underlying Pouch docs as per-doc option. Approach I used was:

  • user has a list of encryption keys in his profile, key is a pair [keyName, keyValue] and can be shared
  • to encrypt doc user saves it with property crypto set to keyName
  • cloudwall encrypts doc as follows:
    • some properties kept untouched (like _id,_rev,_attachments, type, name, creator, stamp, crypto)
    • all other properties are stripped from the doc
    • new property CRYPTO is created, it‘s base64 SSL-encrypted json of properties stripped
    • attaches are not encrypted (performance considerations)
  • cloudwall decrypts doc on read if user has cryptokey installed.

Reason for these complex policy is rather simple – docs in db contain not only data, but some kind of metainfo over data.

So what I want to say – some meta better kept readable for views and end users.

@calvinmetcalf
Copy link
Collaborator Author

So that is roughly how crypto pouch works, the issue is that when used with
dependent dbs the doc ids leak data about the contents of documents in the
parent database

On Mon, Mar 23, 2015, 11:31 AM ermouth [email protected] wrote:

cloudwall.me implements encryption of underlying Pouch docs as per-doc
option. Approach I used was:

  • user has a list of encryption in his profile, key is a pair
    [keyName, keyValue] and can be shared
  • to encrypt doc user saves it with property crypto set to keyName
  • cloudwall encrypts doc as follows:
    • some properties kept untouched (like _id,_rev,_attachments, type,
      name, creator, stamp)
    • all other properties are stripped from the doc
    • new property CRYPTO is created, it‘s base64 SSL-encrypted json of
      properties stripped
      • cloudwall decrypts doc on read if user has cryptokey installed.

Reason for these complex policy is rather simple – docs in db contain not
only data, but some kind of metainfo over data.

So what I want to say – some meta better kept readable for views and end
users.


Reply to this email directly or view it on GitHub
#10 (comment)
.

@nolanlawson
Copy link
Member

presumably you could just call whatever transforms you want inside of your map function, no? Maybe less than ideal because it's a potential footgun, but it would definitely work.

@ermouth
Copy link

ermouth commented Mar 23, 2015

dependent dbs the doc ids leak data about the contents of documents

To avoid leak map fns by default better see ecrypted doc, not decrypted one. There can exist config param, that can allow some views to run over decrypted doc, but as for me default behavior better be compatible with CouchDB – map see data, stored in DB.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nolanlawson @calvinmetcalf @ermouth