This project implements a
- PKI -> Public Key infrastructure
- PKI-enabled file encryption and decryption system with automated directory monitoring and file sharing capabilities. The system is designed to facilitate secure file sharing, authentication, and encryption in a networked environment, using certificates issued by a Root CA and signed by an Intermediate CA.
-
PKI Framework:
- Root CA initializes the chain of trust and generates Intermediate CA credentials.
- Intermediate CA acts as the signing authority for host certificates.
-
Host Certificates:
- Hosts generate unique certificate signing requests (CSRs) and obtain signed certificates from the Intermediate CA.
- Signed certificates are installed with the Intermediate CA and Root CA certificates to complete the chain of trust.
-
File Encryption and Decryption:
- Encrypts files dynamically using public keys from a shared public key store.
- Decrypts encrypted files when accessed and re-encrypts them after closure.
-
File Sharing:
- Hosts can share files over the network using a lightweight file-sharing server.
- Includes support for file uploads and downloads within the same network.
- All files outside the
users@hostsdirectory belong to the Root CA.
-
Transfer the Root CA files to the server machine (Windows/Linux).
-
Install the required libraries:
python -m pip install -r requirements.txt
or simply:
pip install -r requirements.txt
-
Initialize the Root CA:
python AutoRootCA_PKI.py
This script generates the Root CA keys and sets up the Intermediate CA.
-
Start the Intermediate CA server:
python WIN-N55Q3T15CyEL4_server.py
- This starts a PKI server where hosts/users can connect to obtain, sign, or update their certificates.
- Host assets are located in the
users@hostsdirectory. - These files should be transferred to the user's computer for local operations.
-
Transfer the host files to the user's computer.
-
Install the required libraries:
python -m pip install -r requirements.txt
or simply:
pip install -r requirements.txt
-
Generate Certificates:
python AutoCertsGen.py
- This script generates the host's unique certificate and requests signing from the Intermediate CA.
- The Intermediate CA:
- Signs the certificate.
- Provides its own certificate and that of the Root CA.
- These certificates are installed locally, completing the chain of trust.
-
Verify Certificates:
- Once installed, the host verifies the authenticity of the Intermediate CA certificate.
-
Start the File Sharing Server:
gunicorn -c gunicorn.conf.py FileShareProServer:app
NOT RECOMMENDED but still works fine
python FileShareProServer.py
- This file is located in the
Appdirectory.
- This file is located in the
-
Configure the Server:
- Open the
.inifile and:- Set up folder-sharing options.
- Define the download location.
- Open the
-
Access the File Sharing Server:
- Members of the same network can:
- Access the server using its IP address.
- Download files directly.
- Upload files to the host.
- Members of the same network can:
-
Encrypt Files:
- Automatically encrypts files in the monitored directory.
- Uses the recipient's public key, fetched dynamically from the public key store.
-
Decrypt Files:
- Decrypts files when accessed, saving a temporary plaintext version.
- Opens the decrypted file using the system's default application.
- Re-encrypts the file after closure.
-
File Monitoring:
- Uses the
watchdoglibrary to monitor file creation and modification events.
- Uses the
- The public key store (
PUBLIC_KEY_STORE) contains public keys for all machines in the network. - Public keys are named after their respective machine identities (e.g.,
machine_name.pem).
Edit the following variables in the script as needed:
WATCHED_DIR:- Path to the monitored directory (e.g.,
/mnt/shared_folderor\\server_ip\shared_folder).
- Path to the monitored directory (e.g.,
PUBLIC_KEY_STORE:- Path to the directory containing public keys.
PRIVATE_KEY_PATH:- Path to the host's private key file.
ENCRYPTED_EXTENSION:- File extension for encrypted files (default:
.enc).
- File extension for encrypted files (default:
- Mount the shared folder:
- Unix/Linux:
sudo mount -t cifs -o username=<username>,password=<password> //<server>/<shared_folder> /mnt/shared_folder
- Windows:
net use X: \\<server>\<shared_folder> /user:<username> <password>
- Unix/Linux:
- Start monitoring:
python PKI_crypto.py monitor
- All activities are logged in
file_activity.log:- Encryption and decryption events.
- Errors and warnings.
2024-11-23 14:10:00 - INFO - Watching directory: /mnt/shared_folder
2024-11-23 14:12:01 - INFO - File encrypted: /mnt/shared_folder/document.txt.enc
2024-11-23 14:14:45 - INFO - Decrypted file saved temporarily at /tmp/document.txt
2024-11-23 14:15:12 - INFO - Temporary file /tmp/document.txt deleted securely.
2024-11-23 14:15:13 - INFO - File encrypted: /mnt/shared_folder/document.txt.enc
- Ensure the file doesn't already have the
.encextension. - Verify the public key exists in the
PUBLIC_KEY_STORE.
- Verify the chain of trust by checking the Root CA and Intermediate CA certificates.
- Ensure the Intermediate CA server is running and accessible.
- Check network connectivity and permissions.
- Ensure the shared folder is mounted properly.
-
Key Management:
- Automate updates to the public key store via an API or centralized server.
-
Access Control:
- Implement authentication for shared folder access.
- Restrict decryption based on roles.
-
File Integrity:
- Add digital signatures to verify file authenticity before decryption.
-
GUI:
- Develop a graphical interface for easier management of encryption and file sharing.
- [Wambua] – Project Lead