Seafile Storage Encryption Backend
Seafile Professional Server 5.1.3 and later support a storage encryption backend. When it is enabled, every Seafile object (commit, fs and block) is encrypted with AES-256-CBC before it is written to the storage backend. Currently supported backends are: file system, Ceph, Swift and S3.
Note that all objects are encrypted with the same global key/IV pair. The pair must be generated by the system admin and stored safely: if it is lost, none of the data can be recovered. Because the IV is never varied, two objects whose plaintext begins with the same bytes produce ciphertext with the same leading blocks, so whoever can read the storage backend can tell that such objects share a prefix; the scheme hides object contents, not their relationships. Keep the key file off the storage backend itself (on the server's local disk, with a separate backup), and make it readable only by the user that runs Seafile Server.
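The following shell script is an added example, not code from Seafile: it models the scheme described above (one global AES-256-CBC key/IV pair applied to every object) with the openssl command-line tool, so you can see both the guarantee and the caveat. It assumes openssl is installed; the key and IV values are constructed test data, and nothing here reads or reproduces the format of seaf-key.txt.

```shell
#!/bin/sh
# Added example (not Seafile's code). Constructed 256-bit key and 128-bit IV,
# standing in for the global pair Seafile uses for every object.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=0f0e0d0c0b0a09080706050403020100

# encrypt_obj <plaintext> <ciphertext>: AES-256-CBC with the fixed pair,
# no salt, PKCS#7 padding (openssl's default).
encrypt_obj() {
    openssl enc -aes-256-cbc -nosalt -K "$KEY" -iv "$IV" -in "$1" -out "$2"
}

# decrypt_obj <hexkey> <ciphertext> <plaintext>: decrypt with a given key.
decrypt_obj() {
    openssl enc -d -aes-256-cbc -nosalt -K "$1" -iv "$IV" -in "$2" -out "$3" 2>/dev/null
}

# hex_prefix <file> <nbytes>: the first n bytes of a file as lowercase hex.
hex_prefix() {
    head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# With the correct key the object round-trips byte for byte.
roundtrip_ok() {
    d=$(mktemp -d)
    printf 'fs object payload' > "$d/f"
    encrypt_obj "$d/f" "$d/f.enc"
    decrypt_obj "$KEY" "$d/f.enc" "$d/f.dec"
    cmp -s "$d/f" "$d/f.dec"; rc=$?
    rm -rf "$d"; return $rc
}

# Why a lost key means lost data: any other key yields a padding error or
# garbage, never the original object.
wrong_key_fails() {
    d=$(mktemp -d)
    printf 'commit object payload' > "$d/c"
    encrypt_obj "$d/c" "$d/c.enc"
    WRONG=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    if decrypt_obj "$WRONG" "$d/c.enc" "$d/c.dec" && cmp -s "$d/c" "$d/c.dec"; then
        rm -rf "$d"; return 1
    fi
    rm -rf "$d"; return 0
}

# The caveat of a never-changing IV in CBC: two objects that share their
# first 16-byte block get identical first ciphertext blocks (C1 = E(P1 xor IV)
# is the same for both), while the blocks after the first difference diverge.
# Returns 0 when the first blocks match and the second blocks do not.
shared_prefix_leaks() {
    d=$(mktemp -d)
    printf 'SEAFILE-HEADER-1 object body A' > "$d/a"   # 16-byte shared prefix
    printf 'SEAFILE-HEADER-1 object body B' > "$d/b"
    encrypt_obj "$d/a" "$d/a.enc"
    encrypt_obj "$d/b" "$d/b.enc"
    first_a=$(hex_prefix "$d/a.enc" 16); first_b=$(hex_prefix "$d/b.enc" 16)
    both_a=$(hex_prefix "$d/a.enc" 32);  both_b=$(hex_prefix "$d/b.enc" 32)
    rm -rf "$d"
    [ "$first_a" = "$first_b" ] && [ "$both_a" != "$both_b" ]
}
```

Run the three functions in a shell to see the behaviour: roundtrip_ok and wrong_key_fails show what the page promises, and shared_prefix_leaks is the property to keep in mind when deciding who is allowed to read the raw storage backend.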
Configure Storage Backend Encryption
Generate Key and IV
Go to the directory that contains seaf-gen-key.sh and run ./seaf-gen-key.sh -h; it prints the following usage information:
usage :
seaf-gen-key.sh
-p <file path to write key iv, default ./seaf-key.txt>
By default the key/IV pair is saved to a file named seaf-key.txt in the current directory. Use the -p option to write it elsewhere.
Configure a freshly installed Seafile Server
Add the following configuration to seafile.conf:
[store_crypt]
key_path = <the key file path generated in previous section>
Start Seafile Server; from now on every object is encrypted before it reaches the storage backend.
Migrating an Existing Seafile Server
If the server already holds data, you have to migrate (encrypt) the existing data. Stop Seafile Server before migrating; the migration reads the old directories and writes encrypted copies into new ones.
Create Directories for Encrypted Data
Create new configuration and data directories for the encrypted data.
cd seafile-server-latest
cp -r conf conf-enc
mkdir seafile-data-enc
cp -r seafile-data/library-template seafile-data-enc
# If you use SQLite database
cp seafile-data/seafile.db seafile-data-enc/
Edit Config Files
If you configured S3/Swift/Ceph backend, edit
Then add the following configuration to
[store_crypt]
key_path = <the key file path generated in previous section>
Migrate the Data
Go to the directory that contains seaf-encrypt.sh and run ./seaf-encrypt.sh -f ../conf-enc -e ../seafile-data-enc (-f names the new config directory, -e the new data directory). The output looks like this:
Starting seaf-encrypt, please wait ...
[04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 57 block among 12 repo.
[04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 102 fs among 12 repo.
[04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all fs.
[04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 66 commit among 12 repo.
[04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all commit.
[04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all block.
seaf-encrypt run done
Done.
If seaf-encrypt.sh reports errors, fix the problem and run the script again. Objects that have already been migrated are not copied again.
Clean Up
Go to the directory that contains conf and seafile-data and swap in the encrypted copies:
mv conf conf-bak
mv seafile-data seafile-data-bak
mv conf-enc conf
mv seafile-data-enc seafile-data
Restart Seafile Server. Keep the backup directories until you have verified that existing libraries can be read and new files can be uploaded; then you can remove them.
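Before starting the server after either the fresh configuration or the migration above, it is worth checking the [store_crypt] setup mechanically. The script below is an added example, not part of Seafile: it extracts key_path from the [store_crypt] section of a seafile.conf and verifies that the key file exists, is readable only by its owner, and does not live inside the data directory whose objects it protects (a key stored next to the ciphertext on the same backend defeats the purpose of encrypting). The conf and data paths are whatever the caller passes in; a relative key_path is resolved against the current directory, which is an assumption of this example rather than documented Seafile behaviour.

```shell
#!/bin/sh
# Added example (not Seafile's code): pre-flight check for [store_crypt].

# store_crypt_key_path <seafile.conf>: print key_path from the [store_crypt]
# section only, ignoring a key_path that may appear under another section.
store_crypt_key_path() {
    sed -n '/^\[store_crypt\]/,/^\[/p' "$1" \
        | sed -n 's/^[[:space:]]*key_path[[:space:]]*=[[:space:]]*//p' \
        | head -n 1
}

# key_file_mode <file>: octal permission bits, e.g. 600 (GNU stat, BSD fallback).
key_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_store_crypt <conf-dir> <seafile-data-dir>: returns 0 when the
# configuration is usable and the key is stored safely, 1 with a reason on
# stderr otherwise.
check_store_crypt() {
    conf="$1/seafile.conf"; data="$2"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    key=$(store_crypt_key_path "$conf")
    [ -n "$key" ] || { echo "no key_path in [store_crypt] of $conf" >&2; return 1; }
    [ -f "$key" ] || { echo "key file $key missing: without it the data is unrecoverable" >&2; return 1; }
    mode=$(key_file_mode "$key")
    case "$mode" in
        400|600) ;;
        *) echo "key file $key has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
    # Resolve both directories to physical paths and refuse a key inside the data tree.
    keydir=$(cd "$(dirname "$key")" && pwd -P)
    datadir=$(cd "$data" && pwd -P)
    case "$keydir/" in
        "$datadir"/*) echo "key file is inside $data; keep it off the encrypted storage" >&2; return 1 ;;
    esac
    return 0
}
```

Usage: check_store_crypt conf seafile-data for a fresh install, or check_store_crypt conf-enc seafile-data-enc before the seaf-encrypt.sh run; a non-zero exit means stop and fix the finding before starting the server.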