
How to do on-the-fly decryption on nginx?


I store encrypted (AES 256) files on nginx. I open them with a GET request and pass a key as a query parameter. For example: http://www.my_secure_nginx.com/files/secret_audio.mp3?key=mysecretkey
Can you please suggest a solution for doing this on an nginx file server (maybe existing filters) while maintaining chunked responses? In other words, I need to do on-the-fly decryption of files on nginx.


Solution

  • The easiest way would be to write your own module for nginx in Lua. The lua-resty-string module already supports AES. Add some file handling and reading code and you are done. Lua modules are very quick as they work in non-blocking I/O.

    The important part to remember is handling padding: the original file size must be stored somewhere (DB, xattr, etc.) and passed to or read by nginx.

    Another non-trivial topic is eventual support of random access. Data must be AES encrypted in CTR mode for that. XTS, CBC, CFB are also fine but require a bit more development work.
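
The random-access point above, as an added example that is not part of the original answer: it uses Node.js's built-in `crypto` module rather than lua-resty-string to show how a byte range of an AES-256-CTR file can be decrypted by advancing the counter block, and that chunked decryption gives the same result as one pass. The function names, the raw 32-byte key, and the use of the full 16-byte IV as a big-endian counter are assumptions of this sketch; the sample key, IV and data are constructed.

```javascript
const crypto = require('node:crypto');

const BLOCK = 16; // AES block size in bytes

// Add `blocks` to the 16-byte big-endian counter block used as the CTR IV.
function advanceCounter(iv, blocks) {
  const out = Buffer.from(iv);
  let carry = BigInt(blocks);
  for (let i = BLOCK - 1; i >= 0 && carry > 0n; i--) {
    const sum = BigInt(out[i]) + (carry & 0xffn);
    out[i] = Number(sum & 0xffn);
    carry = (carry >> 8n) + (sum >> 8n);
  }
  return out;
}

// Decrypt plaintext bytes start..end (inclusive, as in "Range: bytes=start-end")
// without touching any ciphertext before the block that contains `start`.
function decryptRange(ciphertext, key, iv, start, end) {
  const firstBlock = Math.floor(start / BLOCK);
  const decipher = crypto.createDecipheriv(
    'aes-256-ctr', key, advanceCounter(iv, firstBlock));
  // Read from the enclosing block boundary, then drop the leading bytes.
  const aligned = ciphertext.subarray(firstBlock * BLOCK, end + 1);
  const plain = Buffer.concat([decipher.update(aligned), decipher.final()]);
  return plain.subarray(start % BLOCK);
}

// Whole-file decryption fed in arbitrary chunk sizes, as a streaming filter would.
function decryptChunked(ciphertext, key, iv, chunkSize) {
  const decipher = crypto.createDecipheriv('aes-256-ctr', key, iv);
  const parts = [];
  for (let off = 0; off < ciphertext.length; off += chunkSize) {
    parts.push(decipher.update(ciphertext.subarray(off, off + chunkSize)));
  }
  parts.push(decipher.final());
  return Buffer.concat(parts);
}

// Constructed sample data: fixed key/IV and a 100-byte "file".
const KEY = Buffer.alloc(32, 0x11);
const IV = Buffer.from('000000000000000000000000fffffffe', 'hex'); // forces a carry
const PLAIN = Buffer.from(Array.from({ length: 100 }, (_, i) => i % 251));
const enc = crypto.createCipheriv('aes-256-ctr', KEY, IV);
const CIPHER = Buffer.concat([enc.update(PLAIN), enc.final()]);

console.log(decryptRange(CIPHER, KEY, IV, 37, 80).equals(PLAIN.subarray(37, 81)));
```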