
Drop Zone Overview

Drop Zone is the fully encrypted cloud file storage system of HomeDock OS. It is designed with a strong emphasis on security: each user can only access their own files, which are protected by AES-256 CBC encryption with a key derived individually for each user.

How Easy Is It to Use?

Adding files to Drop Zone is incredibly simple. Just drag, drop, and wait—your files will be securely encrypted and stored automatically. There’s no need for complex configurations or manual encryption. HomeDock OS takes care of everything behind the scenes.

For example, let’s take a simple text file:

Original Content (My_Super_Secret_Story.txt):

He opened his eyes, remembered to breathe, and forgot forever.

Encrypted & Stored Content (My_Super_Secret_Story.txt):

� a&�6�v��04'�?�"J!��z80��3a��(@_]�k�䙳$YT�XFH����{��_3��ݗ-`x�vA���Fi

This ensures that no one can read your files without the correct decryption key, adding an extra layer of security to your stored data.

Benefits of Using Drop Zone

Using Drop Zone provides several advantages:

  1. Enhanced Security: With AES-256 CBC encryption and user-specific keys, your files are protected against unauthorized access.
  2. User-Friendly: The drag-and-drop interface makes it easy to upload and manage files without needing technical expertise.
  3. Scalability: Drop Zone can handle a large number of files and users, making it suitable for both personal and enterprise use.
  4. Reliability: Files are encrypted and stored securely, ensuring data integrity and availability.
  5. Compliance: Drop Zone helps meet regulatory requirements for data protection and privacy.

How It Works

The following sections give a detailed explanation of the key generation and encryption processes used in Drop Zone. The Key Generation section describes how a unique key is derived for each user from the master key and their username, so that every user's data is encrypted under an individual key. The Encryption Process section outlines the steps taken to encrypt and decrypt files, ensuring that all data is securely handled and stored.

Security & Encryption

  1. AES-256 CBC Encryption: Every file dropped in Drop Zone is encrypted using AES-256 in CBC mode with a unique IV per file, ensuring that even identical files have different encrypted representations.
  2. User-Specific Keys:
    • A master key is stored in homedock_dropzone.conf, but it is never used directly.
    • Each user has a derived key based on the master key and their username using PBKDF2-HMAC-SHA256 with 100,000 iterations and a unique salt.
    • This ensures that even if a user obtains an encrypted file from another user, they cannot decrypt it without the corresponding key. Additionally, even if a user copies another user's key into their own homedock_dropzone.conf section, decryption will fail, because the key derivation process incorporates a unique username-based salt, making each derived key different.
  3. Secure File Handling:
    • When uploading a file, it is encrypted before being stored in dropzone/{username}/.
    • When downloading, the system decrypts it before securely transmitting it to the client.
    • Files are never stored in plaintext on the filesystem.

Key Generation

Each user gets a unique key in homedock_dropzone.conf, derived from the master key and their username upon their first valid login:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

def derive_user_key(raw_key: bytes, username: str) -> bytes:
    # PBKDF2-HMAC-SHA256, 100,000 iterations, username as the salt:
    # the same master key yields a different 32-byte key for every user.
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=username.encode("utf-8"),
        iterations=100000,
        backend=default_backend(),
    )
    return kdf.derive(raw_key)

File Encryption on Upload

Before a file dropped in Drop Zone is stored, it is fully encrypted in memory (max file size: 1GB):

import os
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def encrypt_user_file(username: str, data: bytes) -> tuple:
    key = load_master_key(username)  # the user's derived key from homedock_dropzone.conf
    iv = os.urandom(16)  # fresh random IV for every file
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
    encryptor = cipher.encryptor()
    # PKCS7-pad to a multiple of the 128-bit AES block size before CBC encryption
    padder = sym_padding.PKCS7(algorithms.AES.block_size).padder()
    padded_data = padder.update(data) + padder.finalize()
    encrypted_data = encryptor.update(padded_data) + encryptor.finalize()
    return encrypted_data, iv  # the IV is stored alongside the ciphertext

File Decryption on Download

When a user requests a file, it is decrypted at runtime before being sent from the backend to the frontend:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def decrypt_user_file(username: str, encrypted_data: bytes, iv: bytes) -> bytes:
    key = load_master_key(username)  # the same derived key used at upload
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
    decryptor = cipher.decryptor()
    padded_data = decryptor.update(encrypted_data) + decryptor.finalize()
    # strip the PKCS7 padding; raises ValueError if the key or the data is wrong
    unpadder = sym_padding.PKCS7(algorithms.AES.block_size).unpadder()
    data = unpadder.update(padded_data) + unpadder.finalize()
    return data
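As an added, self-contained example (not HomeDock OS code), the derivation, encryption and decryption above run end to end with the cryptography library, deriving keys for two constructed usernames from a constructed master key in-line instead of reading homedock_dropzone.conf. It checks that the two derived keys differ, that encrypting the same file twice yields different ciphertexts, that the owner's key round-trips the file, and that the other user's key does not recover it; the master key, usernames and helper names are assumptions.

```python
import os
from cryptography.hazmat.primitives import hashes, padding as sym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

# Constructed sample master key; stands in for the value in homedock_dropzone.conf.
MASTER_KEY = b"constructed-master-key-not-a-real-secret"

def derive_user_key(raw_key: bytes, username: str) -> bytes:
    # Same parameters as Drop Zone: PBKDF2-HMAC-SHA256, 100,000 rounds, username as salt.
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=username.encode("utf-8"), iterations=100000)
    return kdf.derive(raw_key)

def encrypt_with_key(key: bytes, data: bytes) -> tuple:
    # AES-256-CBC with a fresh random IV and PKCS7 padding, as on upload.
    iv = os.urandom(16)
    padder = sym_padding.PKCS7(algorithms.AES.block_size).padder()
    padded = padder.update(data) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize(), iv

def decrypt_with_key(key: bytes, ciphertext: bytes, iv: bytes) -> bytes:
    # Reverse of encrypt_with_key; unpadding raises ValueError on bad padding.
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = sym_padding.PKCS7(algorithms.AES.block_size).unpadder()
    return unpadder.update(padded) + unpadder.finalize()

def cross_user_check(plaintext: bytes) -> dict:
    # "alice" and "bob" are constructed usernames sharing the one master key.
    alice_key = derive_user_key(MASTER_KEY, "alice")
    bob_key = derive_user_key(MASTER_KEY, "bob")
    ct1, iv1 = encrypt_with_key(alice_key, plaintext)
    ct2, _iv2 = encrypt_with_key(alice_key, plaintext)
    try:
        bob_recovers = decrypt_with_key(bob_key, ct1, iv1) == plaintext
    except ValueError:  # a wrong key almost always breaks the PKCS7 padding
        bob_recovers = False
    return {
        "keys_differ": alice_key != bob_key,
        "derivation_is_deterministic": derive_user_key(MASTER_KEY, "alice") == alice_key,
        "ciphertexts_differ": ct1 != ct2,
        "owner_roundtrip": decrypt_with_key(alice_key, ct1, iv1) == plaintext,
        "other_user_recovers": bob_recovers,
    }
```

A padding error is the usual but not guaranteed outcome of decrypting with the wrong key, because CBC mode carries no authentication tag; the check therefore compares the decrypted bytes with the plaintext rather than relying on the exception alone.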

File Management

Users can list, upload, download, and delete files through the HomeDock OS interface. They can only access their own encrypted files, and decryption only succeeds for files encrypted under the key derived from their own username, so a file can only be decrypted after logging in with the correct username and password.

import os

@login_required  # only authenticated users may list files
def list_files():
    # the per-user directory is dropzone/{username}, keyed on the logged-in identity
    user_name = current_user.id.lower()
    user_dir = os.path.join(dropzone_folder, user_name)
    ...

Enterprise-Level Security of Drop Zone

  • Per-User Encryption: Each user is assigned a unique derived key, ensuring individualized security.
  • Randomized Initialization Vectors (IVs): Guarantees that encrypted files are distinct even if the content is identical.
  • No Plaintext Storage: Files are always encrypted before being stored, eliminating any plaintext storage.
  • Plaintext Transmission: While files are not stored in plaintext, they are sent as raw data from the HomeDock OS interface. To ensure secure transmission, use HomeDock OS Cloud Instances or make sure a valid, active SSL/HTTPS certificate is in place.
  • Protection Against Offline Attacks: Decryption requires both the master key and the user-specific key, providing robust defense against unauthorized access.