goldeneye

2022-03-24

Sharing secrets safely with goldeneye

The goldeneye package is designed to allow data to safely be shared between R users over potentially insecure channels. It can also be used to secure data for local storage to ensure that potentially sensitive data can not be accessed by others even if your hard drive is lost or stolen. The R package is designed to be as simple to use as possible in order to facilitate routine use and also in order to reduce the technical barrier for novice R users.

R package installation

To get started, you first need to download and install the goldeneye package. At some point in the future we intend to submit to CRAN, but for now you can install the package from our drat repository using the following code:

install.packages('goldeneye', repos=c('https://cran.rstudio.com/',
                                      'https://ku-awdc.github.io/drat/'))

Once the package is installed it then needs to be loaded:

library("goldeneye")
#> Loading required package: tidyverse
#> ── Attaching packages ─────────────────────────────────────── tidyverse 1.3.1 ──
#> ✓ ggplot2 3.3.5     ✓ purrr   0.3.4
#> ✓ tibble  3.1.6     ✓ dplyr   1.0.7
#> ✓ tidyr   1.1.4     ✓ stringr 1.4.0
#> ✓ readr   2.1.1     ✓ forcats 0.5.1
#> ── Conflicts ────────────────────────────────────────── tidyverse_conflicts() ──
#> x dplyr::filter() masks stats::filter()
#> x dplyr::lag()    masks stats::lag()
#> Attaching goldeneye version 0.5.1-1

Setup

In order to use the package you first need to set up a goldeneye profile. To do that, run the following function:

gy_setup()

You will be asked to enter your name, an email address, and a password that will be used to secure your personal goldeneye profile. The password is stored in the secure registry on your computer, so you do not need to enter it every time you restart R, but you will need to re-enter your password if you change computers - so use a password that you will remember, or better still use a password manager!

Once setup is complete, a goldeneye profile is created and saved as a .gyp file. This file contains the following information:

Remember to keep your .gyp file safe! If you lose it then you will have to set up a new file with new keys, and you will not be able to decrypt any of your existing encrypted datasets. If you move to a new computer, then just copy/transfer the .gyp file over to your new computer. The .gyp file contains your private keys so should be considered as moderately sensitive i.e. do not place this file online or on shared network drives. However, even if an attacker was able to get your .gyp file, they would still need to guess your password in order to be able to use it.

Sending encrypted files

At this point you are able to encrypt data and send it to an existing goldeneye user that has made their public key available to you. They can either do this by sending you their public key file by email, or by hosting it online and sending you the link so that you (and others) can download it whenever you need it. For example, you can encrypt a file to send to Matt Denwood as follows:

secret <- "Some super secret data (this could be a data frame, a list, or any other R object)"
gy_save(secret, users="https://www.costmodds.org/people/matt/goldeneye_public.gyu",
        file="secret.rdg")

This creates a file “secret.rdg” in your current working directory that only you and Matt Denwood can decrypt using your respective private keys, using the following code:

(gy_load("secret.rdg"))
#> [1] "secret"
secret
#> [1] "Some super secret data (this could be a data frame, a list, or any other R object)"

Alternatively, the user argument can be a vector of multiple public keys so that other people can also decrypt the same file. If you want to exclude yourself from the list of authorised users then set the local_user=FALSE argument to gy_save().

Receiving encrypted files

If you want to allow other people to send you encrypted data, then you must first make your public key available. This can be extracted using the following function:

gy_public_file()
#> The following file contains your public keys:
#>     'goldeneye_public.gyu'
#> NOTE: this file is safe to place online or to send over email to your collaborators

The file produced by this function does not contain your private keys so is safe to either send by email to your collaborators, or place online for general use by anyone. Other people can then encrypt data for your use by either specifying the path to a local copy of your public file or the URL of the online location.

User groups

While you can use the method above to share data, there are some practical considerations and potential security vulnerabilities associated:

  1. The person to whom you want to send data must either send their public key to you or put it online before you can use it.

  2. Encrypting data for multiple users requires downloading a public key for each user.

  3. It is possible for an online key hosted on an insecure website to be changed without your knowledge so that a potential attacker injects their public key that you mistakenly use

  4. The person receiving the data has no way of verifying that it really was you that encrypted the data i.e. it may be replaced in transit.

For these reasons, we recommend that you use a specific user group for sending files regularly to/from the same people. For most users, this will mean joining an existing group set up by someone else. As a demonstration, we have created a group for the 2022 SVEPM conference called “demo22” and invite anybody that is interested to join the group to evaluate how the software can be used. To join the group run the following code:

gy_join_group("https://www.costmodds.org/rsc/goldeneye/demo22.gyg#oHrjws1utM#md")
#> Your profile file has been updated to add you to group 'demo22'
#> Please email the file 'gy_demo22_test_public.gyu' to:  ***+demo22@gmail.com
#> NOTE: in sending this file, you consent to your name and email address (as given above)
#> being stored and made available in encrypted form via:
#> https://www.costmodds.org/rsc/goldeneye/demo22.gyg
#> Your group has been set to 'demo22'

This function will do 3 things:

At this point you can now see the users that are also in this group:

gy_users()
#> # A tibble: 1 × 4
#>   user  name         email    member_since
#>   <chr> <chr>        <chr>    <date>      
#> 1 md    Matt Denwood **@**.** 2022-03-23

Your name will not immediately show in the list because the group administrator must first add you to the group at their end. For the demo22 group this is done semi-automatically, so should happen within 24 hours or so.

Once you have joined a group you can then use other peoples’ username(s) as a shorthand for their public key:

secret <- "don't tell anyone"
gy_save(secret, users=c("md"), file="secret_for_md.rdg")

Note that you can do this as soon as you have joined the group, i.e. even before your name shows in the user group list. However, other people will not be able to verify that it really was you that encrypted the data until the group is updated, so in the meantime they will get a note that your identity could not be confirmed.

Long-term usage

This guide and setup link is freely available online, so in theory anybody can join the demo22 group: you should therefore be extremely careful to select the correct user name before sending sensitive data! For security reasons we will stop hosting this demo22 group at the end of 2022, but any datasets you create will continue to be decryptable indefinitely by the user(s) you have specified, and you may set up and/or join new groups at any point using the same profile that you created above.

If you are interested in setting up your own user group for long-term usage then please feel free to contact the package maintainer.

Future development

This R package is under active development, so please check back here periodically for updates and new features! If you are interested in contributing the code base then check out the GitHub repository:

https://github.com/ku-awdc/goldeneye