If you want someone to be able to upload files from their browser directly onto your computer at home, install stash once and give your friends dedicated access to share files with you. Whether your dad wants to send you the video from the family event or a colleague a huge database, stash might be the right thing. If you run stash on a server on the internet, your uploads are encrypted and only accessible with your secret PGP key. There is a short time during the upload when the file is unencrypted in memory (but not on disk!) on your server; you can avoid even that by uploading files that are already encrypted.
Where are the screenshots? Here: [[screenshots/]]
stash should be easy to use for uploaders, while providing the following attributes:
Create this hidden service in your /etc/tor/torrc file (note that a plain `sudo cat >>/etc/tor/torrc` fails, because the redirection is opened by your unprivileged shell, so `tee -a` is used instead):
#+BEGIN_SRC sh
sudo tee -a /etc/tor/torrc >/dev/null <<EOT
HiddenServiceDir /var/lib/tor/stash/
HiddenServicePort 443 127.0.0.1:23443
HiddenServicePort 80 127.0.0.1:23080
EOT
#+END_SRC
then restart tor and get the hostname:
#+BEGIN_SRC sh
sudo /etc/init.d/tor restart
sudo cat /var/lib/tor/stash/hostname
#+END_SRC
Remember this hostname and use it in all later steps.
** Get stash and dependencies
#+BEGIN_SRC sh
git clone https://github.com/stef/stash
cd stash
pip install -r requirements.txt
#+END_SRC
With the dependencies installed, we can
** Create the CAs
The commands below need the hidden service hostname (in the CRL URLs), a name for each CA and a contact e-mail address; these values are missing from the arguments as shown, so fill them in.
*** Create a Root CA
...for signing the https server certificate and the subCA.
#+BEGIN_SRC sh
./tlsauth.py CA createca http:///crl.pem " CA" email1@
#+END_SRC
*** Create a subCA
...for the client auth keys.
#+BEGIN_SRC sh
./tlsauth.py subCA createca http:///client-crl.pem " client CA" email@ CA
#+END_SRC
*** Create the https server certificate
#+BEGIN_SRC sh
./tlsauth.py CA newcsr root@ >CA/server.key
#+END_SRC
*** Sign the server cert with the Root CA
#+BEGIN_SRC sh
./tlsauth.py CA sign <CA/server.key >CA/public/server.pem
#+END_SRC
*** Remove the Root CA private key
It is important to remove the root CA private key from the server and store it in a safe offline location: anyone holding it can mount a MITM attack against every user who trusts this CA. You will need the key again in one year, when the client CA certificate has to be renewed (by default it is valid for only one year!).
#+BEGIN_SRC sh
# move the key to your offline storage; it is needed again to renew the client CA
mv root-ca/private/root.key
#+END_SRC
** Setup nginx
Adapt the path "/var/run/stash" and the hostname in stash.nginx.conf, then
#+BEGIN_SRC sh
cp stash.nginx.conf /etc/nginx/sites-available/stash
ln -s /etc/nginx/sites-available/stash /etc/nginx/sites-enabled/
/etc/init.d/nginx restart
#+END_SRC
** Create your own client certificate
This step is like setting up the admin account on other systems:
#+BEGIN_SRC sh
./tlsauth.py subCA newcsr joe joe@localhost >joe.key
./tlsauth.py subCA sign <joe.key >joe.cert
./tlsauth.py root-ca p12 joe.key <joe.cert >joe.p12
#+END_SRC
Store the files ending in .key and .cert in some safe offline storage.
** Configure stash
Edit cfg.py and set:
This should offer to import the CA root certificate into your browser automatically. The browser also asks what you want to trust this CA for: allow it to identify servers and users, but not software.
Also download and import the .p12 certificate generated in "Create your own client certificate" into your browser.
** Done
Visit:
Your friends can now request access to your stash by going to: https:///settings/register
However, this generates the certificate in your browser, and if you, like me, do not trust your browser, you might want to generate your keys and certs offline in a more controlled environment and upload your CSR here: https:///settings/request
Also, my Firefox did not store the generated key in the keystore, so I had to use a proper CSR anyway.
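As an added example (not part of stash or tlsauth.py), the following Python script checks the outcome of the CA and client-certificate steps above: it reads each certificate's notAfter date via openssl, flags the one-year client CA (and anything else) that is close to renewal or already expired, verifies that the server and client certificates chain to the root CA, and confirms that the root CA private key is no longer present on the server. The paths of the root and client CA certificates are assumptions, since the README only names CA/public/server.pem, joe.cert and root-ca/private/root.key; adjust them to whatever tlsauth.py actually writes.

```python
"""Post-setup checks for the stash PKI (added example; not part of stash/tlsauth.py)."""
import os
import re
import subprocess
from datetime import datetime, timezone

# Assumed locations; tlsauth.py's real layout may differ (only the last three
# paths appear in the README).
ROOT_CA_CERT = "CA/public/ca.pem"       # hypothetical
SUB_CA_CERT = "subCA/public/ca.pem"     # hypothetical
SERVER_CERT = "CA/public/server.pem"
CLIENT_CERT = "joe.cert"
ROOT_CA_KEY = "root-ca/private/root.key"  # must NOT exist on the server any more

WARN_DAYS = 30  # the client CA is only valid for one year; leave time to fetch the offline root key

NOTAFTER_RE = re.compile(r"^notAfter=(.+)$")
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jun 12 10:00:00 2025 GMT"


def parse_notafter(line):
    """Parse the 'notAfter=...' line printed by `openssl x509 -noout -enddate`
    into a timezone-aware UTC datetime.  Raises ValueError on anything else."""
    m = NOTAFTER_RE.match(line.strip())
    if not m:
        raise ValueError("unexpected openssl output: %r" % line)
    # openssl pads single-digit days with a space ("Jun  2"); collapse the runs
    text = " ".join(m.group(1).split())
    return datetime.strptime(text, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until not_after; negative once the certificate has expired."""
    return (not_after - now).days


def classify(days, warn_days=WARN_DAYS):
    """Turn a day count into one of: expired, renew-soon, ok."""
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "renew-soon"
    return "ok"


def root_key_present(path=ROOT_CA_KEY):
    """True if the root CA private key is still lying around on this host."""
    return os.path.exists(path)


def cert_not_after(path):
    """Ask openssl for the expiry of a PEM certificate on disk."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return parse_notafter(out)


def chain_ok(leaf, root, untrusted=None):
    """True if `leaf` verifies against `root`, optionally via an intermediate."""
    args = ["openssl", "verify", "-CAfile", root]
    if untrusted:
        args += ["-untrusted", untrusted]
    args.append(leaf)
    return subprocess.run(args, capture_output=True, text=True).returncode == 0


def report(now=None):
    """Run every check against the files on disk and return a dict of results."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for name, path in [("root CA", ROOT_CA_CERT), ("client CA", SUB_CA_CERT),
                       ("server cert", SERVER_CERT), ("admin client cert", CLIENT_CERT)]:
        days = days_remaining(cert_not_after(path), now)
        results[name] = (days, classify(days))
    # server cert is signed directly by the root; client certs go through the subCA
    results["server chain"] = chain_ok(SERVER_CERT, ROOT_CA_CERT)
    results["client chain"] = chain_ok(CLIENT_CERT, ROOT_CA_CERT, untrusted=SUB_CA_CERT)
    results["root key still on server"] = root_key_present()
    return results


if __name__ == "__main__":
    for check, result in report().items():
        print("%-28s %s" % (check, result))
```

Run it from the stash checkout after the "Create your own client certificate" step; a "renew-soon" on the client CA is the cue to fetch the root key from offline storage before it expires, and "root key still on server: True" means the "Remove the Root CA private key" step was skipped.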