How to securely protect and encrypt files in ProcessWire?

[Krlos]

Hi, I have a client who wants to offer file downloads (PDF, Word, Excel, etc.) to some of their clients. However, he have emphasized that the files must be highly protected. Specifically, the files should:
    1.    Be accessible only to users with the appropriate role.(different roles for different files)
    2.    Not be directly accessible from the internet.
    3.    Remain unreadable or encrypted even if the web server is hacked.

Is there any way to achieve this with ProcessWire? I’ve only built standard websites before, and I’ve never worked on something like this. To be honest, I feel unsure about how to implement this. I would greatly appreciate any advice or recommendations. Thank you!

[dynweb]

The $config->pagefileSecure option should take care of point 1 and 2.

Not sure how you could do point 3 if there is unauthorized access to your system. You would have to encrypt the files but unencryption keys could not be stored on the server and would have to be communicated to authorized users by other means. And any authorized user who can unencrypt a file can also distribute an unencrypted version of it...

[BitPoet]

As @dynweb wrote, points one and two can be covered by the pagefileSecure option that is part of the core. Enable $config->pagefileSecure in site/config.php and uncomment the relevant entry in .htaccess so all file requests are routed through index.php.

Point three is difficult, and off the top of my head, I'm not sure if a solution exists. You'd need two different servers to physically separate the encrypted files and the corresponding decryption keys, otherwise, anybody in control of the server only needs a bit of time to locate the keys. In a perfect world, the decryption would happen on the client, so no server ever sees the unencrypted file - otherwise, it would just be a question of patience for the hacker to collect them if they hacked the file delivery server. It should be possible to build client side decryption around fetch API, transformers, webcrypto and perhaps FileSystemAccess (with polyfill for a few browsers), but together with taking care of proper key handling, PW integration of uploads and authentication and authorization across both systems, this would certainly be a complex effort.

I'm immediately thinking of SAML2 auth with group/role mapping to ensure proper authorization. Handling uploads should be possible by hooking into InputfieldFile. PW would need to create a key, hand that over to the key storage server together with a hash of the file url as key and store the encrypted file. InputfieldFile could be extended with a hook method to return a proper URL to retrieve the decryption key. Client side JS would retrieve the file and key URLS, download both and decrypt the file. transcend-io's Penumbra JS library for stream decryption looks promising at first glance.