Sensitive data encryption and upload for storage and sharing (less than 1 GB)
Using the SD Connect, you can simultaneously encrypt your files with multiple encryption keys. In this manner, the files can be used for several purposes: data analysis with SD Desktop, data storage or data sharing with SD Connect.
Below, we will illustrate how to generate your encryption key pair using an application called Crypt4GH and how your public encryption key (or your collaborator's public key) can then be used to encrypt files via a web browser using SD Connect.
-
Install the Crypt4GH application. CSC has developed a simple application that will allow you to generate your encryption keys and decrypt files when necessary. Download the version specific to your operating system from the GitHub repository:
You might encounter an error message when you open the application for the first time. In this case, click on More info and verify that the publisher is CSC-IT Center for Science (or Finnish CSC-Tieteen tietotekniikan keskus Oy) and then click on Run anyway.
-
Generate your encryption keys:
- Open the Crypt4GH application and click on Generate Keys (in the top right corner).
- The tool will open a new window and ask you to insert a password (Private Key Passphrase). This password will be associated with your secret key. Please, use a strong password.
- When you click on OK, the tool will generate a key pair consisting of a secret key (
username_crypt4gh.key
) and a public key (username_crypt4gh.pub
). - The keys/file names will be displayed in the Activity Log with the following message:
Key pair has been generated, your private key will be auto-loaded the next time you launch this tool: Private key: username_crypt4gh.key Public key: username_crypt4gh.pub All the fields must be filled before file encryption will be started
The keys will be generated and saved to the same folder in which the application resides.
Note
- If you lose or forget your secret key or password, you will be unable to decrypt the files.
- Do not share your secret key or your password.
- You need to create your keys only once and use them for all your encryption needs, but you can choose to generate separate keys for encryption as you wish.
-
Upload folders and files to SD Connect using the drag and drop function. You can also use the upload icon in the SD Connect browser window to select and upload files.
-
Next, you will be redirected to a new window displaying the default encryption options.
-
Select the button: Add other's receivers' public key. A new window called Receiver public keys will then appear on the left side. Here you can add multiple public encryption keys:
- Open your public key using Notepad or another text file reader. Copy the public key, paste it into the appropriate window, and click on Add receiver public key.
- Now, you will see the public key listed on the right side of the page.
- If, for example, you plan to share your data with a collaborator, you can add a second public key. Let's assume that your collaborator shared their public key with you via email. First, copy and paste the public key into the Receiver public keys window. Next, we click on Add receiver key. Now you can see two keys listed in the right window.
-
You can specify the bucket's name in which the data should be uploaded. If you don't fill in a specific term, the user interface will automatically create a bucket named with a 13-digit number based on creation time. Note that it is not possible to rename buckets.
-
Next, click on Encrypt and upload: each file will be automatically encrypted and uploaded to the specified bucket in SD Connect.
-
Once the process is completed, you can return to the SD Connect browser window. The encrypted files will be displayed in the correct bucket, in a default folder called DATA, and each encrypted file will have the extension
.c4gh
.
The files are now encrypted with three encryption keys:
-
With the default Sensitive Data services encryption key. Thus, you can access and analyze the data stored in SD Connect with the SD Desktop service (for further information, see SD Desktop user guide).
-
With your public key. This allows you to download the data stored from SD Connect to, for example, different services and decrypt them using the correspondent secrete key.
-
With your collaborator's public key. This allows sharing (or transferring) the data with your collaborator using SD Connect. Next, they will be able to download and decrypt the files in their secure computing environment using the correspondent secret key.
This workflow allows managing only one copy of the data for different purposes.
Note
With this workflow is possible to encrypt only small files (up to 1GB). If you have any questions or the instructions above need clarification (e.g. encryption of larger files), don't hesitate to contact us (subject: Sensitive Data). We also provide step-by-step support online (e.g. via Zoom).
Data sharing
SD Connect user interface provides a simple way of sharing buckets between different projects.
To share a bucket with another CSC project (and thus one of your colleagues or collaborators), you need to:
-
know in advance the project identifier you want to share a bucket with (see above the User Interface paragraph);
-
in the browser page, click on the share button next to the bucket's name;
Next:
-
In the Browser page, next to the bucket name, click the share icon
-
You will be redirected to the Share the bucket page. Here you can select:
-
only Grant read permission if you want your colleagues to be able to access the files and folder stored in the bucket, download them or access them via the SD Desktop service;
-
or Grant write permissions if you want your colleague to be able to add files and folders to the shared bucket. If you select only this option, your colleague will be only able to add files to the bucket but not be able to see its content.
-
-
Under Project Identifiers to share with, you can add the identifiers corresponding to your collaborator's CSC project. It is possible to add multiple identifiers.
-
Next, click on Share. If the operation is successful, you will be redirected to the Share from the project view, where are listed all the buckets shared with other CSC projects. From the same page, it is possible to interrupt the sharing by clicking on Revoke bucket access.
Data download and decryption
You can easily download entire buckets or single encrypted files from the SD Connect Browser page by clicking on download.
Next, you can decrypt the data using the Crypt4GH application and your secret encryption key. Unfortunately, it is currently only possible to single files. However, we are working on adding this option and integrating it with the SD Connect user interface.
-
Open the Crypt4GH application and click on load Your Private Key.
-
Click on Select File and upload the file you want to decrypt.
-
Click on Open.
-
Next, click on Decrypt File.
-
The tool will ask you to write the secret key's password. Press ok.
The secret key must match the public key used to encrypt the data. In the case of decryption, adding the public key is not mandatory, but if you have the public key of the person who has encrypted the file, you can use it to verify the encryption signature. If you don't select a public key, the activity log will display the following (the decryption will be executed anyway):
Sender public key has not been set, authenticity will not be verified.
If your decryption runs successfully, the activity log will display the following:
Decrypting.....
Decryption has finished
Decrypted file: C:/users/username/exampledirectory/examplefile
The decrypted file will no longer display the .c4gh
extension and will be saved in the same folder from which the original file was uploaded.