Researchers need a way to share sensitive data with each other securely. There are many tools and services available, but they often fall short when it comes to the combination of security and usability. For example, most cloud storage services are unsuitable for sensitive data, such as interviews with children or datasets containing information about ethnicity and religion.
One way to address this issue is to encrypt the data before storing it. However, this can be complex and difficult for non-technical users, even with specialized software solutions available, because those often not user-friendly and require users to install additional software on their devices.
Research Vault
The Research Vault pilot offers an end user friendly interface with WebDAV, easy to use interface for sharing with collaborators with SRAM and encrypted storage with the keys safely in a vault.
End users can mount the encrypted folder with a client that supports the WebDAV protocol. MacOS (Finder) and Windows (Explorer) support this by default, meaning that a share can be added as a regular network drive. Users enter their SRAM username and a token generated by SRAM as a password into their client. The client will then use the SRAM API to authenticate the user, fetch the keys from Vault and encrypt or decrypt the data. This makes the solution very user-friendly, as users do not need to know anything about encryption or key management.
In addition to SRAM, a service is needed to encrypt and decrypt data using those keys stored in Vault before it's stored at a cloud storage provider like SURF Research Drive (RD). Rclone is used, and works by creating an encrypted mount point on top of a configured connection with an external cloud storage provider. Data put into this mount point is encrypted by Rclone but stored in the cloud storage provider. The cloud storage provider can't decrypt the data because the keys are stored in the vault.
By using a combination of secure key management, external encryption services, and authentication services, we can mitigate the security risks associated with storing encryption keys centrally.
End user experience
- Log in to SRAM
- Open your profile to find your SRAM username
- Create a 'service token' which will be the password for the indicated period
- Open the connected service for the WebDAV link(s)
- Mount Research Vault on your computer with WebDAV
Join the pilot!
To move forward, we would like to hear from you (our institutions) and about your experience with this solution. Can it be used by non-technical users? Does it really provide added value, better security? Would this indeed mean SURF Research Drive could be used for highly sensitive data? What features would you like to see added next?
Contact us at sram-support@surf.nl if you're interested in joing the pilot.
Installation
For the pilot, a Research Cloud catalog item is available. However, installation requires some technical skill.
Requirements
- SURF Research Cloud
- SURF Research Access Management
- Storage supported by Rclone. For the pilot SURF Research Drive is recommended.
URL for end users
The URL that end users will mount WebDAV from is of the form
https://researchvault.pilotname.src.surf-hosted.nl/webdav/researchdrive/ where
researchvaultis a free to choose hostname in Research Cloudpilotnameis generated by Research Cloud from the name of the collaboration in Research Access Managementsrc.surf-hosted.nl/webdavis fixedresearchdriveis a free to choose name in the Rclone configuration
It's recommended to pick values that help end users trust the URL.
1. Create a service in Research Access Management
In Research Access Management, register a service.
- There is no Login URL for users, leave this empty
- As web based protocol pick OpenID Connect
- As OpenID Connect redirect URLs enter
https://researchvault.pilotname.src.surf-hosted.nl/oidc/auth, withresearchvaultandpilotnameyour chosen values - Wait for the service to be approved by SURF; you will be notified by email
- You will recieve an OIDC client secret, that you will need later when creating the workspace
- In the newly created service
- create the groups
userandadminand - enable user token introspection. Later on you will create a token when creating the workspace.
- create the groups
2. Create a collaboration in Research Access Management
In Research Access Management, create (or request) a collaboration with your organisation.
- The first 15 alfanumerical characters of the name will determine the
pilotnamepart of the URL - Connect your created service to the collaboration
- Note the collaboration Identifier at the edit screen for use in the next step
3. Connect a Research Cloud wallet to the collaboration
- Create a ticket with SURF Research Cloud asking to make it available for you collaboration,
Create a workspace in Research Cloud
In Research Cloud, create a workspace.
- Select the collaboration with the assigned wallet
- Select the catalog item 'Research Vault'
- At expiration date, pick a day after the pilot end date
- At hostname, enter the chosen hostname
- At admin, enter the short name for the created admin group in Research Access Management
- At user, enter the short name for the created users group in Research Access Management
- At OIDC client ID, enter the entity ID of the service in Research Access Management
- At OIDC client secret, enter the secret you recieved on approval of the service
- For the user introspection token, create one at the user introspection token section at your service in Research Access Management enter it here
- Create the workspace and wait for it to be ready
Configuring the WebDAV mount
- Configure Research Drive for WebDAV
- Obscure the generated password for Rclone, for example
my_passwordbecomes:~ rclone obscure my_password Tz0Il6at9GRmKD6-N1Xy89kNV4O9A_I7I9wc
This requires Rclone to be installed on the local system.
- Create the Rclone config file, with
researchdrivepart of the URL for end users,userthe chosen username in Research Drive, andpassthe obscured password[researchdrive] url = https://researchdrive.surfsara.nl/remote.php/nonshib-webdav/ vendor = owncloud user = <research_drive_user> pass = <obscured_password>
- Access the newly created workspace (the URL will be like https://researchvault.pilotname.src.surf-hosted.nl/ ) and go to the API (
/admin/api/doc/) - At
config/importuse the 'try out' button and upload the created config file ('browse' button), then the 'execute' button
- At the main page, the WebDAV links should appear:
End users can now mount de Research Vault if they are a member of the collaboration and its user group.
Backup of the encryption key
Data in the Research Vault is encrypted. When the encryption key is lost, the data is lost. SURF cannot recover the data. It is therefore recommended to backup the encryption key in a secure place.
- Access the workspace (the URL will be like https://researchvault.pilotname.src.surf-hosted.nl/ ) and go to the API (
/admin/api/doc/) - At
GET config/recoveruse the 'try out' button and then the 'execute' button - From the response body, copy the encrypted recovery data, including the double quotes
- At
PUT config/recoveruse the 'try out' button, paste the copied encrypted recovery data and use the 'execute' button - Download the recovery config file
- Check if the contents are similar and store the file in a secure place
