| keywords | |||||||
|---|---|---|---|---|---|---|---|
|
This repo is a monorepo containing a Rust-based cargo crate, an NPM package and sample code (frontend and canister) to make it easier for other developers to use the pre-release version of ICP VetKeys without low-level coding.
The Mini IP Manager is an application that leverages vetKeys from the Internet Computer Protocol (ICP) to securely encrypt and programmatically decrypt and share IP Docs (AKA notes). The system ensures that shared content is accessible only under specific conditions set by the creator. Here’s an overview of how it operates:
- Initialization and Login: The application checks for a stored login (current principal), which is a cryptographically self-signed access identity within the ICP. If no login is found, the user is prompted to log in using Internet Identity.
- Home Page Functionality: The app continually polls for all notes that the user has permission to read. It lists these notes and retrieves the decryption key (vetKey) necessary to access them. VetKeys are derived from the notes and the owner’s principal, adding a layer of security.
- Creating IP Documents: Users can create new notes by entering content directly on the page. Saving a note will make it available to share with other users. These documents remain editable until they are shared for the first time.
- Sharing Documents: Users can share notes with Everyone on the system, or they can share with individual app users registered in the Mini IP Manager service. They have the option to set a specific time when the note becomes accessible or allow access at any time by selecting Anytime. Shares can be removed until the recipient has accessed the document. Each interaction is recorded in the history log.
- Accessing Shared Notes: Authorized users can view the note content. Tags, the note’s creator and the history log are not encrypted.
Security. By using vetKeys derived from unique identifiers and owner principals, the system ensures that only intended recipients can decrypt and access the documents.
Flexibility. Users control when and with whom their documents are shared, with the ability to set access times and revoke shares if necessary.
Transparency. The history log provides a transparent record of all interactions related to each note, enhancing accountability.
User Experience. Continual polling for readable documents ensures users have up-to-date access to new shared content.
View this sample's code on GitHub
This is encrypted-files-dapp-vetkd the proposed vetKD feature to add sharing of files between users.
In particular, instead of creating a principal-specific AES key and syncing it across devices (using device-specific RSA keys), the notes are encrypted with an AES key that is derived (directly in the browser) from a note-ID-specific vetKey obtained from the backend canister (in encrypted form, using an ephemeral transport key), which itself obtains it from the vetKD system API. This way, there is no need for any device management in the dapp, plus sharing of notes becomes possible.
The vetKey used to encrypt and decrypt a note is note-ID-specific (and not, for example, principal-specific) to enable the sharing of notes between users. The derived AES keys are stored as non-extractable CryptoKeys in an IndexedDB in the browser for efficiency so that their respective vetKey only has to be fetched from the server once. To improve the security even further, the vetKeys' derivation information could be adapted to include a (numeric) epoch that advances each time the list of users with which the note is shared is changed.
Currently, the only way to use this dapp is via manual local deployment (see below).
Please also see the README of the original encrypted-notes-dapp for further details.
This example uses an insecure implementation of the proposed vetKD system API in a pre-compiled form via the vetkd_system_api.wasm. Do not use this in production or for sensitive data! This example is solely provided for demonstration purposes to collect feedback on the mentioned vetKD system API.
- Clone the example dapp project:
git clone https://github.com/dfinity/examples
Optional Step 0: Install mise-en-place
This is optional, but will correctly setup node and pnpm in all folders which have .mise.toml, .nvmrc or .tool-versions
curl https://mise.run | sh
mise installStep 1: Install dfx.
Please keep in mind the dfx CLI currently only runs on Linux and macOS.
pnpm installNote: see Troubleshooting in case of problems.
dfx stop
rm -rf .dfxdfx start --clean:::info
If you see an error Failed to set socket of tcp builder to 0.0.0.0:8000, make sure that the port 8000 is not occupied, e.g., by the previously run Docker command (you might want to stop the Docker daemon whatsoever for this step).
:::
Copy the .env.local.example file and call it .env.local. Make any changes you'd like, but it's assuming to be running on the local network. There is a .env.example for ic deployment with equivalent values.
Deploy/compile/generate the canisters
pnpm deploy:localYou can also run pnpm print-dfx-www to see how
to access the local canister. If you want to use
this you should update .env.local and then re-deploy
so that the signature domain and uri matches.
The default values assume local deployment using
pnpm dev i.e. address is at pnpm print-local-www
- Start the local development server, which also supports hot-reloading:
pnpm dev
- Open the URL that is printed in the console output. Usually, this is http://localhost:3000/.
:::info
If you have opened this page previously, please remove all local store data for this page from your web browser, and hard-reload the page. For example in Chrome, go to Inspect → Application → Local Storage → http://localhost:3000/ → Clear All, and then reload.
:::
If you run into issues, clearing all the application-specific IndexedDBs in the browser (which are used to store Internet Identity information and the derived non-extractable AES keys) might help fix the issue.