Skip to content

Feature Request: Per-file encryption of SSH typescript recordings #163

Description

@davekempe

v1.8.0 adds SSH typescript recording (#159). For encryption at rest, you can already point typescript_path at the LUKS-encrypted drive volume rustguac manages (see docs). rustguac opens/mounts that volume at startup (key from Vault) and unmounts it at shutdown, so typescripts are encrypted on the block device at rest (powered off, disk theft, block-device backups) with no extra infrastructure.

This issue is to gauge demand for per-file encryption on top of that - each connection's typescripts encrypted with a per-entry key (stored in Vault alongside the connection), giving:

  • protection against a live host / nosy-admin scenario (LUKS leaves files plain text while the volume is mounted), and
  • per-connection key isolation (one leaked key exposes one connection's logs, not the whole volume).

Known tradeoffs (please weigh in)

  • Grep: encryption breaks in-place grep. The workflow becomes decrypt-then-grep (supply the key, stream to stdout, pipe to grep).
  • Plaintext window: guacd writes the typescript as plain text during the live session; rustguac could only encrypt at session end. So there is an unavoidable plaintext window for the session's duration unless we patch guacd or stream through a pipe (fragile). The LUKS approach does cover this window; per-file encryption alone would not.

Options to vote on

👍 this issue if you want per-file encryption, and comment with your preferred option and your threat model:

  • A. AES-256-GCM, decrypt via a new rustguac decrypt-typescript subcommand. Authenticated (tamper-evident), self-contained, stays in the RustCrypto crates we already use.
  • B. age format (age-encryption.org): a simple, modern file-encryption tool and format. Decrypt with the standard age CLI (age -d ... | grep), no rustguac needed to read logs. Authenticated. Adds the age crate as a dependency.
  • C. openssl-enc compatible, decrypt with the ubiquitous openssl enc -d -aes-256-cbc -pbkdf2. No new dependency, but not authenticated (no tamper detection), which is a weak property for audit logs.
  • D. The LUKS volume is sufficient - don't build per-file encryption.

We'll build it if there's demand beyond the LUKS approach. Leaving this open for feedback.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions