v1.8.0 adds SSH typescript recording (#159). For encryption at rest, you can already point typescript_path at the LUKS-encrypted drive volume rustguac manages (see docs). rustguac opens/mounts that volume at startup (key from Vault) and unmounts it at shutdown, so typescripts are encrypted on the block device at rest (powered off, disk theft, block-device backups) with no extra infrastructure.
This issue is to gauge demand for per-file encryption on top of that - each connection's typescripts encrypted with a per-entry key (stored in Vault alongside the connection), giving:
- protection against a live host / nosy-admin scenario (LUKS leaves files plain text while the volume is mounted), and
- per-connection key isolation (one leaked key exposes one connection's logs, not the whole volume).
Known tradeoffs (please weigh in)
- Grep: encryption breaks in-place grep. The workflow becomes decrypt-then-grep (supply the key, stream to stdout, pipe to grep).
- Plaintext window: guacd writes the typescript as plain text during the live session; rustguac could only encrypt at session end. So there is an unavoidable plaintext window for the session's duration unless we patch guacd or stream through a pipe (fragile). The LUKS approach does cover this window; per-file encryption alone would not.
Options to vote on
👍 this issue if you want per-file encryption, and comment with your preferred option and your threat model:
- A. AES-256-GCM, decrypt via a new
rustguac decrypt-typescript subcommand. Authenticated (tamper-evident), self-contained, stays in the RustCrypto crates we already use.
- B.
age format (age-encryption.org): a simple, modern file-encryption tool and format. Decrypt with the standard age CLI (age -d ... | grep), no rustguac needed to read logs. Authenticated. Adds the age crate as a dependency.
- C. openssl-enc compatible, decrypt with the ubiquitous
openssl enc -d -aes-256-cbc -pbkdf2. No new dependency, but not authenticated (no tamper detection), which is a weak property for audit logs.
- D. The LUKS volume is sufficient - don't build per-file encryption.
We'll build it if there's demand beyond the LUKS approach. Leaving this open for feedback.
v1.8.0 adds SSH typescript recording (#159). For encryption at rest, you can already point
typescript_pathat the LUKS-encrypted drive volume rustguac manages (see docs). rustguac opens/mounts that volume at startup (key from Vault) and unmounts it at shutdown, so typescripts are encrypted on the block device at rest (powered off, disk theft, block-device backups) with no extra infrastructure.This issue is to gauge demand for per-file encryption on top of that - each connection's typescripts encrypted with a per-entry key (stored in Vault alongside the connection), giving:
Known tradeoffs (please weigh in)
Options to vote on
👍 this issue if you want per-file encryption, and comment with your preferred option and your threat model:
rustguac decrypt-typescriptsubcommand. Authenticated (tamper-evident), self-contained, stays in the RustCrypto crates we already use.ageformat (age-encryption.org): a simple, modern file-encryption tool and format. Decrypt with the standardageCLI (age -d ... | grep), no rustguac needed to read logs. Authenticated. Adds theagecrate as a dependency.openssl enc -d -aes-256-cbc -pbkdf2. No new dependency, but not authenticated (no tamper detection), which is a weak property for audit logs.We'll build it if there's demand beyond the LUKS approach. Leaving this open for feedback.