added (optional) encryption to message metadata and local blob storage

config/elasticinbox.yaml

@@ -96,10 +96,13 @@ blobstore_write_profile: fs-local
 # Compress objects written to the blob store (including database blobs)
 blobstore_enable_compression: true
 
-# Encrypt objects written to the blob store. Blobs stored in database are
-# never encrypted.
-blobstore_enable_encryption: false
-#blobstore_default_encryption_key: mykey1
+# Encrypt raw emails written to local machine and/or remote blob storage
+local_blobstore_enable_encryption: false
+remote_blobstore_enable_encryption: false
+# Encrypt parsed message data like body, sender, addresses written to local db
+metastore_enable_encryption: false
+
+#default_encryption_key: mykey1
 
 ### Encryption settings
 #encryption:

itests/src/test/resources/elasticinbox.yaml

@@ -82,10 +82,15 @@ blobstore_write_profile: itest
 # Compress objects written to the blob store (including database blobs)
 blobstore_enable_compression: true
 
-# Encrypt objects written to the blob store. Blobs stored in database are
-# never encrypted.
-blobstore_enable_encryption: true
-blobstore_default_encryption_key: testkey2
+
+# Encrypt raw emails written to local machine and/or remote blob storage
+local_blobstore_enable_encryption: true
+remote_blobstore_enable_encryption: true
+# Encrypt parsed message data like body, sender, addresses written to local db
+metastore_enable_encryption: true
+
+default_encryption_key: testkey2
+
 
 ### Encryption settings
 encryption:

modules/config/src/main/java/com/elasticinbox/config/Config.java

@@ -71,9 +71,14 @@ public class Config
 	public Boolean blobstore_enable_compression;
 
 	// Blob store encryption
-	public Boolean blobstore_enable_encryption = false;
-	public String blobstore_default_encryption_key = null;
+	public Boolean remote_blobstore_enable_encryption = false;
+	public Boolean local_blobstore_enable_encryption = false;
+	public String default_encryption_key = null;
 
 	// Encryption options
 	public EncryptionSettings encryption = new EncryptionSettings();
+
+	// Meta store encryption
+	// Currently uses the same key as the blob store
+	public Boolean metastore_enable_encryption = false;
 }

modules/config/src/main/java/com/elasticinbox/config/Configurator.java

@@ -138,10 +138,11 @@ static URI getStorageConfigURL() throws ConfigurationException
 				keyManager = new SymmetricKeyStorage(keystoreFile, conf.encryption.keystore_password);
 
 				// verify that default blobstore encryption key exists
-				if (!keyManager.containsKey(conf.blobstore_default_encryption_key)) {
+				if (!keyManager.containsKey(conf.default_encryption_key)) {
 					throw new ConfigurationException("Default encryption key for BlobStore '"
-							+ conf.blobstore_default_encryption_key + "' not found");
+							+ conf.default_encryption_key + "' not found");
 				}
+
 			} else {
 				// initialize empty key store
 				keyManager = new SymmetricKeyStorage();
@@ -268,20 +269,33 @@ public static Boolean isBlobStoreCompressionEnabled() {
 		return conf.blobstore_enable_compression;
 	}
 
-	public static Boolean isBlobStoreEncryptionEnabled() {
-		return conf.blobstore_enable_encryption;
+	public static Boolean isRemoteBlobStoreEncryptionEnabled() {
+		return conf.remote_blobstore_enable_encryption;
 	}
-
-	public static String getBlobStoreDefaultEncryptionKeyAlias() {
-		return conf.blobstore_default_encryption_key;
+
+	public static Boolean isLocalBlobStoreEncryptionEnabled() {
+		return conf.local_blobstore_enable_encryption;
+	}
+
+	public static String getDefaultEncryptionKeyAlias() {
+		return conf.default_encryption_key;
 	}
 
 	public static java.security.Key getEncryptionKey(String alias) {
 		return keyManager.getKey(alias);
 	}
 
-	public static java.security.Key getBlobStoreDefaultEncryptionKey() {
-		return keyManager.getKey(conf.blobstore_default_encryption_key);
+	public static java.security.Key getDefaultEncryptionKey() {
+		return keyManager.getKey(conf.default_encryption_key);
+	}
+
+	public static boolean isMetaStoreEncryptionEnabled() {
+		return conf.metastore_enable_encryption;
+	}
+
+
+	public static java.security.Key getMetaStoreDefaultEncryptionKey() {
+		return keyManager.getKey(conf.default_encryption_key);
 	}
 
 }

modules/core/pom.xml

@@ -392,7 +392,6 @@
 			<groupId>commons-codec</groupId>
 			<artifactId>commons-codec</artifactId>
 			<version>1.8</version>
-			<scope>test</scope>
 		</dependency>
 
 

modules/core/src/main/java/com/elasticinbox/core/blob/store/BlobStorage.java

@@ -32,14 +32,19 @@
 import java.io.InputStream;
 import java.net.URI;
 import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
 import java.util.UUID;
 
 import com.elasticinbox.core.blob.BlobDataSource;
 import com.elasticinbox.core.blob.BlobURI;
+import com.elasticinbox.core.encryption.EncryptionHandler;
 import com.elasticinbox.core.model.Mailbox;
 
-public interface BlobStorage
-{
+public abstract class BlobStorage {
+
+
+	protected EncryptionHandler encryptionHandler;
+
 	/**
 	 * Store blob contents, optionally compress and encrypt.
 	 * 
@@ -57,24 +62,26 @@ public interface BlobStorage
 	 * @throws IOException
 	 * @throws GeneralSecurityException
 	 */
-	public BlobURI write(final UUID messageId, final Mailbox mailbox, final String profileName, final InputStream in, final Long size)
+	public abstract BlobURI write(final UUID messageId, final Mailbox mailbox,
+			final String profileName, final InputStream in, final Long size)
 			throws IOException, GeneralSecurityException;
 
 	/**
 	 * Read blob contents and decrypt
 	 * 
-	 * @param uri Blob URI
+	 * @param uri
+	 *            Blob URI
 	 * @return
-	 * @throws IOException 
+	 * @throws IOException
 	 */
-	public BlobDataSource read(final URI uri) throws IOException;
+	public abstract BlobDataSource read(final URI uri) throws IOException;
 
 	/**
 	 * Delete blob
 	 * 
 	 * @param uri
 	 * @throws IOException
 	 */
-	public void delete(final URI uri) throws IOException;
+	public abstract void delete(final URI uri) throws IOException;
 
 }

modules/core/src/main/java/com/elasticinbox/core/blob/store/BlobStorageMediator.java

@@ -46,7 +46,8 @@
 import com.elasticinbox.core.blob.BlobURI;
 import com.elasticinbox.core.blob.compression.CompressionHandler;
 import com.elasticinbox.core.blob.compression.DeflateCompressionHandler;
-import com.elasticinbox.core.blob.encryption.EncryptionHandler;
+import com.elasticinbox.core.encryption.AESEncryptionHandler;
+import com.elasticinbox.core.encryption.EncryptionHandler;
 import com.elasticinbox.core.model.Mailbox;
 import com.google.common.io.ByteStreams;
 import com.google.common.io.FileBackedOutputStream;
@@ -57,10 +58,14 @@
  * 
  * @author Rustam Aliyev
  */
-public final class BlobStorageMediator implements BlobStorage
-{
-	private static final Logger logger = 
-			LoggerFactory.getLogger(BlobStorageMediator.class);
+public final class BlobStorageMediator extends BlobStorage {
+	private static final Logger logger = LoggerFactory
+			.getLogger(BlobStorageMediator.class);
+
+	protected static byte[] getCipherIVFromBlobName(final String blobName)
+			throws IOException {
+		return null;
+	}
 
 	protected final CompressionHandler compressionHandler;
 
@@ -76,11 +81,22 @@ public final class BlobStorageMediator implements BlobStorage
 	 * @param eh
 	 *            Injected encryption handler
 	 */
+
 	public BlobStorageMediator(final CompressionHandler ch, final EncryptionHandler eh)
 	{
 		this.compressionHandler = ch;
-		cloudBlobStorage = new CloudBlobStorage(eh);
-		dbBlobStorage = new CassandraBlobStorage();
+
+		if (Configurator.isRemoteBlobStoreEncryptionEnabled()) {
+			cloudBlobStorage = new CloudBlobStorage(eh);
+		} else {
+			cloudBlobStorage = new CloudBlobStorage(null);
+		}
+
+		if (Configurator.isLocalBlobStoreEncryptionEnabled()) {
+			dbBlobStorage = new CassandraBlobStorage(eh);
+		} else {
+			dbBlobStorage = new CassandraBlobStorage(null);
+		}
 	}
 
 	public BlobURI write(final UUID messageId, final Mailbox mailbox, final String profileName,