# Seafile Storage Encryption Backend

Since Seafile Professional Server 5.1.3, we support storage encryption backend functionality. When enabled, all Seafile objects (commit, fs, block) are encrypted with the AES-256-CBC algorithm before they are written to the storage backend. Currently supported backends are: file system, Ceph, Swift and S3.

Note that all objects are encrypted with the same global key/iv pair. The key/iv pair has to be generated by the system admin and stored safely. If the key/iv pair is lost, none of the data can be recovered.

## Configure Storage Backend Encryption

### Generate Key and IV

Go to /seafile-server-latest and execute `./seaf-gen-key.sh -h`. It will print the following usage information:

```
usage : seaf-gen-key.sh -p 
```

By default, the key/iv pair is saved to a file named seaf-key.txt in the current directory. You can use the '-p' option to change the path.

### Configure a freshly installed Seafile Server

Add the following configuration to seafile.conf:

```
[store_crypt]
key_path = 
```

Now the encryption feature should be working.

### Migrating Existing Seafile Server

If you have existing data in the Seafile server, you have to migrate/encrypt the existing data. **You must stop Seafile server before migrating the data.**

#### Create Directories for Encrypted Data

Create new configuration and data directories for the encrypted data.

```
cd seafile-server-latest
cp -r conf conf-enc
mkdir seafile-data-enc
cp -r seafile-data/library-template seafile-data-enc
# If you use SQLite database
cp seafile-data/seafile.db seafile-data-enc/
```

#### Edit Config Files

If you configured an S3/Swift/Ceph backend, edit /conf-enc/seafile.conf. You must use a different bucket/container/pool to store the encrypted data.

Then add the following configuration to /conf-enc/seafile.conf:

```
[store_crypt]
key_path = 
```

#### Migrate the Data

Go to /seafile-server-latest and use the seaf-encrypt.sh script to migrate the data.
Run `./seaf-encrypt.sh -f ../conf-enc -e ../seafile-data-enc`:

```
Starting seaf-encrypt, please wait ...
[04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 57 block among 12 repo.
[04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 102 fs among 12 repo.
[04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all fs.
[04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 66 commit among 12 repo.
[04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all commit.
[04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all block.
seaf-encrypt run done
Done.
```

If there are error messages after executing seaf-encrypt.sh, you can fix the problem and run the script again. Objects that have already been migrated will not be copied again.

#### Clean Up

Go to , execute the following commands:

```
mv conf conf-bak
mv seafile-data seafile-data-bak
mv conf-enc conf
mv seafile-data-enc seafile-data
```

Restart Seafile Server. If everything works okay, you can remove the backup directories.
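
Because one key/iv pair protects every object, the file named by `key_path` under `[store_crypt]` is worth checking before the server is restarted. The script below is an added example, not part of Seafile or its scripts: the function names `store_crypt_key_path` and `check_store_crypt` are hypothetical, and it assumes `key_path` is written as a plain `key = value` line as shown above.

```shell
#!/bin/sh
# Added example (not Seafile code): pre-flight check of the [store_crypt] key file.

# Print the key_path value from the [store_crypt] section of a seafile.conf.
store_crypt_key_path() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[store_crypt\][ \t]*$/); next }
        in_sec && /^[ \t]*key_path[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Return 0 only if the configured key file exists, is non-empty and grants
# no access to group or others. Diagnostics go to stderr.
check_store_crypt() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    key=$(store_crypt_key_path "$conf")
    [ -n "$key" ] || { echo "no key_path under [store_crypt] in $conf" >&2; return 3; }
    [ -s "$key" ] || { echo "key file missing or empty: $key" >&2; return 4; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "key file accessible beyond its owner: $key ($perms)" >&2; return 5; }
    return 0
}

# Run against a config file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_store_crypt "$1"
fi
```

Run it against the configuration the server will actually start with, for example the `seafile.conf` inside `conf-enc` before the clean-up step.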