decrypting AES files in an apache module?

Tom H asked:

I have a client with a security policy compliance requirement to encrypt certain files on disk. The obvious way to do this is with Device-mapper and an AES crypto module However the current system that is already in place is setup to generate individual files that are encrypted.

Basically they have an apache server using SSL and basic/digest style authentication, and they need to decrypt encrypted files from AES on disk, before re-encrypting them with an SSL. (obviously I can use mod_php, mod_perl, however the idea was to keep static files only on this box)

Do I have any options for decrypting files on-the-fly in apache?

I see that mod_ssl and mod_session_crypto do encryption/decryption or something similar but not exactly what I am after as they are encryption on-the-wire and I am looking for encryption on-disk.

I could imagine that a PerlSetOutputFilter would work with a suitable Perl script configured, and I also see mod_ext_filter so I could just fork a unix command and decrypt the file, but they both feel like a hack.

I am kind of surprised that there is no mod_crypto available…or am I missing something obvious here?

Presumably resource-wise the perl filter is the way to go?

My answer:

Don’t roll your own crypto. Just don’t. You can never be sure it’s secure, and the first you will hear of it being broken is when Anonymous posts your company secrets on Pastebin.

Use the tools that already exist (e.g. dm-crypt/LUKS for Linux systems, or BitLocker for Windows systems). They are well understood, and any reasonable security auditor will know what they are and that they work.

If the security auditor insists on this less-than-ideal setup, fire them for incompetence.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.