Vault v1.0

What is Vault?

Vault is a minimalistic, self-hosting focused remote file storage solution. Its intended purpose is for client-side applications to interface with it, gather the file(s) the application needs, and then do all other processing client-side, before optionally sending the file back to vault.

This allows for vault to provide a fully user-controlled experience, with vault acting as simply a remote filesystem.

The source code for vault is located here.

Building

Vault expects the following:

Optionally, you can also modify this page to function as a more fitting index.html for your vault server. ^w^

If all of those are provided, you can simply: make && sudo make install-lighttpd. After building and installing, all you need to do is sudo tools/generate for each separate user you would expect, and send the generated keys to the appropriate places.

Security

While I believe vault to be at least moderately secure, it is still unaudited code, and better yet, unaudited code that interacts with the local filesystem for saving and retrieving files. While vault takes precautions by validating both keys and file names received from the client, I make no guarantees as to the safety or robustness of the validation method.

As for authorization security, vault should be secure as long as your client key is properly secured and is not leaked. There is no secondary form of authorization, however, so it is critical that your client key is secured properly. Best practice for better authorization security is to use separate keys for separate applications and to encrypt your key locally whenever it is not in use.

If you have identified a security issue, and wish to report it, please email me here.

Using

After a vault instance is configured and the appropriate client keys have been generated (see Building), usage of vault is extraordinarily simple:

Saving a File


Route: POST /cgi-bin/save

Expected Headers:
Authorization: [CLIENT_KEY]
X-File-Name: [NAME_OF_FILE]

Body: [FILE_CONTENTS]

Success Response: 200
Failure Response: 401, 404, 405, or 500

If success, the HTTP body will be empty.

NOTE: In order to delete a file, you can simply save to a file with a Content-Length: 0 header specified.

Retrieving a File


Route: GET /cgi-bin/retrieve

Expected Headers:
Authorization: [CLIENT_KEY]
X-File-Name: [NAME_OF_FILE]

Success Response: 200
Failure Response: 401, 404, 405, or 500

If success, the HTTP body will contain the file contents.

Receiving a File List


Route: GET /cgi-bin/list

Expected Headers:
Authorization: [CLIENT_KEY]

Success Response: 200
Failure Response: 401, 404, 405, or 500

If success, the HTTP body will contain a comma separated list of filenames.
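The three routes above, plus delete-by-empty-save, as an added Python example; this is not the project's reference client. The https-only check, the client-side name check, the UTF-8 list decoding, and the host and key values are assumptions of this example rather than documented vault behaviour.

```python
import urllib.request

def check_name(name):
    # Client-side assumption (not vault's own validation): refuse names that are
    # empty, contain control characters, or contain a comma, since the list
    # route returns names comma-separated and such a name cannot be parsed back.
    if not name or "," in name or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError(f"unsafe file name: {name!r}")
    return name

def build_request(base_url, key, route, method, name=None, body=None):
    # Assumption: require TLS, because the client key is the only credential
    # and is sent in the Authorization header of every request.
    if not base_url.startswith("https://"):
        raise ValueError("base URL must use https://")
    headers = {"Authorization": key}
    if name is not None:
        headers["X-File-Name"] = check_name(name)
    if body is not None:
        headers["Content-Length"] = str(len(body))
    url = base_url.rstrip("/") + "/cgi-bin/" + route
    return urllib.request.Request(url, data=body, headers=headers, method=method)

def save(base_url, key, name, contents):
    return build_request(base_url, key, "save", "POST", name, contents)

def delete(base_url, key, name):
    # Deleting is a save with an empty body, i.e. Content-Length: 0.
    return build_request(base_url, key, "save", "POST", name, b"")

def retrieve(base_url, key, name):
    return build_request(base_url, key, "retrieve", "GET", name)

def list_files(base_url, key):
    return build_request(base_url, key, "list", "GET")

def parse_list(body):
    # Assumption: names are UTF-8 and the body may end with a newline.
    return [n for n in body.decode("utf-8").strip().split(",") if n]

def send(req, timeout=10):
    # urlopen raises urllib.error.HTTPError for 401, 404, 405 and 500.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

if __name__ == "__main__":
    base, key = "https://vault.example", "CONSTRUCTED-KEY"  # constructed values
    for r in (save(base, key, "notes.txt", b"hi"), delete(base, key, "notes.txt"),
              retrieve(base, key, "notes.txt"), list_files(base, key)):
        print(r.get_method(), r.full_url, r.get_header("Content-length"))
```

In real use, load the key from an encrypted store or the environment instead of a literal, and pass each built request to send().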

Reference Implementation


A very simple, CLI reference client written in Python 3 can be found here.

License

BSD 2-Clause License

Copyright (c) 2021, A'yhense
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.