DAT Circle of Trust
This site describes a possible method of implementing a circle of trust on top of DAT and Hashbase.io in order to ensure that files shared are only accessible to the intended recipients.
Use case: Researchers collaborating and sharing private versions of datasets with each other that contain proprietary data or trade secrets.
- Each researcher obtains a Raspberry PI and several Micro SD cards.
- Each card is prepared with the latest version of a secure Linux distribution agreed on by the researchers.
- Only the PIs will be connected to the internet. Lab machines will remain disconnected.
- A public/private key pair is generated on a disconnected lab machine.
- The public key is exported to an Ascii Armor TXT file and copied to one of the Micro SD cards for the PI. The private key is exported and backed up to a USB thumbdrive and kept in a secure location.
- Each researcher uploads their public key to a subdirectory of a shared DAT site for their project, which can be safely published to Hashbase.io
- Sample directory structure:
- 4Alice - has Alice's public key
- 4Bob - has Bob's public key
- 4Carl - has Carl's public key
- 4Donna - has Donna's public key
- Each researcher may replace their public key at any time with a new public key simply by uploading it to the project site.
- The researcher who has data to share connects their PI to the Internet and synchronizes the Hashbase.io site to the local Micro SD card on the PI. This downloads the latest public key for each colleague.
- The public keys are copied to a disconnected lab machine that contains the data files to be shared.
- The researcher runs a script to encrypt each file being shared with the public key of each recipient.
- The encrypted files are then copied to the Micro SD card for the PI (either by mounting the SD card, or connecting the PI to an internal network). The source files remain safely on the disconnected lab machine.
- The PI is then connected to the Internet, and the encrypted files are synchronized to the project site on Hashbase.io
- The recipients connect their PIs to the internet and synchronize the project site to their PIs. This downloads the encrypted data files to the Micro SD card on the PI.
- The recipients disconnect their PIs from the internet and copy the encrypted files to a disconnected lab machine that has their private key.
- The recipients run a script to decrypt each file received using their private key and passphrase.
- The decrypted files may then be copied to the internal lab network.
- Old versions of encrypted files may be deleted from the Hashbase.io site, and they will remain in the DAT archive if needed in the future for audit purposes.