
dabih -- encrypted data storage and sharing platform

Michael Huttner, Jakob Simeth, Renato Liguori, Fulvia Ferrazzi, Rainer Spang

TL;DR

The paper presents dabih, a browser-based platform for secure storage and sharing of sensitive biomedical data, addressing usability barriers to strong cryptography by performing encryption within the Web Crypto API and avoiding client-side software installs. It implements a hybrid envelope encryption scheme (AES-256-CBC data encryption with RSA-4096 OAEP key encapsulation), with private keys kept on the user’s device and OAuth2/OpenID for authentication, enabling fine-grained access control and secure data exchange. Key contributions include open-source server and client components (web app, CLI in Rust, and a bulk uploader), containerized deployments, root keys for emergency recovery, and offline recovery data, plus token-based data ingestion. The solution lowers barriers to adopting strong cryptography in clinical research by providing secure, auditable, and user-friendly data management that can interoperate via APIs while avoiding bespoke client software deployment.

Abstract

Background: The secure management of sensitive clinical data, particularly human genomics data, has become a critical requirement in modern biomedical research. Although the necessary software and algorithms are readily available, their use by non-IT experts poses significant challenges. Methods: We developed dabih, an open-source web application specifically designed to facilitate user-friendly encrypted data management. dabih enables web-based uploading, storing, sharing, and downloading of sensitive data in any format. Its approach to data security involves a two-stage envelope encryption process. We combine symmetric-key encryption for data and public-key encryption as a key encapsulation mechanism. The private key necessary for decrypting the data remains exclusively on the owner's device. Thus, accessing data is impossible without explicit permission from the keyholder. Results: dabih is available open-source on GitHub https://github.com/spang-lab/dabih, as ready-to-use containers on Docker Hub, and includes a command line interface and a graphical bulk upload tool as pre-built binaries. Documentation is available as part of the web application. Conclusions: dabih enables everyone to use strong cryptography for their data, while being just as simple to use as other, non-encrypted data storage solutions. All the cryptography occurs seamlessly in the background as users interact with a secure web portal, simply by dragging and dropping files.

Paper Structure: 21 sections, 4 figures

Figures (4)

  • Figure 1: RSA-4096 key-pair generation and upload to dabih. Key generation always happens locally, and the private key never leaves the user's computer. The public key is uploaded to dabih. The private key can be generated as a printable QR Code and scanned in with a normal webcam; it will only be stored in the browser's local storage.
  • Figure 2: Dataset re-encryption in case of key loss. As long as some other user has access to the data, it can be re-encrypted. The user with access downloads the encrypted AES key, decrypts it and sends it to the server. The server uses the key to decrypt the dataset, generates a new AES key and then re-encrypts the dataset with the new key. All existing access permissions stay intact: the public keys are known to dabih and are used to generate new encrypted AES keys.
  • Figure 3: Schematic overview of the dabih application. Data is uploaded to dabih and then encrypted in two stages; the encrypted data is written to disk. This data can then be securely shared with authorized recipients by re-encrypting the symmetric key with the new user's public key. Downloading is the reverse of the upload process, decrypting the data in two stages.
  • Figure 4: Left side: A dabih private key in a printable format. The key is encoded as a QR Code that can easily be read by a computer webcam. We use a special smaller format, see \ref{rsa_key_size}, to be able to fit the key into a single QR Code. The QR Code is encoded as text, to allow for easy copying and pasting of the data. The key is also printed out as text next to the QR Code as a redundancy measure; typing it in should never be required. Right side: The dabih web client, currently uploading a large file. We show a clear progress indicator, can detect duplicate uploads and can resume from incomplete uploads.