FADE is a Linux-based C++ language API which provides a secure overlay cloud storage with file assured deletion. The scheme is implemented as described in the following paper:
Yang Tang, Patrick P. C. Lee, John C. S. Lui, and Radia Perlman, "FADE: Secure Overlay Cloud Storage with File Assured Deletion.", SecureComm 2010, Singapore, September 2010.
FADE is running under Linux with a C++ compiler, e.g., g++, installed. To install FADE in your Linux system, you may take the following procedures.
You need to patch LibAWS++ in order to use FADE. You can find the patch at "src/libaws_patch/libaws_patch_for_fade.patch" in the FADE source code package. Alternatively, you can download it here.
To patch LibAWS++, change directory to "libaws" and run the following command:
$ patch -p2 -i libaws_patch_for_fade.patch
After that, you can follow LibAWS++'s instructions to compile and install it.
If everything is successful, you will have client, keymanager, libfade.a and libfade.so in the bin directory.
In this quickstart guide, we assume that you are in the FADE directory (i.e., "fade-0.2/"). The following instructions are relative to this directory.
A sample configuration file is as follows. It is also included in the source code package, as etc/config.xml.
<?xml version="1.0"?> <config type="client"> <keymanagers threshold="2" number="3"> <keymanager address="127.0.0.1:12345"/> <keymanager address="127.0.0.1:12346"/> <keymanager address="127.0.0.1:12347"/> </keymanagers> <storages> <local path="storage"/> <s3 bucket="fade.sg"/> </storages> <cache path="data"/> <secret file=".fade_secret"/> <cpabe pub_key="data/pub_key" priv_key="data/priv_key"/> </config>
The configuration file is in XML format. Between <keymanagers threshold="k" number="n"> and </keymanagers> are the configuration for the key managers, where n is the total number of key managers, and k is the minimum number of working key managers. FADE works as long as at least k out of n key managers correctly function.
Each key manager configuration entry is in the following format:
<keymanager address="ip.addr.goes.here:port"/>
Between <storages> and </storages> are the configuration for the storages. Currently FADE supports two kinds of storages: local repository and Amazon S3 storage.
A local repository is basically a folder in your file system. The configuration format is:
<local path="~/some/directory"/>
For Amazon S3 storage, the format is:
<s3 bucket="bucket_name"/>
In addition, you need to configure where your local data are stored. This is the working directory of FADE. All upload/download operations work on files in this directory. The format is:
<cache path="~/some/directory"/>
Finally, you need to configure the file that contains the long-term private secret. The format is:
<secret file=".fade_secret"/>
If you use CP-ABE, you also need to specify the public/private keys for the cpabe toolkit. In our current implementation, the client has a single private key, which contains attributes corresponding to every policy it satisfies. You may refer to "Using the cpabe Toolkit" for information on how to generate the keys. After you have generated these keys, you need to configure FADE with:
<cpabe pub_key="path/to/your/pub_key" priv_key="path/to/your/priv_key"/>
If you want to use Amazon S3 storage, you need to configure the Amazon S3 secrets. Basically you need to set two environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. You can do this by the following commands:
$ export AWS_ACCESS_KEY_ID="..." $ export AWS_SECRET_ACCESS_KEY="..."
Use the following command to start the key manager at port 12345:
$ bin/keymanager --port=12345
If you want to enforce access control with CP-ABE, then you should add "--use-cpabe" option (or "-c" for short):
$ bin/keymanager --port=12345 --use-cpabe
In the current implementation of FADE, the key manager saves the keys as PEM files in the "keys" directory under the current path. Please make sure that you have both read and write permissions of that directory. To revoke a policy, you can simply delete the related PEM file.
FADE comes with an empty "keys" directory. If you don't have it, you can simply create one by:
$ mkdir keys
Run client and specify the configuration file as the command-line argument:
$ bin/client etc/config.xml
Then, you will get a prompt like this:
FADE>>
If this is the first time you run a FADE client, you need to generate a long-term private secret. This can be done by the GENSECRET command: (You may wish to run this command only once.)
FADE>> GENSECRET
After that, you can pick up one of the following commands (case-insensitive):
For example, the following command encrypts and uploads foo.txt with policy DATE-2010-12-31:
FADE>> UPLOAD foo.txt POLICY DATE-2010-12-31
In FADE, the policy name ("DATE-2010-12-31") is just a plain-text string.
If multiple policies are used, please use "," as the deliminator of conjunctive policies, and use ";" as the deliminator of disjunctive policies. For example, the following command encrypts and uploads bar.txt with policy "(P1 and P2) or P3":
FADE>> UPLOAD bar.txt POLICY P1,P2;P3
Below are more examples.
The following command downloads and decrypts foo.txt:
FADE>> DOWNLOAD foo.txt
The following command renews the policy of foo.txt into DATE-2011-12-31:
FADE>> RENEW foo.txt POLICY DATE-2011-12-31
The following command quits FADE:
FADE>> QUIT
FADE provides some APIs that you can use in your own program.
The file src/client/Main.cc is a good sample of how to use FADE APIs. (Please omit the lines between FADE_EVAL.)
The FADE Client class is a singleton. You can access its sole instance by Client::instance().
You need to set the parameters by the following methods:
Alternatively, you can provide a configuration file in XML format, and use the following method to set all the parameters:
Client::instance()->readConfig(configuration_filename);
You should read the secret by
Client::instance()->readSecret();
before doing other stuffs.
Finally, you can freely use the following methods:
See Client class docs for details.
The GUI is based on PyQt4. In Debian/Ubuntu, you may get it by:
# apt-get install pyqt4-dev-tools
A sample configuration file is as follows. It is also included in the source code package, as etc/config.ini.
[s3] bucket=fade [fade] cache=data bin=bin/client config=etc/config.xml
The configuration file is in INI format. It is solely used by the GUI. It contains two sections: [s3] and [fade].
In the [s3] section, you need to specify the bucket. This value should be the same as the <s3 bucket="..."> in your FADE configuration file.
In the [fade] section, you need to specify:
Run the GUI and specify the configuration file as the command-line argument:
$ gui/fade_gui.pyw etc/config.ini
Yang Tang, Patrick P. C. Lee, John C. S. Lui, and Radia Perlman, "FADE: Secure Overlay Cloud Storage with File Assured Deletion.", SecureComm 2010, Singapore, September 2010.
Arthur Rahumed, Henry C. H. Chen, Yang Tang, Patrick P. C. Lee, and John C. S. Lui, "A Secure Cloud Backup System with Assured Deletion and Version Control.", CloudSec 2011, Taipei, September 2011.
The work of Patrick P. C. Lee was supported by project MMT-p1-10 of the Shun Hing Institute of Advanced Engineering, The Chinese University of Hong Kong.