Encrypt content with its hash

I’m not a security expert, please help me understand if what I ask is useful or not.

I’m trying to build an app which uses public IPFS network (as opposed to uses private swarm) but keep the data private by encrypting it before adding it to IPFS.

I plan to have several machines running the same apps showing the same pictures. When required a new machine will be setup and it should be able to fetch the pictures from any other available machine.

I thought to use the hash of the original picture as a symmetric key to encrypt the picture and then put it on IPFS. The key will be encrypted with the public key of the node I’ll like to transfer the pictures to so it will be able to decrypt it. That way, any machine will be able to put the exact same encrypted picture on IPFS.

What do you think? Is that a good idea?

1 Like

This is called convergent encryption and there are some systems that use it, depending on their threat model. It does however leak the files that are stored to anyone who already has those files.

e.g. You add a movie file and anyone else who also has the original file (e.g. RIAA) can verify that you stored it.

Hi Ido-ran, we built a library to do this, it stores structured data (e,g, JSON, but could just be a picture) and uses authentication lists (kept on YJS or soon on OrbitDB), to manage who can view it.

In brief, the code is encrypted and the address of the Access Control List added to it. Its then stored in IPFS.
On retrieval the client can access the ACL, and retrieve a symetric decode key encrypted with their private key.

The full decription is at https://docs.google.com/document/d/1bdcNtfJQ04Twlbef1VZAjQYLmZgpdCFDapQBoef_CGs/edit

And the code is in our Repo on https://github.com/internetarchive/dweb-transport/


Thanks @ianopolous, I understand it can leak which files are stored by who, that is acceptable in my usecase.

Thanks @Mitra, I’ll try to use it

Great - happy to assist as any feedback will help us improve the library.

@ido-ran if you got a chance to look at it, then I’m interested in whether it was usable and any feedback (good or bad !) Happy to jump on a call if that is easier.

I didn’t got to that yet. Since I didn’t mange to use PubSub to connect js-ipfs and go-ipfs I’ve resort to use Firebase as a temporary solution. Once I’ll manage to transfer photos without encryption I’ll get to the encryption part.


btw, in my solution I have an Android app which run go-ipfs and a website using js-ipfs.
If I understand correctly the Dweb library is not available for go-ipfs - right?