Seafile Storage Encryption Backend

Since Seafile Professional Server 5.1.3, we support storage encryption backend functionality. When enabled, all seafile objects (commit, fs, block) are encrypted with the AES-256-CBC algorithm before they are written to the storage backend. Currently supported backends are: file system, Ceph, Swift and S3.

Note that all objects are encrypted with the same global key/iv pair. The key/iv pair has to be generated by the system admin and stored safely. If the key/iv pair is lost, none of the data can be recovered.
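To make the note above concrete, here is an added example (not Seafile's own code) that encrypts an object with AES-256-CBC under one fixed key/iv pair, as the page describes, and decrypts it again; it assumes PKCS#7 padding and uses constructed key, IV and object values rather than anything produced by seaf-gen-key.sh. It also shows why the global pair must be protected: with a fixed key and IV, identical objects always produce identical ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// EncryptObject encrypts one object with AES-256-CBC under a fixed key/iv pair.
// PKCS#7 padding is an assumption; the page does not name the padding scheme.
func EncryptObject(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// DecryptObject reverses EncryptObject and rejects malformed padding.
func DecryptObject(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-n], nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed test key; real keys come from seaf-gen-key.sh
	iv := []byte("0123456789abcdef")      // constructed 16-byte IV
	obj := []byte("constructed fs object")
	c1, _ := EncryptObject(key, iv, obj)
	c2, _ := EncryptObject(key, iv, obj)
	fmt.Println("identical ciphertext for identical objects:", bytes.Equal(c1, c2))
}
```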

Configure Storage Backend Encryption

Generate Key and IV

Go to /seafile-server-latest and execute ./seaf-gen-key.sh -h. It will print the following usage information:

  usage :
  seaf-gen-key.sh
  -p <file path to write key iv, default ./seaf-key.txt>

By default, the key/iv pair is saved to a file named seaf-key.txt in the current directory. You can use the -p option to change the path.

Configure a freshly installed Seafile Server

Add the following configuration to seafile.conf:

  [store_crypt]
  key_path = <the key file path generated in previous section>

Now the encryption feature should be working.

Migrating Existing Seafile Server

If you have existing data in the Seafile server, you have to migrate/encrypt the existing data. You must stop Seafile server before migrating the data.

Create Directories for Encrypted Data

Create new configuration and data directories for the encrypted data.

  cd seafile-server-latest
  cp -r conf conf-enc
  mkdir seafile-data-enc
  cp -r seafile-data/library-template seafile-data-enc
  # If you use SQLite database
  cp seafile-data/seafile.db seafile-data-enc/

Edit Config Files

If you configured an S3/Swift/Ceph backend, edit /conf-enc/seafile.conf. You must use a different bucket/container/pool to store the encrypted data.

Then add the following configuration to /conf-enc/seafile.conf:

  [store_crypt]
  key_path = <the key file path generated in previous section>

Migrate the Data

Go to /seafile-server-latest and use the seaf-encrypt.sh script to migrate the data.

Run ./seaf-encrypt.sh -f ../conf-enc -e ../seafile-data-enc. The output looks like this:

  Starting seaf-encrypt, please wait ...
  [04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 57 block among 12 repo.
  [04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 102 fs among 12 repo.
  [04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all fs.
  [04/26/16 06:59:40] seaf-encrypt.c(444): Start to encrypt 66 commit among 12 repo.
  [04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all commit.
  [04/26/16 06:59:41] seaf-encrypt.c(454): Success encrypt all block.
  seaf-encrypt run done
  Done.

If there are error messages after executing seaf-encrypt.sh, you can fix the problem and run the script again. Objects that have already been migrated are not copied again.

Clean Up

Go to , execute the following commands:

  mv conf conf-bak
  mv seafile-data seafile-data-bak
  mv conf-enc conf
  mv seafile-data-enc seafile-data

Restart Seafile Server. If everything works okay, you can remove the backup directories.