I think the simplest and safest way to story videos and images on the cloud away prying eyes is to encrypt the video and images before uploading them to cloud storage.
I am looking for a simple way to encrypt images and videos.
Must support long complex encryption passwords/passphases, I am thinking 2048bytes, and changing those on the fly, without interrupting encryption.
Off the top of my head, PGP Netshare and Boxcryptor both allow you to store
encrypted data in the cloud without much hassle
I want to encrypt before uploading.
perhaps VeraCrypt
https://veracrypt.codeplex.com/discussions/577243
https://www.reddit.com/r/netsec/comments/2tde4l/i_am_jason_pyeron_of_the_ciphershed_project_ama/
Why? If the encryption is native to the system, what difference does it
make? Just curious is all.
PGP Netshare using Public key encryption on the data, once it end ups in a
designated folder, it’s automatically encrypted and only accessible to the
users with Public/Private keys allowed.
Encrypting before upload just seems like a lot of extra work, especially if
you now want to play back that data.
What do you actually want, when you say “interrupting encryption”, or “changing the passwords/passphrases”.
Do you want to be able to stream directly to the cloud, and encrypt that on the fly, without first storing it? Or are you happy to have it locally on disk first, and encrypt that during upload.
In any case, I recommend that the innermost layer is symmetrical algorithm (eg AES), with a unique session key, and that key is then protected with asymmetrical algorithm (eg RSA). Notably, this means that you can encrypt content without ever risking the private side of the latter key.
GPG implements the above, but isn’t known for speed. If you want a mostly pre-written but easier to use script, I recommend you take the amcrypt wrapper from the Amanda package. The amcrypt wrapper will also happily take stdin if you wanted to stream video to it, and stream the output from the script to a cloud service.
If you want something that can wrap all of the pieces instead of doing the integration work yourself, and don’t care about streaming, consider Arq on Mac, or Duplicati (v2 specifically) on Windows/Linux.
I was just thinking about that in the context of google photos. It now
allows you to upload an unlimited quantity of photos, as long as the
resolution is not too big. In this scenario the problem could be that the
service compresses your encrypted photos, making it impossible to decrypt
them.
As for how to do it, it’s shouldn’t be too hard to write a script that
looks at a folder where you put all new photos, and copies+encrypts them to
a folder tracked by your cloud storage provider. Python has a nice crypto
library that could do that relatively easily.
Contents will be stored to “disk” fifo before the upload. I might play with stop image rate to accommodate a slow network speed. Having high quality images is more important than having every frame. Encrypting before storing is the most secure, but not necessary. Because if someone brakes into the hardware, all security is lost anyway.
I will take a look at amcrypt, that might be the solution I am looking for.
Thx I will look
That brings up a good point, will need to add error correction on top of the encrypted images so that don’t lose everything with a small data change. Does the tools mentioned above include some post encryption error correction encoding?
perhaps boxcrytor
unlimited space is tempting if it is doable.
Are you talking about single frames in image format (JPG or MJPG) or a low frame rate encoded video stream (MP4)?
Really good question. The answer is what is required for security, identification of person.
I don’t know.
That adds more questions. Do you need to be able to maintain a “Chain of Custody”, in other words, is this content going to be used in legal proceedings? If so, then you are better off buying a purpose built security camera that will have built-in encryption in order to prove the video hasn’t been tampered with. (Sanyo used to make good cameras for this purposes until they were bought by Panasonic). In the absence of other evidence, a low frame rate video without a provable chain of custody may get shredded by an attorney.
If chain of custody is not a concern, then you need to consider:
individual video frames stored as images are independent and can be easily encrypted by any encryption tool like gpg for example. Loss or corruption of one image will not affect the rest. This also allows you to alter your encryption key as often as you like. GPG with public key crypto would be a good choice as the private key can be kept safe offline and only the public key would need to be present in the encryption system. MJPEGs are several JPG images concatenated into a single file that can be played back in the form of a video.
If you are going with a video stream such as MP4, you have to remember that most modern encoding formats (h.264) store the video frame data first and once the end of the stream is reached, then the “data dictionary” (also known as the h.264 frame index) is recorded at the end of the file. Without this last bit of data, the video stream is almost completely useless unless you are willing to pay big money for a recovery service. What this means to you is that if you want to encrypt video streams, you have to split them into smaller chunks (such as 1 minute intervals) so that the index is written to the end of the file and then you can encrypt it.
Which means that if you want to be able to do that, you either have to break up your video stream into small chunks or use a JPG image method.
In any solution, you will most likely need to use ffmpeg to process your incoming video stream (from camera) and encode it, and an encryption tool such as gpg.
Also note that if you are changing your encryption keys too often, then you will run into key management issues.
Being able to identify a person in an image also comes with pixel density concerns. A good rule of thumb is 50 pixels per foot. In other words, you need a lens and video sensor and video encoding system that will maintain a resolution of 50 pixels for every 12 inches of horizontal span at the distance from the camera that the subject will be located. That will tell you what video resolution you need.
So the solution is:
Video Source → Video Digitizer (Capture device) → ffmpeg (for dropping frames for the desired frame rate) → ffmpeg ( for trimming of any areas of no interest ) → ffmpeg (placing an burned-in overlay such as date/time/location) → ffmpeg (for encoding to the desired format ) → file on disk → gpg (+ encryption key) → uploading tool (FTP, wget, etc.)
All ffmpeg steps can be done in one single command line.
BTW, if you want to use this to catch the thief that breaks into your home, you need to keep in mind that unless the suspect is already known by the police, the police will not embark in a search for the suspect unless the financial damage exceeds a certain threshold. Talk to your local police before you invest in such a system only to find out that they will not use the evidence gathered by it.
As my parents were told by the RCMP when they got broken into:
I know, it sucks to get broken into, but the reality is that unless you have political weight, the police won’t go any further than filling out a form. Most of the time, when they do recover stuff, they are too busy to figure out what belongs to whom, so it all goes to the police auctions.
encfs. EncFS is a program which provides an encrypted virtual filesystem for Linux using the FUSE kernel module. FUSE provides a loadable kernel module which exports a filesystem interface to user-mode. EncFS runs entirely in user-mode and acts as a transparent encrypted filesystem.
I’ve used EncFS with dropbox before. This allowed me to have an encrypted folder mounted on several machines that was synced between all of the machines. And in the event someone got into my dropbox all they would have is a bunch of encryped files/folders
toma@toma-m5a97:~$ sudo apt-get install encfs -y
toma@toma-m5a97:~$ mkdir ~/Dropbox/encrypted
toma@toma-m5a97:~$ mkdir ~/decrypted
toma@toma-m5a97:~$ encfs ~/Dropbox/encrypted ~/decrypted
Creating new encrypted volume.
Please choose from one of the following options:
enter “x” for expert configuration mode,
enter “p” for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p
Paranoia configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: “ssl/aes”, version 3:0:2
Filename encoding: “nameio/block”, version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.
-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs ‘mutt’ and ‘procmail’ are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password:
Verify Encfs Password:
toma@toma-m5a97:~$ mkdir ~/decrypted/Documents
toma@toma-m5a97:~$ echo “Test file” >> ~/decrypted/Documents/testfile.txt
toma@toma-m5a97:~$ ls ~/Dropbox/encrypted/
tGKX,hwiOPfrOf3GW7HsRHj8
toma@toma-m5a97:~$ ls ~/Dropbox/encrypted/tGKX,hwiOPfrOf3GW7HsRHj8/
b5NqrOAECUvFMfsFq7dJvI4n
toma@toma-m5a97:~$ cat ~/Dropbox/encrypted/tGKX,hwiOPfrOf3GW7HsRHj8/b5NqrOAECUvFMfsFq7dJvI4n
*w� ��Yg
toma@toma-m5a97:~$
Are you looking to setup a security camera system? Because you could use linux + usb webcam + motion.
Motion will output video/images to a folder when motion is detected by the webcam.
If you were to do the encfs example above, install motion and change the output directory in the motion config file to ~/decrypted anytime a picture was taken it would be automatically encrypted and synced to your dropbox. hows that for a solution?
thx tom, that will do fine