My Delphi 2010 application (currently under development) encrypts user files and uploads them to EC2 and then to S3. Users can upload their files using a secure website (sort of like Dropbox, but in a different context, on the market, use, etc.)
I use RSA encryption. I give my users the opportunity to choose whether they want to use their private keys (generated locally) or use a shared key (located in the cloud).
When working on file uploads, I got 4 options that I must handle correctly:
If the user uses his own private encryption key:
a. Download from Delphi / Client file: the file is decrypted on the user computer after downloading
b. Downloading from the site / PHP: it is impossible (directly) if I do not give the user the opportunity to download a small utility that allows him / her to provide his secret key locally and decrypt the file after downloading.
Pros / cons: Safe, but not simple / too restrictive and impossible to do on mobile phones (?)
User selects my shared encryption private key (located in the cloud)
a. Download from Delphi / Client: the file is first decrypted using PHP on EC2 (then served to the user), in which case the download process can become very slow if many users download files (unlikely) or if the decrypted files are too large.
b. Download from site / PHP: same as (a)
Pros / cons: Directly or simply working, but can lead to huge CPU utilization, unacceptable delay when loading (especially if the file size in the question is huge).
My question is in two parts:
1) Is there a better strategy for handling such a scenario? and
2) What would you do (from the point of view of the encryption / download processing strategy ) if you want to offer your users the opportunity to choose between private and public encryption keys?
PS. I am using Delphi 2010 (client) with PHP 5.3 running on an EC2 instance, using the latest version of Amazon Linux 2012 build
EDIT Traffic is always encrypted, so HTTPS only!
EDIT 2 I use GPG for encryption / decryption
source share