
Show HN: sdees – serverless decentralized editing of encrypted stuff - qrv3w
https://github.com/schollz/sdees
======
Kubuxu
A friend of mine is working on Cryptpad [1], which is an encrypted collaborative web
editor. There are multiple connection modes, the most common being a websockets relay
server, but he is also working on a WebRTC transport.

Everything is modular so you can create encrypted applications as you see fit
by changing transport, storage, crypto and frontend. See for example [3].

In case of using a relay server the content is encrypted so the server doesn't
know what the content is.

The source is open under the AGPL license.

---

[1]: [https://beta.cryptpad.fr](https://beta.cryptpad.fr)

[2]: [https://github.com/xwiki-labs/cryptpad/](https://github.com/xwiki-labs/cryptpad/)

[3]:
[https://beta.cryptpad.fr/poll/#173f2db91c58169a22a005ebb85c2...](https://beta.cryptpad.fr/poll/#173f2db91c58169a22a005ebb85c2377SLzcS+YkTZUkoXYpftGVvzVC)

~~~
lgessler
Thanks for sharing this. I had an old hackathon project that seemed cool but
didn't really have a good application (essentially, end-to-end encrypted
Socket.IO implemented on top of Keybase filesystem:
[https://github.com/lgessler/kbrpc](https://github.com/lgessler/kbrpc)). Maybe
I'll try to get it to work with Cryptpad.

------
antocv
How is this serverless when there is a server called remote in the example?

Am I the only one around here?
[http://i3.kym-cdn.com/entries/icons/original/000/010/856/4fc...](http://i3.kym-cdn.com/entries/icons/original/000/010/856/4fcdf2e118613355b500ba5d.jpg)

~~~
olalonde
As much as it pains me to say it, that ship sailed around the time AWS Lambda
was announced. "Serverless" now means "a server you don't need to think
about".

------
olalonde
Almost buzzword compliant, just missing the "written in Go".

~~~
creshal
I thought it's Lisp week?

------
throwawayReply
Amusing to see a comment mention 14 work factor and the code is 12 rounds.

Code and comments get out of sync so quickly.

Out of interest, why the static salt in addition to bcrypt?

~~~
arkadiyt
Not the author but if I had to take a guess I'd say they might have been
trying to pepper the hash:
[https://en.wikipedia.org/wiki/Pepper_(cryptography)](https://en.wikipedia.org/wiki/Pepper_\(cryptography\)).

It's not particularly useful here since if someone got access to your remote
encrypted file and knew it was made with sdees, the pepper is public. However
if the value was configurable by the user then it could provide an extra layer
of protection against someone brute forcing the hash and getting your
password.

A better approach would be to not store a hash of the password at all. The
author uses it to check that the user supplied the correct password when
attempting decryption - instead you can decrypt the file using whatever
password the user provides (getting either correct or garbage output back),
and check for a magic value in the output.
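
The scheme described in the comment above, as an added example that is not part of the thread or of sdees' code. It uses Node's built-in `crypto` module; the file layout, the `MAGIC-v1` marker, the function names and the choice of scrypt with AES-256-CTR are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed marker for this example; it is not sdees' real file format.
const MAGIC = Buffer.from('MAGIC-v1');

// scrypt makes every password guess expensive; the salt is stored in the file.
function keyFor(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Assumed layout: salt(16) || IV(16) || AES-256-CTR(MAGIC || text).
// No separate password hash is stored; a guess can only be tested by
// running the KDF and decrypting.
function seal(password, text) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(16);
  const enc = crypto.createCipheriv('aes-256-ctr', keyFor(password, salt), iv);
  const body = Buffer.concat([enc.update(MAGIC), enc.update(text, 'utf8'), enc.final()]);
  return Buffer.concat([salt, iv, body]);
}

// Decrypt with whatever password was supplied, then look for the marker.
// A wrong password yields garbage, so the marker is missing and null is returned.
// The marker only confirms the key; it does not detect later tampering.
function open(password, blob) {
  if (blob.length < 32 + MAGIC.length) return null; // too short to hold a header
  const key = keyFor(password, blob.subarray(0, 16));
  const dec = crypto.createDecipheriv('aes-256-ctr', key, blob.subarray(16, 32));
  const body = Buffer.concat([dec.update(blob.subarray(32)), dec.final()]);
  if (!crypto.timingSafeEqual(body.subarray(0, MAGIC.length), MAGIC)) return null;
  return body.subarray(MAGIC.length).toString('utf8');
}

// Constructed sample input.
const sealed = seal('correct horse', 'dear diary');
console.log(open('correct horse', sealed));
console.log(open('wrong guess', sealed));
```

With an authenticated mode such as AES-256-GCM, the tag check plays the same role as the marker and also rejects modified ciphertext.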

~~~
qrv3w
Thanks! I will do that.

------
cyphar
Why not use GPG directly? I get the wish to not add more binary dependencies,
but the recent couple of issues with Go's math and crypto libraries doesn't
fill me with confidence. Not to mention that there's no real benefit to adding
your own wrappers around the crypto primitives when GPG already exists.

~~~
qrv3w
Initially I did. However, I tend to use lots of Windows computers, so I really
wanted something where I didn't have to install Cygwin+GPG+rsync each time.

The Windows release also bundles vim into the binary so you don't even have to
have vim installed if you're using Windows!

~~~
xori
And as a Windows user I thank you.

~~~
srpeck
I had the same need, so I created a zero-install, client-side encrypted,
browser-based editor using SJCL+CodeMirror in Vim mode:
[https://github.com/srpeck/encryptedgist](https://github.com/srpeck/encryptedgist)

------
133777
> "The remote computer is used only for file storage and does not require any
> server-side code."

And that's serverless?

~~~
throwawayReply
You're wondering what serverless means while I'm trying to work out how a
central file-store is "decentralized".

------
_paulc
(In .vimrc) set cryptmethod=blowfish2

vim -x scp://.../...

~~~
ende42
I was excited for a moment. Then found out neovim doesn't support -x. And this
is why:
[https://github.com/neovim/neovim/issues/694](https://github.com/neovim/neovim/issues/694)
(tldr; vim encryption is unsecure and thus removed from neovim for the time
being). Would have been nice, though.

------
wtbob
In emacs, one could use TRAMP and EasyPG Assistant:

    C-x C-f /rsync:user@host:/path/to/file

One could of course also configure stuff such that one could type quite a bit
less.

------
avindroth
This is cool. I have been planning encrypting my personal data, but didn't
realize the process of timestamping was this difficult.

Glad I found the solution with the problem.

------
kellros
Nice. Slightly disappointed that the file being edited in the demo wasn't
called "nuts"
([https://raw.githubusercontent.com/schollz/sdees/master/brand...](https://raw.githubusercontent.com/schollz/sdees/master/branding/help2.gif))

------
orliesaurus
I was expecting something using IPFS :D

~~~
chme
Yes, or something like syncthing

------
mrmondo
Please stop using the term serverless, it may be decentralised but it is not
serverless, so if you mean decentralised please use that term instead.

------
repomies691
How is this "serverless"? Quite clearly I have to configure a remote...

