
Ask HN: Encryption for blog posts on static sites? - dhruvkar
Is there a simple way to add encryption to a static site (e.g. hugo, jekyll etc.) and it can be decrypted on the browser without a backend?<p>This would be for something like a personal journal or close-friends only blog posts while keep the rest of the site open.
======
jamieweb
Just a pointer, but something like Plainsight[1] may give you some ideas.

You could agree on a source text with your friends in an out-of-band way, then
everyone just has to go and download whatever book/song/etc that you agree on
in order to decode your articles.

Anybody who isn't 'in-the-know' will just see gibberish.

[1] [https://github.com/rw/plainsight](https://github.com/rw/plainsight)

~~~
dhruvkar
This is very close to what I was looking for, thank you!

------
sdwedq
You can use Netlify for this: [https://docs.netlify.com/visitor-
access/password-protection/...](https://docs.netlify.com/visitor-
access/password-protection/#site-wide-protection)

~~~
dhruvkar
I'm using netlify and I know that they offer this on paid plans.

However, I'm looking for something without vendor lock-in. So moving to AWS or
github pages won't affect functionality.

------
gabrielsroka
Encryption can be broken offline. You may want to put a server in front of it
to block access to the raw encrypted material.

That said, I'm using the Stanford JavaScript Crypto Library on
[https://github.com/gabrielsroka/gabrielsroka.github.io/blob/...](https://github.com/gabrielsroka/gabrielsroka.github.io/blob/master/webpages/secret.htm)

What about authentication? Maybe putting it on a Google doc and sharing it
with certain people?

~~~
dhruvkar
Thanks! Don't need authentication, these are just personal blog posts. If I go
down that route, might as well set up a server.

The crypto library and the html snippet are helpful, thanks!

------
newswasboring
Wouldn't adding a lets encrypt certificate to enable https do exactly that?

~~~
dhruvkar
hmmm, I phrased the question incorrectly I think. Bear with me, I may not have
the right vocabulary for this:

Let's say I have a blog post. I want it scrambled (encrypted) unless a
password is entered on the client side so it can be read. I would give out the
password to specific people only, who'd be able to read it.

Could an SSL certificate be used for that?

~~~
Tomte
No, you'd probably need some Javascript.

But why not this: publish the blog post the normal way and configure the web
server to only serve it to people with a proper username/password (HTTP Basic
Authentication).

All browsers and web servers let you do that.

For Apache, see this example:
[https://httpd.apache.org/docs/current/howto/htaccess.html#au...](https://httpd.apache.org/docs/current/howto/htaccess.html#auth)

~~~
dhruvkar
want it for a static site, no access to the backend. I dont want to run a full
blown website, just want access control. possible?

~~~
Tomte
Sure, if your web hoster allows .htaccess files (most do). You just put that
file next to your HTML files.

~~~
dhruvkar
Have you ever hosted something github pages or netlify? Those are the
situations I'm talking about, where an htaccess or any server side access
control wouldn't work.

~~~
Tomte
No, I haven't. But since you did not tell anyone about that requirement, how
was I to guess it?

~~~
dhruvkar
You're right. I assumed mentioning static site with Hugo or Jekyll was enough.

To clarify, it would be a static site with hosting on something like netlify
or github or gitlab pages, where you don't have access to the server.

