Posted to user@guacamole.apache.org by gabriel sztejnworcel <ga...@gmail.com> on 2022/05/03 19:49:21 UTC

File Encryption for RDP Redirected Folders

Hi,

Was there ever a discussion or suggestion to implement encryption for files
transferred in RDP sessions through redirected folders? So that if someone
gets access to the Guacamole server, they won't be able to get these files,
which might contain sensitive information.
I thought of creating a key for each session, when the file is uploaded -
use the key to encrypt it. When the file is read from within the RDP
session - decrypt the requested portion. The encryption itself might be
challenging as it needs to be in parts.

For download - maybe it's possible to stream the file to Guacamole client
immediately and not store it on disk instead of encrypting it.

Wondering if someone ever tried it or if someone else thinks it's useful.

Thanks,
Gabriel
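
The per-session key and "decrypt the requested portion" idea from the message above, as an added sketch that is not part of the original post and is not Guacamole or guacd code. It uses Go's standard library so it runs on its own. The chunk size, the function names, the HMAC-derived per-file key and a session key held only in process memory are all assumptions.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const chunkSize = 4096 // plaintext bytes per sealed chunk (assumed value)
// fileAEAD derives a per-file AES-256-GCM key so chunk-index nonces never repeat across files.
func fileAEAD(key, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, key)
	mac.Write(salt)
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key, cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}
// nonce is the 96-bit GCM nonce for chunk i: four zero bytes, then the index.
func nonce(i int) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), uint64(i)) }

// Encrypt seals an upload chunk by chunk. Write-once: re-sealing an index reuses a nonce.
func Encrypt(key, plain []byte) (salt []byte, chunks [][]byte) {
	salt = make([]byte, 16)
	rand.Read(salt)
	aead, buf := fileAEAD(key, salt), bytes.NewBuffer(plain)
	for i := 0; buf.Len() > 0; i++ {
		chunks = append(chunks, aead.Seal(nil, nonce(i), buf.Next(chunkSize), nil))
	}
	return salt, chunks
}
// ReadAt authenticates and decrypts only the chunks overlapping [off, off+n); off >= 0.
func ReadAt(key, salt []byte, chunks [][]byte, off, n int) ([]byte, error) {
	aead, out := fileAEAD(key, salt), []byte(nil)
	for i := off / chunkSize; i < len(chunks) && len(out) < n; i++ {
		p, err := aead.Open(nil, nonce(i), chunks[i], nil)
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		b := bytes.NewBuffer(p)
		b.Next(off + len(out) - i*chunkSize) // skip bytes before the offset
		out = append(out, b.Next(n-len(out))...)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // per-session key, held only in memory (assumption)
	rand.Read(key)
	salt, chunks := Encrypt(key, []byte("constructed sample upload"))
	fmt.Println(ReadAt(key, salt, chunks, 12, 6))
}
```

Swapped or modified chunks fail authentication because the nonce is the chunk index, but dropping trailing chunks is not detected by this layout; a stored length or a final-chunk flag in the associated data would cover that.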

Re: File Encryption for RDP Redirected Folders

Posted by Joachim Lindenberg <gu...@lindenberg.one>.
Hi Gabriel,

imho, asking for encryption via Guacamole or even end users is a dead-end here. Protect the server itself (full encryption close to hardware is always a good idea), and audit administrative access reasonably. Guacamole cannot do better as it would have to store a key somewhere, and end users are notoriously bad at key management.

How do you solve that issue with other shares? I'd be surprised if there are none or that Guacamole is more critical than anything else.

Best Regards,

Joachim

 

From: gabriel sztejnworcel <>
Sent: Friday, 6 May 2022 21:10
To: user@guacamole.apache.org
Subject: Re: File Encryption for RDP Redirected Folders

 

Hi Joachim,

We use Guacamole with some customizations (code changes). The way we implemented it - the redirected folder is a per-session temporary folder, it has a unique name and it's deleted at the end of the session, so other users in RDP sessions (or even the same user from another session) can't see the files from within the session, but if someone gets access to the server with the right permissions they would get access to the files, this is what we are trying to mitigate.

Thanks,

Gabriel

 

On Wed, 4 May 2022 at 17:59, Nick Couchman <vnick@apache.org> wrote:

On Wed, May 4, 2022 at 10:44 AM Joachim Lindenberg <guacamole@lindenberg.one> wrote:

Hello Nick & Gabriel,

before thinking about encryption, what is the user and authorization concept for that share? Can every user see and change all other users' files? Or are the paths somehow distinct for all users, disallowing sharing? The doc only states, the guacd process needs to be able to read/write the directory, nothing else.

 

It's important to understand that the access to the redirected folder is done by the user running guacd. So, if you point all users to the same exact folder in the redirection, everyone will have access to all of the files. This can be mitigated in a couple of ways:

* Use tokens in Guacamole to point users to their own folders - for example, the path in the redirection could be /files/guacamole/${GUAC_USERNAME}, which means each user logging into Guacamole (not necessarily the remote system) will have their own folder.

* Instead of using folder redirection, use SSH on a server with Samba installed, so you can transparently share that folder both with the remote system (via SMB) and with the Guacamole browser (via SSH).

 

In fact I never enabled that drive, because I never understood and thus referred my users to using standard shares that support ACLs (and all the shares are ultimately protected by Bitlocker, as is my Guacamole setup as it runs on Hyper-V).

 

Yes, folder redirection is different than a file share.

 

 

Thanks for your answer Nick!

It's not so clear to me how this can be implemented only on the remote server side since files are uploaded by Guacamole without any involvement of the remote server, unless it somehow monitors the folder and each time a new file is created it encrypts it immediately.

I will look into it, thanks!

 

Yeah, you're correct about that - it wouldn't work for the remote access from Guacamole (the browser) to the remote server. So, there'd have to be some additional work (coding) done to make it work for both the remote system (server via RDP) and the web browser.

 

-Nick


Re: File Encryption for RDP Redirected Folders

Posted by gabriel sztejnworcel <ga...@gmail.com>.
Hi Joachim,

We use Guacamole with some customizations (code changes). The way we
implemented it - the redirected folder is a per-session temporary folder,
it has a unique name and it's deleted at the end of the session, so other
users in RDP sessions (or even the same user from another session) can't
see the files from within the session, but if someone gets access to the
server with the right permissions they would get access to the files, this
is what we are trying to mitigate.

Thanks,
Gabriel

On Wed, 4 May 2022 at 17:59, Nick Couchman <vn...@apache.org> wrote:

> On Wed, May 4, 2022 at 10:44 AM Joachim Lindenberg
> <gu...@lindenberg.one> wrote:
>
>> Hello Nick & Gabriel,
>>
>> before thinking about encryption, what is the user and authorization
>> concept for that share? Can every user see and change all other users'
>> files? Or are the paths somehow distinct for all users, disallowing
>> sharing? The doc only states, the guacd process needs to be able to
>> read/write the directory, nothing else.
>>
>
> It's important to understand that the access to the redirected folder is
> done by the user running guacd. So, if you point all users to the same
> exact folder in the redirection, everyone will have access to all of the
> files. This can be mitigated in a couple of ways:
> * Use tokens in Guacamole to point users to their own folders -
> for example, the path in the redirection could be
> /files/guacamole/${GUAC_USERNAME}, which means each user logging into
> Guacamole (not necessarily the remote system) will have their own folder.
> * Instead of using folder redirection, use SSH on a server with Samba
> installed, so you can transparently share that folder both with the remote
> system (via SMB) and with the Guacamole browser (via SSH).
>
>
>> In fact I never enabled that drive, because I never understood and thus
>> referred my users to using standard shares that support ACLs (and all the
>> shares are ultimately protected by Bitlocker, as is my Guacamole setup as
>> it runs on Hyper-V).
>>
>
> Yes, folder redirection is different than a file share.
>
>
>>
>>
>> Thanks for your answer Nick!
>>
>> It's not so clear to me how this can be implemented only on the remote
>> server side since files are uploaded by Guacamole without any involvement
>> of the remote server, unless it somehow monitors the folder and each time a
>> new file is created it encrypts it immediately.
>>
>> I will look into it, thanks!
>>
>
> Yeah, you're correct about that - it wouldn't work for the remote access
> from Guacamole (the browser) to the remote server. So, there'd have to be
> some additional work (coding) done to make it work for both the remote
> system (server via RDP) and the web browser.
>
> -Nick
>

Re: File Encryption for RDP Redirected Folders

Posted by Nick Couchman <vn...@apache.org>.
On Wed, May 4, 2022 at 10:44 AM Joachim Lindenberg <gu...@lindenberg.one>
wrote:

> Hello Nick & Gabriel,
>
> before thinking about encryption, what is the user and authorization
> concept for that share? Can every user see and change all other users'
> files? Or are the paths somehow distinct for all users, disallowing
> sharing? The doc only states, the guacd process needs to be able to
> read/write the directory, nothing else.
>

It's important to understand that the access to the redirected folder is
done by the user running guacd. So, if you point all users to the same
exact folder in the redirection, everyone will have access to all of the
files. This can be mitigated in a couple of ways:
* Use tokens in Guacamole to point users to their own folders -
for example, the path in the redirection could be
/files/guacamole/${GUAC_USERNAME}, which means each user logging into
Guacamole (not necessarily the remote system) will have their own folder.
* Instead of using folder redirection, use SSH on a server with Samba
installed, so you can transparently share that folder both with the remote
system (via SMB) and with the Guacamole browser (via SSH).


> In fact I never enabled that drive, because I never understood and thus
> referred my users to using standard shares that support ACLs (and all the
> shares are ultimately protected by Bitlocker, as is my Guacamole setup as
> it runs on Hyper-V).
>

Yes, folder redirection is different than a file share.


>
>
> Thanks for your answer Nick!
>
> It's not so clear to me how this can be implemented only on the remote
> server side since files are uploaded by Guacamole without any involvement
> of the remote server, unless it somehow monitors the folder and each time a
> new file is created it encrypts it immediately.
>
> I will look into it, thanks!
>

Yeah, you're correct about that - it wouldn't work for the remote access
from Guacamole (the browser) to the remote server. So, there'd have to be
some additional work (coding) done to make it work for both the remote
system (server via RDP) and the web browser.

-Nick

Re: File Encryption for RDP Redirected Folders

Posted by Joachim Lindenberg <gu...@lindenberg.one>.
Hello Nick & Gabriel,

before thinking about encryption, what is the user and authorization concept for that share? Can every user see and change all other users' files? Or are the paths somehow distinct for all users, disallowing sharing? The doc only states, the guacd process needs to be able to read/write the directory, nothing else.

In fact I never enabled that drive, because I never understood and thus referred my users to using standard shares that support ACLs (and all the shares are ultimately protected by Bitlocker, as is my Guacamole setup as it runs on Hyper-V).

Thanks,

Joachim

 

From: gabriel sztejnworcel <>
Sent: Wednesday, 4 May 2022 13:16
To: user@guacamole.apache.org
Subject: Re: File Encryption for RDP Redirected Folders

 

Thanks for your answer Nick!

It's not so clear to me how this can be implemented only on the remote server side since files are uploaded by Guacamole without any involvement of the remote server, unless it somehow monitors the folder and each time a new file is created it encrypts it immediately.

I will look into it, thanks!

 

On Wed, 4 May 2022 at 00:04, Nick Couchman <vnick@apache.org> wrote:

On Tue, May 3, 2022 at 3:50 PM gabriel sztejnworcel <gabriel.560@gmail.com> wrote:

Hi,

 

Was there ever a discussion or suggestion to implement encryption for files transferred in RDP sessions through redirected folders? So that if someone gets access to the Guacamole server, they won't be able to get these files, which might contain sensitive information.

I thought of creating a key for each session, when the file is uploaded - use the key to encrypt it. When the file is read from within the RDP session - decrypt the requested portion. The encryption itself might be challenging as it needs to be in parts.

 

For download - maybe it's possible to stream the file to Guacamole client immediately and not store it on disk instead of encrypting it.

 

Wondering if someone ever tried it or if someone else thinks it's useful.

 

 

Well, you could do this entirely on the remote desktop side and it shouldn't be a problem, you'd just have to install some sort of encryption software that encrypts the files before they land on the redirected folder. The redirected folder is really just an internal file share presented by the RDP client (\\tsclient\share), so you just need some way to enable, encourage, and/or enforce encryption on the RDS host. It's been a little while since I messed around with client encryption software, but back in the day there were Open Source items like TrueCrypt and VeraCrypt that could do this cross-platform, and I know there are also commercial solutions. While this method is somewhat disruptive - it means additional software/steps for the user - it is the most secure, as it allows for encryption on a per-user basis, which means that no one, not even the root user of the guacd server, can decrypt the files.

 

Beyond that I suppose guacd could be extended to support transparent encryption of the files as they land; however, this would mean that the encryption keys for the files would be stored on the guacd server, so if someone compromised that server, they could still get access to the files and decrypt them. I think some filesystems - like ZFS - support transparent at-rest encryption and can manage access to keys, use hardware keys, etc., so there may be some possibilities, there, as well. This is a bit out of my areas of experience/expertise, though.

 

-Nick


Re: File Encryption for RDP Redirected Folders

Posted by gabriel sztejnworcel <ga...@gmail.com>.
Thanks for your answer Nick!
It's not so clear to me how this can be implemented only on the remote
server side since files are uploaded by Guacamole without any involvement
of the remote server, unless it somehow monitors the folder and each time a
new file is created it encrypts it immediately.
I will look into it, thanks!

On Wed, 4 May 2022 at 00:04, Nick Couchman <vn...@apache.org> wrote:

> On Tue, May 3, 2022 at 3:50 PM gabriel sztejnworcel <ga...@gmail.com>
> wrote:
>
>> Hi,
>>
>> Was there ever a discussion or suggestion to implement encryption for
>> files transferred in RDP sessions through redirected folders? So that if
>> someone gets access to the Guacamole server, they won't be able to get
>> these files, which might contain sensitive information.
>> I thought of creating a key for each session, when the file is uploaded -
>> use the key to encrypt it. When the file is read from within the RDP
>> session - decrypt the requested portion. The encryption itself might be
>> challenging as it needs to be in parts.
>>
>> For download - maybe it's possible to stream the file to Guacamole client
>> immediately and not store it on disk instead of encrypting it.
>>
>> Wondering if someone ever tried it or if someone else thinks it's useful.
>>
>>
> Well, you could do this entirely on the remote desktop side and it
> shouldn't be a problem, you'd just have to install some sort of encryption
> software that encrypts the files before they land on the redirected folder.
> The redirected folder is really just an internal file share presented by
> the RDP client (\\tsclient\share), so you just need some way to enable,
> encourage, and/or enforce encryption on the RDS host. It's been a little
> while since I messed around with client encryption software, but back in
> the day there were Open Source items like TrueCrypt and VeraCrypt that
> could do this cross-platform, and I know there are also commercial
> solutions. While this method is somewhat disruptive - it means additional
> software/steps for the user - it is the most secure, as it allows for
> encryption on a per-user basis, which means that no one, not even the root
> user of the guacd server, can decrypt the files.
>
> Beyond that I suppose guacd could be extended to support transparent
> encryption of the files as they land; however, this would mean that the
> encryption keys for the files would be stored on the guacd server, so if
> someone compromised that server, they could still get access to the files
> and decrypt them. I think some filesystems - like ZFS - support transparent
> at-rest encryption and can manage access to keys, use hardware keys, etc.,
> so there may be some possibilities, there, as well. This is a bit out of my
> areas of experience/expertise, though.
>
> -Nick
>

Re: File Encryption for RDP Redirected Folders

Posted by Nick Couchman <vn...@apache.org>.
On Tue, May 3, 2022 at 3:50 PM gabriel sztejnworcel <ga...@gmail.com>
wrote:

> Hi,
>
> Was there ever a discussion or suggestion to implement encryption for
> files transferred in RDP sessions through redirected folders? So that if
> someone gets access to the Guacamole server, they won't be able to get
> these files, which might contain sensitive information.
> I thought of creating a key for each session, when the file is uploaded -
> use the key to encrypt it. When the file is read from within the RDP
> session - decrypt the requested portion. The encryption itself might be
> challenging as it needs to be in parts.
>
> For download - maybe it's possible to stream the file to Guacamole client
> immediately and not store it on disk instead of encrypting it.
>
> Wondering if someone ever tried it or if someone else thinks it's useful.
>
>
Well, you could do this entirely on the remote desktop side and it
shouldn't be a problem, you'd just have to install some sort of encryption
software that encrypts the files before they land on the redirected folder.
The redirected folder is really just an internal file share presented by
the RDP client (\\tsclient\share), so you just need some way to enable,
encourage, and/or enforce encryption on the RDS host. It's been a little
while since I messed around with client encryption software, but back in
the day there were Open Source items like TrueCrypt and VeraCrypt that
could do this cross-platform, and I know there are also commercial
solutions. While this method is somewhat disruptive - it means additional
software/steps for the user - it is the most secure, as it allows for
encryption on a per-user basis, which means that no one, not even the root
user of the guacd server, can decrypt the files.

Beyond that I suppose guacd could be extended to support transparent
encryption of the files as they land; however, this would mean that the
encryption keys for the files would be stored on the guacd server, so if
someone compromised that server, they could still get access to the files
and decrypt them. I think some filesystems - like ZFS - support transparent
at-rest encryption and can manage access to keys, use hardware keys, etc.,
so there may be some possibilities, there, as well. This is a bit out of my
areas of experience/expertise, though.

-Nick