Securing Confidential Data For Distributed Software Development Teams: Encrypted Container File

Tobias J. Bauer, Andreas Aßmuth
2024-07-12
Abstract: In the context of modern software engineering, there is a trend towards Cloud-native software development involving international teams with members from all over the world. Cloud-based version management services like GitHub are commonly used for source code and other files. However, a challenge arises when developers from different companies or organizations share the platform, as sensitive data should be encrypted to restrict access to certain developers only. This paper discusses existing tools addressing this issue, highlighting their shortcomings. The authors propose their own solution, Encrypted Container Files, designed to overcome the deficiencies observed in other tools.
Cryptography and Security; Distributed, Parallel, and Cluster Computing; Software Engineering
What problem does this paper attempt to address?
### Problems the Paper Attempts to Solve

The paper primarily addresses the issue of securely managing and storing sensitive data in distributed software development teams. Specifically:

1. **Background**:
   - Modern software engineering trends towards cloud-native development, involving international teams with members from around the world.
   - Common cloud version control systems (such as GitHub) are used to manage source code and other files.
   - When developers from different companies or organizations share the same platform, it is necessary to encrypt sensitive data to restrict access.
2. **Problems with Existing Tools**:
   - The paper discusses the methods used by existing tools (such as jak, git-crypt, etc.) to handle this issue and points out their shortcomings:
     - jak uses symmetric key encryption for files but does not address the key exchange problem and stores unencrypted sensitive data locally.
     - git-crypt, although it solves the key exchange problem, uses the same symmetric key for all authorized recipients, making it impossible to distinguish between different authorized recipients.
     - Directly using PGP/GPG is feasible but becomes very inconvenient and error-prone in multi-recipient scenarios.
3. **Proposed New Solution**:
   - The authors propose a new solution: Encrypted Container File (ECF), designed to overcome the deficiencies of existing tools.
   - ECF uses hybrid encryption technology, supports multiple recipients, and allows for flexible addition and removal of recipients while minimizing information leakage to external parties.
   - ECF also supports custom key sets, allowing different files to have different authorized recipients.

From the above analysis, it can be seen that the main goal of the paper is to provide a secure, flexible, and easy-to-use sensitive data management solution in a distributed software development environment.