Encrypted and password protected static site


#1

Our requirement tells us that we need to serve webpages offline on a portable device/laptop to the user. However, the served content needs to be encrypted and protected by a username/password login, so that it cannot be read from the file system.

Is this feasible to do with hugo or any other static site generator?


#2

Probably not, because if Hugo served encrypted and password protected its webpages on localhost, you’d still have the raw content files unencrypted on disk.

(One might say that Hugo should encrypt those files also, but then Markdown editors cannot work with those files anymore, making Hugo considerably less flexible than it currently is.)

Hopefully other community members can offer practical software or CMS recommendations here. :slightly_smiling:


#3

I’ve never tried this, but:

You could probably serve the files hugo generates via apache from an encrypted volume, using http://ecryptfs.org/.

Then, protect the folder being served via .htpasswd so that you’re prompted for the credentials when you access.

Of course, viewing the content should be done over https so the stream of data from webserver to your client is encrypted, and you can fake an ssl cert for localhost.

As for protecting the markdown files, again, you could probably use ecryptfs or something like a truecrypt volume, which you mount with a passphrase, then make a static link to (i.e. content for instance). That way you just edit as usual, but connected to a mounted encrypted volume.

But this is all basically outside hugo anyway, and just my wild guess. Too many moving parts if you ask me.


#4

You could perhaps hack a sqlite-based CMS to use Zetetic SQLCipher.

https://www.zetetic.net/


#5

Viewing it in a web browser is reading from the file system, so I am guessing you mean protected from view, unless credentials are provided. Hugo doesn’t do that, and no other site generator I know does that either; it is an extremely limited use case, so that won’t be a sought after feature.

It is possible you can use a separate system to handle the encryption, and still generate and sync the data to a version controlled site based on Hugo, et al.

I am curious, can you tell us more about your use case? Is this guverment sekrets(!) or just corporate IP control?


#6

Thanks for all the answers. It seems that static sites are not a good solution for my problem. @maiki, I can’t really say much about the use case.


#7

Guvment sekrets!


#8

Been thinking more about this, and if it were me, I’d probably push for supplying the content as a PDF, because you can sign, encrypt and password protect.

Services exist to do it (http://pdfmyurl.com/entire-website-to-pdf) so, there must be a reasonable technical method for converting a whole site to PDF once it’s built.

Hugo and Pandoc?


#9

Thanks, @RickCogley. It’s a great idea. I will look into it.


#10

As a note, both Pelican and Hexo static site generators have plugins which allow you to encrypt page content using cryptoJS. While probably not providing state-actor level encryption (anyone could read the content if they had access to your git repository), it may suffice for many people’s needs.

Here’s the Pelican-based version: https://github.com/mindcruzer/pelican-encrypt-content

Here’s the Hexo-based version: https://github.com/MikeCoder/hexo-blog-encrypt

The latter offers a sample page to show how it works in practice: https://mhexo.github.io/example-site/2016/10/26/HexoBlogEncrpyt/

I do not know enough about golang to know whether it would be possible to implement this feature in hugo. I can see it as being useful for sites that want to have basic level security on some pages (for example, a theater that wants to offer ticket discounts to this weekend’s show, or to a condo association with a home page where they want to have certain pages protected with basic security)