Connections and Sharing
How to create a connection between you and another user to share data
Below the guide using the CLI we have a more in depth explanation of how sharing works
After successfully creating an item in your user's Vault from the Quickstart section, it's now time to create another user called Bob.
meeco users:create -p supersecretpassword > .bob.yaml
Using the CLI again, we're going to make a connection configuration file between Alice and Bob
meeco connections:create-config --from .alice.yaml --to .bob.yaml > .connection_config.yaml
This creates a file called
.connection_config.yaml which we will open and edit the fromName and toName keys. Let's make it between Alice and Bob. Next, it's time to use the CLI again to create the connection between the two users.meeco connections:create -c .connection_config.yaml > .connection.yaml
This generates the keypairs for the connection, creates and accepts the invitation for the two users.
Now, we're ready to select an item from Alice's vault and share it with Bob.
First, we'll need to create the share template with the CLI.
meeco shares:create-config --from .alice.yaml -c .connection.yaml -i .item.yaml > .share_config.yaml
After this configuration file is created, we can create the share between the two users:
meeco shares:create -c .share_config.yaml > .share.yaml
The output is a new shares item:
shares:
- id: 0f894916-852a-4682-bd49-0783ab58e1c0
owner_id: ab9f9fce-db0b-4384-a221-617efa80dba7
sender_id: ab9f9fce-db0b-4384-a221-617efa80dba7
recipient_id: ce021e77-a66f-4fae-a150-d3a4a6e1a7f9
acceptance_required: acceptance_not_required
item_id: bae62ab6-ea95-4037-8f6c-3708c81b2d77
slot_id: null
public_key: "-----BEGIN PUBLIC KEY-----\r
...
-----END PUBLIC KEY-----\r\n"
...
sharing_mode: owner
keypair_external_id: f0ab31a1-c95d-463d-b6b1-1a72e1f56444
encrypted_dek: Rsa4096.Jm9R1Ve2KcOLc4-HkZkjviB8HXBSlVQLfTlUJ-xcGRRklBp-Od-g2YjareSFwMorzVrtVDKWg8QWkB3iDAn_g9pG3c-kY1Le5Gb86VTO3hhx74jImf_iw29VUUcAsfRQH2u69X5byyYYlg827nMpT8CgN4P3USsMsMMsXrppu7ONGwk-xxItJtr8S3cONECp5L_4cbcR4IDbGBpVGZMdU5X6YU3ZZ7z-fi5wF5tRp6krR4V8rqbJOlyURY2xwj3ihoGtPc6Dbef_H6viFEgl00gyDegXKgJ8IisES_6_cyq7ooiGbux5oTgyg4tTIA40Lf65JLzVujosFC56EatRumR-YretG_Dkr61PQfuGN2zpTOGpZzypnc-HJc-GCHWGLU1wqwhcBY3NNoM1NvmdWGRQV2Vrtt3rhBCM2Nt-E7lCyQTX45qGXG-q-nL2b6l_DfCfp6O5s4hAYVoBQgDLCexl1YFb0reNm1Ol3rQ_hjpPn9LHAgE93Mdq7b04-sBmbNF54oLyrAneZu8NOle1-dioK13dLNooSm_O5MuRdnjyaJZH5zcsN-mEeSzsTHBymiMitet1-YOoZrenLDUaaFpWj6fCgwW6louU7u8PWq8U40TV15c8TndQAVFyRhfPav8HHLhOJmOCa1HaqdGZ8vuw1efJW3rtOU2ye31JQIw=.QQUAAAAA
terms: null
created_at: 2020-09-24T07:15:03.315Z
expires_at: null
The CLI sets up a private encryption space between Alice and Bob and then shares the item.
We never created an item for the Bob, so we know that the following command will show the item that has been shared with Bob.
meeco shares:get-incoming -a .bob.yaml <SHARE_ID>
The following is the share information, as well as the item that was shared:
share:
id: 0f894916-852a-4682-bd49-0783ab58e1c0
owner_id: ab9f9fce-db0b-4384-a221-617efa80dba7
sender_id: ab9f9fce-db0b-4384-a221-617efa80dba7
recipient_id: ce021e77-a66f-4fae-a150-d3a4a6e1a7f9
acceptance_required: acceptance_not_required
item_id: bae62ab6-ea95-4037-8f6c-3708c81b2d77
slot_id: null
...
sharing_mode: owner
keypair_external_id: f0ab31a1-c95d-463d-b6b1-1a72e1f56444
encrypted_dek: Rsa4096.Jm9R1Ve2KcOLc4-HkZkjviB8HXBSlVQLfTlUJ-xcGRRklBp-Od-g2YjareSFwMorzVrtVDKWg8QWkB3iDAn_g9pG3c-kY1Le5Gb86VTO3hhx74jImf_iw29VUUcAsfRQH2u69X5byyYYlg827nMpT8CgN4P3USsMsMMsXrppu7ONGwk-xxItJtr8S3cONECp5L_4cbcR4IDbGBpVGZMdU5X6YU3ZZ7z-fi5wF5tRp6krR4V8rqbJOlyURY2xwj3ihoGtPc6Dbef_H6viFEgl00gyDegXKgJ8IisES_6_cyq7ooiGbux5oTgyg4tTIA40Lf65JLzVujosFC56EatRumR-YretG_Dkr61PQfuGN2zpTOGpZzypnc-HJc-GCHWGLU1wqwhcBY3NNoM1NvmdWGRQV2Vrtt3rhBCM2Nt-E7lCyQTX45qGXG-q-nL2b6l_DfCfp6O5s4hAYVoBQgDLCexl1YFb0reNm1Ol3rQ_hjpPn9LHAgE93Mdq7b04-sBmbNF54oLyrAneZu8NOle1-dioK13dLNooSm_O5MuRdnjyaJZH5zcsN-mEeSzsTHBymiMitet1-YOoZrenLDUaaFpWj6fCgwW6louU7u8PWq8U40TV15c8TndQAVFyRhfPav8HHLhOJmOCa1HaqdGZ8vuw1efJW3rtOU2ye31JQIw=.QQUAAAAA
terms: null
created_at: 2020-09-24T07:15:03.315Z
expires_at: null
associations_to: []
associations: []
attachments: []
classification_nodes:
- id: 8670d4c6-8d68-49a4-bd21-0fc8cefa705d
name: vehicle
label: Vehicle
description: null
ordinal: 3
background_color: null
image: https://sandbox.meeco.me/vault/images/ff1c25e9-530a-4103-b649-986631bcAAAAA
scheme: meeco
item:
id: a3f632c8-f80f-47aa-9e26-aab15ad9ed63
own: false
name: a_new_item
label: A New Item
description: null
created_at: 2020-09-24T07:15:03.452Z
item_template_id: 0c385f1d-8825-4932-a6ab-846178b816e4
ordinal: 0
visible: true
updated_at: 2020-09-24T07:15:03.493Z
...
Running
meeco shares:list -a .bob.yaml will show all the shares information that Bob has received, even from other users.meeco shares:list -t outgoing -a .alice.yaml will show all the shares that are outgoing from Alice to other users.If you're looking for a way to delete the share, you can do that as either user with
meeco shares:delete -a .alice.yaml <SHARE_ID> or meeco shares:delete -a .bob.yaml <SHARE_ID>Well done - you've now created a connection between two users, and shared an item!
All user data stored in the Vault is encrypted and can only be decrypted and read by the user.
However, the Meeco platform makes it possible for one user to share items with another user. We will cover this process and its steps in this guide.
In summary, the sharer will generate a DEK (data encryption key) specifically for the purpose of this share and re-encrypt the shared item with this key. In order to share the DEK, Public Key cryptography is used: the sharer will encrypt the DEK with a Public Key of the share recipient, so only the share recipient can decrypt the DEK with their Private Key, and then use the DEK to decrypt the item.
Let's dive into it.
Before anything can be shared, 2 Users need to establish a connection. In order to create a connection in this example, User 1 (Alice) will invite User 2 (Bob)
The process can be described in the following sequence diagram:
At step (1) User 1 generates a Keypair which will be used for inviting another user, and later for the key exchange.
Steps 2-4 are part of the standard procedure used for storing Keypairs in the Keystore. If there is a Keypair, it is encrypted by the Key Encryption Key (KEK) and stored in the Keystore. Please read guide Setting Up Access to the Vault and Keystore if you haven't read it yet.
In steps 5 and 6,
stores the Public Key. In steps 5-7 User 1 creates an invitation using the following as input:
- email of the user that User 1 wants to connect to (User 2)
- the Public Key
After step 7 the Vault sends an invitation email to User 2.
In this section we'll describe the scenario when User 2 accepts the invitation from User 1.
This process can be described in the following sequence diagram:
Most of these steps are the the same steps of User 1 in the previous section: just like User 1, User 2 generates a Keypair for this connection (step 9), encrypts it and stores in the Keystore (steps 10-12), and publishes the Public Key in the Vault (steps 13-14).
The most important step is a call to create a connection as step 13. The parameters of the call are the invitation ID and the invitation token.
The most important results after these two sections are as follows:
- The connection between User 1 and User 2 has now been established
- User 1 has access to the Public Key of User 2 on the connection record
- User 2 has access to the Public Key of User 1 on the connection record
In this section, to create a share, User 1 will generate a DEK dedicated to this share, re-encrypt a item and store it as a share, and share the DEK with User2, encrypted by the Public Key of User 2.
Creation of a share can be described in the following sequence diagram:
At step 19 User 1 generates a DEK. This DEK will be used to encrypt the shared item. We also need to have the key readable by User 2, so at step 20 we encrypt the same DEK with the Public Key of User 2.
In steps 21-23 User 1 encrypts the item data with the shared DEK and creates a Share record.
The main results of these steps are as follows:
- A DEK has been created and encrypted with User 2's public key
- A Share record has been created in the Vault with the encrypted DEK, and it is linked to the connection between User 1 and User 2
Reading of the share can be described in the following sequence diagram:
First in step 24 User 2 retrieves a list of all items both his own and shared incoming.
If there is a new share User 2 needs to decrypt and read, in step 26 User 2 requests the share details.
User 2 also retrieves the DEK in steps 26-27, decrypts it with their Private Key in step 28 and decrypts the share in step 29.
Last modified 1yr ago