Below this CLI walkthrough there is a more in-depth explanation of how sharing works.
After successfully creating an item in your user's Vault from the Quickstart section, it's now time to create another user called Bob.
meeco users:create -p supersecretpassword > .bob.yaml
We used the same password as in the Quickstart example, in case you were wondering.
Using the CLI again, we're going to make a connection configuration file between Alice and Bob
meeco connections:create-config --from .alice.yaml --to .bob.yaml > .connection_config.yaml
This creates a file called `.connection_config.yaml`, which we will open to edit the `fromName` and `toName` keys. Let's set them to Alice and Bob. Next, it's time to use the CLI again to create the connection between the two users.
meeco connections:create -c .connection_config.yaml
This generates the keypairs for the connection, then creates and accepts the invitation on behalf of the two users.
Now, we're ready to select an item from Alice's vault and share it with Bob.
First, we'll need to create the share template with the CLI. You can see the items Alice has by using the `items:list` command:
meeco items:list -a .alice.yaml
This will give you all the information about the items Alice has in her vault. The response will look like this:
```yaml
kind: Items
spec:
- id: ed6ac62d-4f9e-4ec3-94f4-9bd1166942ce
  name: delorean
  label: DeLorean
  description: null
  created_at: "2020-03-25T09:31:19.959Z"
  item_template_id: 61516c6f-81df-4c86-96df-8af915f0aec0
  ordinal: 1
  visible: true
  updated_at: "2020-03-25T09:31:20.701Z"
  item_template_label: Vehicle
  shareable: false
  me: false
  background_color: null
  image: https://api-sandbox.meeco.me/images/ef8ef92e-e4be-4f50-bfce-774a608098ca
  image_background_colour: null
  item_image: https://api-sandbox.meeco.me/images/ef8ef92e-e4be-4f50-bfce-774a608098ca
  item_image_background_colour: null
  slot_image: null
  slot_image_background_colour: null
  category_image: null
  category_image_background_colour: null
  classification_node_ids: []
  category_label: null
  association_ids: []
  associations_to_ids: []
  slot_ids:
  - 00e99d0d-d1be-469c-aa91-71e9f47333b1
  - 38d6b94c-a3da-4b82-942f-5b7941e0bd7d
  - 94e422b9-b0fb-4b36-bfa9-f2234bf03d69
  - ec6c3f97-b806-4bed-9da3-46a81635c0e3
  - 2c833498-9dfa-4667-94cc-d39c719cab86
  - b583b85e-4e98-49b5-adcd-185b31cc8d90
  - bb1ff70c-6bf6-47ba-9a8a-d916740c55a6
  - f24572c4-0d7b-404d-82f5-8fec593592fc
  - 08471b2d-ac3f-44bc-8932-4faa81366178
```
Once you have the `id` of the item, you're also going to need the `id` of the connection between Alice and Bob. Grab it like this:
$ meeco connections:list -a .alice.yaml
```yaml
- name: Bob
  connection:
    own:
      id: 326614d7-661d-4179-87cf-6457e196ba71
      encrypted_recipient_name: Aes256Gcm.eKpo.QUAAAAAFaXYADAAAAACeBsQCvNOYxdbTrcIFYXQAEAAAAADqDBwkna5leso8mvM5Lq6BAmFkAAUAAABub25lAAA=
      integration_data: "{}"
      connection_type: null
      user_image: null
      user_type: human
      user_public_key: "-----BEGIN PUBLIC KEY-----\r...-----END PUBLIC KEY-----\r\n"
      user_keypair_external_id: b9d112d7-c823-477a-9bea-36b22cb575ae
    the_other_user:
      id: 65165dbc-91e7-47c5-9721-5d155a35029a
      integration_data: "{}"
      connection_type: null
      user_id: ce021e77-a66f-4fae-a150-d3a4a6e1a7f9
      user_image: null
      user_type: human
      user_public_key: "-----BEGIN PUBLIC KEY-----\r...-----END PUBLIC KEY-----\r\n"
      user_keypair_external_id: f0ab31a1-c95d-463d-b6b1-1a72e1f56444
```
So now you have the item `id` and the connection `id` (which we'll call the `connectionId` in the following command):
meeco shares:create-config --from .alice.yaml --connectionId <ID_OF_CONNECTION> -i <ID_OF_ITEM> > .share_config.yaml
After this configuration file is created, we can create the share between the two users:
meeco shares:create -c .share_config.yaml
The output is the new share record:
```yaml
shares:
- id: 0f894916-852a-4682-bd49-0783ab58e1c0
  owner_id: ab9f9fce-db0b-4384-a221-617efa80dba7
  sender_id: ab9f9fce-db0b-4384-a221-617efa80dba7
  recipient_id: ce021e77-a66f-4fae-a150-d3a4a6e1a7f9
  acceptance_required: acceptance_not_required
  item_id: bae62ab6-ea95-4037-8f6c-3708c81b2d77
  slot_id: null
  public_key: "-----BEGIN PUBLIC KEY-----\r...-----END PUBLIC KEY-----\r\n"
  ...
  sharing_mode: owner
  keypair_external_id: f0ab31a1-c95d-463d-b6b1-1a72e1f56444
  encrypted_dek: Rsa4096.Jm9R1Ve2KcOLc4-HkZkjviB8HXBSlVQLfTlUJ-xcGRRklBp-Od-g2YjareSFwMorzVrtVDKWg8QWkB3iDAn_g9pG3c-kY1Le5Gb86VTO3hhx74jImf_iw29VUUcAsfRQH2u69X5byyYYlg827nMpT8CgN4P3USsMsMMsXrppu7ONGwk-xxItJtr8S3cONECp5L_4cbcR4IDbGBpVGZMdU5X6YU3ZZ7z-fi5wF5tRp6krR4V8rqbJOlyURY2xwj3ihoGtPc6Dbef_H6viFEgl00gyDegXKgJ8IisES_6_cyq7ooiGbux5oTgyg4tTIA40Lf65JLzVujosFC56EatRumR-YretG_Dkr61PQfuGN2zpTOGpZzypnc-HJc-GCHWGLU1wqwhcBY3NNoM1NvmdWGRQV2Vrtt3rhBCM2Nt-E7lCyQTX45qGXG-q-nL2b6l_DfCfp6O5s4hAYVoBQgDLCexl1YFb0reNm1Ol3rQ_hjpPn9LHAgE93Mdq7b04-sBmbNF54oLyrAneZu8NOle1-dioK13dLNooSm_O5MuRdnjyaJZH5zcsN-mEeSzsTHBymiMitet1-YOoZrenLDUaaFpWj6fCgwW6louU7u8PWq8U40TV15c8TndQAVFyRhfPav8HHLhOJmOCa1HaqdGZ8vuw1efJW3rtOU2ye31JQIw=.QQUAAAAA
  terms: null
  created_at: 2020-09-24T07:15:03.315Z
  expires_at: null
```
The CLI sets up a private encryption space between Alice and Bob and then shares the item.
We never created an item for Bob, so we know that the following command will show only the item that has been shared with Bob.
$ meeco shares:get-incoming -a .bob.yaml <SHARE_ID>
The following is the share information, as well as the item that was shared:
```yaml
share:
  id: 0f894916-852a-4682-bd49-0783ab58e1c0
  owner_id: ab9f9fce-db0b-4384-a221-617efa80dba7
  sender_id: ab9f9fce-db0b-4384-a221-617efa80dba7
  recipient_id: ce021e77-a66f-4fae-a150-d3a4a6e1a7f9
  acceptance_required: acceptance_not_required
  item_id: bae62ab6-ea95-4037-8f6c-3708c81b2d77
  slot_id: null
  ...
  sharing_mode: owner
  keypair_external_id: f0ab31a1-c95d-463d-b6b1-1a72e1f56444
  encrypted_dek: Rsa4096.Jm9R1Ve2KcOLc4-HkZkjviB8HXBSlVQLfTlUJ-xcGRRklBp-Od-g2YjareSFwMorzVrtVDKWg8QWkB3iDAn_g9pG3c-kY1Le5Gb86VTO3hhx74jImf_iw29VUUcAsfRQH2u69X5byyYYlg827nMpT8CgN4P3USsMsMMsXrppu7ONGwk-xxItJtr8S3cONECp5L_4cbcR4IDbGBpVGZMdU5X6YU3ZZ7z-fi5wF5tRp6krR4V8rqbJOlyURY2xwj3ihoGtPc6Dbef_H6viFEgl00gyDegXKgJ8IisES_6_cyq7ooiGbux5oTgyg4tTIA40Lf65JLzVujosFC56EatRumR-YretG_Dkr61PQfuGN2zpTOGpZzypnc-HJc-GCHWGLU1wqwhcBY3NNoM1NvmdWGRQV2Vrtt3rhBCM2Nt-E7lCyQTX45qGXG-q-nL2b6l_DfCfp6O5s4hAYVoBQgDLCexl1YFb0reNm1Ol3rQ_hjpPn9LHAgE93Mdq7b04-sBmbNF54oLyrAneZu8NOle1-dioK13dLNooSm_O5MuRdnjyaJZH5zcsN-mEeSzsTHBymiMitet1-YOoZrenLDUaaFpWj6fCgwW6louU7u8PWq8U40TV15c8TndQAVFyRhfPav8HHLhOJmOCa1HaqdGZ8vuw1efJW3rtOU2ye31JQIw=.QQUAAAAA
  terms: null
  created_at: 2020-09-24T07:15:03.315Z
  expires_at: null
associations_to: []
associations: []
attachments: []
classification_nodes:
- id: 8670d4c6-8d68-49a4-bd21-0fc8cefa705d
  name: vehicle
  label: Vehicle
  description: null
  ordinal: 3
  background_color: null
  image: https://sandbox.meeco.me/vault/images/ff1c25e9-530a-4103-b649-986631bcAAAAA
  scheme: meeco
item:
  id: a3f632c8-f80f-47aa-9e26-aab15ad9ed63
  own: false
  name: a_new_item
  label: A New Item
  description: null
  created_at: 2020-09-24T07:15:03.452Z
  item_template_id: 0c385f1d-8825-4932-a6ab-846178b816e4
  ordinal: 0
  visible: true
  updated_at: 2020-09-24T07:15:03.493Z
  ...
```
Running `meeco shares:list -a .bob.yaml` will show all the share information that Bob has received, including shares from other users.
`meeco shares:list -t outgoing -a .alice.yaml` will show all the shares that are outgoing from Alice to other users.
If you're looking for a way to delete the share, you can do that as either user with `meeco shares:delete -a .alice.yaml <SHARE_ID>` or `meeco shares:delete -a .bob.yaml <SHARE_ID>`.
Well done - you've now created a connection between two users, and shared an item!
All user data stored in the Vault is encrypted and can only be decrypted and read by the user.
However, the Meeco platform makes it possible for one user to share items with another user. We will cover this process and its steps in this guide.
In summary, the sharer will generate a DEK (data encryption key) specifically for the purpose of this share and re-encrypt the shared item with this key. In order to share the DEK, Public Key cryptography is used: the sharer will encrypt the DEK with a Public Key of the share recipient, so only the share recipient can decrypt the DEK with their Private Key, and then use the DEK to decrypt the item.
Let's dive into it.
Before anything can be shared, two users need to establish a connection. To create a connection in this example, User 1 (Alice) will invite User 2 (Bob).
The process can be described in the following sequence diagram:
At step (1) User 1 generates a Keypair which will be used for inviting another user, and later for the key exchange.
Steps 2-4 are the standard procedure for storing Keypairs in the Keystore: the Keypair is encrypted with the Key Encryption Key (KEK) and then stored in the Keystore. Please read the guide Setting Up Access to the Vault and Keystore if you haven't yet.
In steps 5 and 6, User 1 stores the Public Key in the Vault. In steps 5-7 User 1 creates an invitation using the following as input:
email of the user that User 1 wants to connect to (User 2)
the Public Key
After step 7 the Vault sends an invitation email to User 2.
In this section we'll describe the scenario when User 2 accepts the invitation from User 1.
This process can be described in the following sequence diagram:
Most of these steps are the same as User 1's steps in the previous section: just like User 1, User 2 generates a Keypair for this connection (step 9), encrypts it and stores it in the Keystore (steps 10-12), and publishes the Public Key in the Vault (steps 13-14).
The most important step is the call to create a connection at step 13. The parameters of the call are the invitation ID and the invitation token.
The most important results after these two sections are as follows:
The connection between User 1 and User 2 has now been established
User 1 has access to the Public Key of User 2 on the connection record
User 2 has access to the Public Key of User 1 on the connection record
In this section, to create a share, User 1 will generate a DEK dedicated to this share, re-encrypt an item with it and store the result as a share, and share the DEK with User 2 by encrypting it with the Public Key of User 2.
Creation of a share can be described in the following sequence diagram:
At step 19 User 1 generates a DEK. This DEK will be used to encrypt the shared item. We also need to have the key readable by User 2, so at step 20 we encrypt the same DEK with the Public Key of User 2.
In steps 21-23 User 1 encrypts the item data with the shared DEK and creates a Share record.
The main results of these steps are as follows:
A DEK has been created and encrypted with User 2's public key
A Share record has been created in the Vault with the encrypted DEK, and it is linked to the connection between User 1 and User 2
Reading of the share can be described in the following sequence diagram:
First, in step 24, User 2 retrieves a list of all items, both his own and incoming shares.
If there is a new share that User 2 needs to decrypt and read, in step 26 User 2 requests the share details.
User 2 also retrieves the encrypted DEK in steps 26-27, decrypts it with their Private Key in step 28, and decrypts the share with the DEK in step 29.