Binary Encryption Issue

I have added the lines below in nuxeo.conf:

nuxeo.core.binarymanager=org.nuxeo.ecm.core.blob.binary.AESBinaryManager
nuxeo.core.binarymanager_key=password=mypassword

I already had some files in the binaries folder which were in plain format (not encrypted). So I tried to create a document with encryption and I am getting an Invalid Type (Bad Magic) exception. It is because the MD5 which is generated with the encryption technique is already available in plain format (without encryption) in the binary folder.

and it is giving an issue in the lines below:

protected void decrypt(InputStream in, OutputStream out) throws IOException {
    byte[] magic = new byte[FILE_MAGIC.length];
    IOUtils.read(in, magic);
    if (!Arrays.equals(magic, FILE_MAGIC)) {
        throw new IOException("Invalid file (bad magic)");
    }

Resolution on my end:

I deleted the content of the binary/data folder, deleted the folder structure from the web UI (e.g. XXX/workspaces/YYY) and created a doc with encryption; it is working fine.

PROBLEM:

So I want to know whether there is any possibility that we can bring AES encryption in on demand, so it will not hamper already generated files in plain format. If I want to remove encryption I can remove it. And is there any possibility that I can apply encryption tenant-specifically?

0 votes

1 answers

1428 views

ANSWER



Hello,

adding the two lines to nuxeo.conf is the generic way to implement binary encryption, but it is the least flexible, since encryption is applied to all binaries without exception. This causes problems if there are already “plain” binaries, or if you don't want to encrypt all future binaries.

In this case, you will need to define BlobDispatchers and BlobProviders. I recommend you read the following: https://doc.nuxeo.com/nxdoc/file-storage/

When you do something with a document (like creating it or downloading it), the BlobManager will decide what to do. The BlobManager will evaluate the conditions over all the BlobDispatchers, and it will select the desired BlobProvider. For example, you can use a custom property to encrypt binaries:

<extension target="org.nuxeo.ecm.core.blob.DocumentBlobManager" point="configuration">
    <blobdispatcher>
        <class>org.nuxeo.ecm.core.blob.DefaultBlobDispatcher</class>
        <property name="custom:encrypted=true">encrypted</property>
        <property name="default">default</property>
    </blobdispatcher>
</extension>

In the “name” inside the “property” tag you put the condition that must be true in order to use that BlobProvider. Remember not to forget the “default” BlobDispatcher pointing to the “default” BlobProvider! And then just define the BlobProvider:

<extension target="org.nuxeo.ecm.core.blob.BlobManager" point="configuration">
    <blobprovider name="encrypted">
        <class>org.nuxeo.ecm.core.blob.binary.AESBinaryManager</class>
        <property name="key">password=secret</property>
    </blobprovider>
</extension>

I hope it helps!

Regards.

1 votes



Rodri, I created a plugin and installed it on my local instance, and I am still getting the same error. Below is the extension code.

<?xml version="1.0"?>
<component name="com.softcell.dms.encryption">

  <extension target="org.nuxeo.ecm.core.blob.DocumentBlobManager" point="configuration">
    <!--
    You might find some help here:
    https://explorer.nuxeo.com/nuxeo/site/distribution/latest/viewExtensionPoint/org.nuxeo.ecm.core.blob.DocumentBlobManager%2d%2dconfiguration
    -->

    <blobdispatcher>
      <class>org.nuxeo.ecm.core.blob.DefaultBlobDispatcher</class>
      <property name="dc:source=secret">encrypted</property>
      <property name="default">default</property>
    </blobdispatcher>
  </extension>

  <extension target="org.nuxeo.ecm.core.blob.BlobManager" point="configuration">
    <blobprovider name="encrypted">
      <class>org.nuxeo.ecm.core.blob.binary.AESBinaryManager</class>
      <property name="key">password=password</property>
    </blobprovider>
  </extension>

</component>
04/29/2020

Rodri, I checked the source code of Nuxeo and I came to know that it is throwing the error in the code below

protected void decrypt(InputStream in, OutputStream out) throws IOException {
    byte[] magic = new byte[FILE_MAGIC.length];
    IOUtils.read(in, magic);
    if (!Arrays.equals(magic, FILE_MAGIC)) {
        throw new IOException("Invalid file (bad magic)");
    }

where

protected static final byte[] FILE_MAGIC = new byte[] { 'N', 'U', 'X', 'E', 'O', 'C', 'R', 'Y', 'P', 'T' };

04/29/2020

You have to keep in mind that, with the code above, you are saying that only documents with the property "dc:source" equal to "secret" are encrypted. This means that, if you have some documents with dc:source=secret but the binary is not encrypted, Nuxeo will throw an error (the piece of code you pasted in the last message is where Nuxeo decrypts files. It throws that error when the file is not encrypted). Make sure all the files with dc:source=secret are actually encrypted.
04/29/2020

Hi Rodri,

Let's say I have created a new property or metadata as dms:encrypted and configured it as <property name="dms:encrypted=true">encrypted</property>

so if I am creating a document like this:

{
  "entity-type": "document",
  "name": "monkey",
  "type": "Picture",
  "path": "/FVSG/SME/LAP",
  "properties": {
    "dms:encrypted": true,
    "file:content": {
      "upload-batch": "batchId-39c3877e-f435-4394-a338-036ee40e7456",
      "upload-fileId": "0"
    }
  }
}

So by this I understand that this document should be encrypted while being created and decrypted the same way while downloading.

So if I am creating the doc it gives Invalid Type (Bad Magic), even though, as it is a new property, there is no doc with it that is in plain format.

04/30/2020

Hello.

If you define the "encrypted" BlobProvider with the "dms:encrypted=true" condition in the BlobDispatcher, then the document you are trying to create (with "dms:encrypted":true) should be encrypted. If the document is not being encrypted, it will be because there is something wrong with the BlobProvider or BlobDispatcher definition. If you are not working with Nuxeo Studio, did you add the xml file contribution to the MANIFEST file?

If the document is created correctly but it is giving errors while visualizing it, get the digest of the document (you can check it with the "file:content:digest" property) and search for it in the filesystem. Open it with a text editor like Notepad++ and check if the first characters are "NUXEOCRYPT". If they are, the binary is encrypted. If not, it confirms to us that there is something wrong with the BlobProvider/BlobDispatcher.

Anyway, I have seen you are using BatchUpload. I am not sure if this configuration is working with BatchUploading, as you are storing the file in Nuxeo before knowing if it should be encrypted or not.

Regards.

04/30/2020
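A scripted form of the filesystem check suggested above (inventory every stored binary by whether it starts with NUXEOCRYPT) together with the digest collision the question describes. This is an added example, not code from this thread or from Nuxeo; the data/xx/yy/<digest> layout and the keying of the store by the MD5 of the plaintext are assumptions taken from what the thread reports.

```python
import hashlib
import tempfile
from pathlib import Path

# Prefix that AESBinaryManager writes at the start of every encrypted binary,
# taken from the FILE_MAGIC constant quoted in this thread.
FILE_MAGIC = b"NUXEOCRYPT"


def classify_binary(path):
    """'encrypted' if the file starts with FILE_MAGIC, otherwise 'plain'."""
    with open(path, "rb") as f:
        return "encrypted" if f.read(len(FILE_MAGIC)) == FILE_MAGIC else "plain"


def digest_path(data_dir, digest):
    # Assumed on-disk layout data/<2 hex>/<2 hex>/<digest>, matching the
    # "/data/binaries/be/f7" path mentioned later in the thread.
    return Path(data_dir) / digest[:2] / digest[2:4] / digest


def scan_binaries(data_dir):
    """Inventory the store: map every digest to 'encrypted' or 'plain'."""
    return {p.name: classify_binary(p)
            for p in Path(data_dir).glob("*/*/*") if p.is_file()}


def would_hit_bad_magic(data_dir, content):
    """The store is keyed by the MD5 of the plaintext (the question's
    observation), so content that already exists as a plain file lands on
    the same path, and decrypt() later fails its magic check there."""
    digest = hashlib.md5(content).hexdigest()
    p = digest_path(data_dir, digest)
    return digest, p.is_file() and classify_binary(p) == "plain"


def demo():
    """Build a constructed binaries tree and run both checks against it."""
    data_dir = Path(tempfile.mkdtemp())
    plain = b"report v1"                 # stored before encryption was enabled
    secret = b"later, encrypted upload"  # stored after
    for content, encrypted in ((plain, False), (secret, True)):
        p = digest_path(data_dir, hashlib.md5(content).hexdigest())
        p.parent.mkdir(parents=True, exist_ok=True)
        # Constructed stand-in for ciphertext: only the magic prefix matters here.
        p.write_bytes(FILE_MAGIC + content[::-1] if encrypted else content)
    return (scan_binaries(data_dir),
            would_hit_bad_magic(data_dir, plain)[1],
            would_hit_bad_magic(data_dir, secret)[1])
```

Run scan_binaries against the real binaries data directory before switching on AESBinaryManager: any digest reported as 'plain' will raise the bad magic error the moment the same content is stored again through the encrypted provider.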

Hi Rodri, can you please reproduce this issue on your end? I have checked: when I create a doc it creates a tmp file named create_312334y34 which has NUXEOCRYPT in it, and it puts the file in /data/binaries/be/f7 which does not have NUXEOCRYPT. It iterates in the getBinary method around 3 times, maybe because of thumbnail and small image creation, but when the decrypt method is called I do not have any file in the temp folder which has NUXEOCRYPT. That means it is not putting the same encrypted file into the binaries/data folder.
04/30/2020

Hi Rodri, I am able to encrypt the documents by creating a different repository for encrypted documents only. But I am still getting the 'default' repository in the URLs created by Nuxeo for the uploaded document.

You can get more details in the question below: https://answers.nuxeo.com/general/q/ec0c1d8451d740b1bac9b228f5826ffa/Not-getting-correct-repository-name-in-document-URLs

05/06/2020

It seems there's some confusion in these comments about Repository vs Blob Provider. A Repository is the top-level entity in which documents (and their metadata) are stored. A Blob Provider is an entity that knows how to store and retrieve blobs. By default there is one Blob Provider per Repository, but using a Blob Dispatcher you can associate rules with a Repository to dispatch blobs to one of several Blob Providers. See https://doc.nuxeo.com/nxdoc/file-storage-configuration/#blob-dispatcher for more.
05/06/2020