Encryption tool

The goal of this cross-platform command line executable is to be usable on any kind of processing pipeline.

Note that several processes can be active in parallel if necessary.

Name: lcpencrypt

Accepted source formats

The encryption tool currently supports:

• EPUB 2
• EPUB 3 (including with embedded multimedia content)
• PDF
• Readium Web Publications (specification) archived using the Readium Packaging Format (specification). This includes Audiobooks (specification), Digital visual Narratives (specification) and (X)HTML based Publications (specification).
• W3C Audiobooks (specification) packaged as LPF files ((specification))

Recommended Use

The encryption tool stores the encrypted file in its target storage location and notifies the license server of this new encrypted publication.

Parameters:

• input: file path of the source file. The utility can load files from a file system or an http(s) server (uses GET).
• [-contentid]: unique identifier of the encrypted publication. If omitted, a uuid is generated.
• [-storage]: target location of the encrypted publication, without filename. File system path or S3 bucket. See below some details on the format.
• [-url]: base url associated with the storage, without filename.
• [-filename]:optional, file name of the encrypted publication; if omitted, contentid is used as a file name.
• [-temp]: optional, working folder for temporary files.
• [-lcpsv]: optional, http endpoint of the license server (lcpserver), used for notifying that new content is available.
• [-login]: required if -lcpsv is used; login used to connect to the license server.
• [-password]: required if -lcpsv is used; password used to connect to the license server.

Format of the -storage parameter

If the encrypted publication is stored in an S3 bucket, the syntax is "s3:" + the AWS region (e.g. "eu-west-3") + ":" + the S3 bucket name (e.g. "lcp-storage").

Processing

The encryption tool will:

• Load the source file, exits on error if the file is not found or is not parsable.
• If the content identifier is not set, generate a unique publication identifier.
• Generate a content encryption key.
• Encrypt the source content, exits on error if the process aborts.
• Upload the protected file to the target location, exits on error if the process aborts.
• Optionally, send a notification to the license server.

The license server will:

• Store the unique identifier and the url of the encrypted file in its database.
• Use this information to populate the licenses it generates.
• Not be able to return an encrypted publication or generate a licensed publication, as it does not manage the stored publication.

Legacy Use

The encryption tool stores the encrypted file in a temporary storage location and notifies the LCP license server of this new encrypted publication. The license server moves the encrypted file to its final storage location, which is static and set by configuration.

Parameters:

• input: file path of the source file. The utility can load files from a file system or an http(s) server (uses GET).
• [-contentid]: optional, unique identifier of the encrypted publication. if omitted a uuid is generated.
• [-output]: temporary location of the encrypted publication. This is a directory path, without filename. This path must be directly accessible from the license server (i.e. it must be on a shared network drive). If not set, the encrypted publication will be temporarily created into the current directory.
• [-temp]: optional, working folder for temporary files.
• [-lcpsv]: optional, http endpoint of the license server (lcpserver), used for notifying that new content is available.
• [-login]: required if -lcpsv is used; login used to connect to the license server.
• [-password]: required if -lcpsv is used; password used to connect to the license server.

Processing

The encryption tool will:

• Load the source file, exits on error if the file is not found or is not parsable.
• If the content identifier is not set, generate a unique publication identifier.
• Generate a content encryption key.
• Encrypt the source content, exits on error if the process aborts.
• Upload the protected file to the output directory, exits on error if the process aborts.
• Optionally, send a notification to the license server.

The license server will:

• Move the encrypted file to its target storage location (as per its configuration).
• Store the unique identifier and the name of the encrypted file in its database.
• Use this information and the static configuration of the target url of the publication to populate the licenses it generates.
• Be able to return an encrypted publication and generate a licensed publication.

Format of the JSON payload sent to the license server

The encryption tool is using PUT on /content/ with a json structure as payload:

The json struct contains:

• content-id: content identifier.
• content-encryption-key: content encryption key.
• storage-mode: indication of the way the encrypted content is stored: 0 = not stored yet; 1 = stored on S3; 2 = stored in a file system.
• protected-content-location: absolute URL (cf recommended use) or temporary file path (cf legacy use) of the encrypted publication.
• protected-content-disposition: original file name.
• protected-content-type: media type of the encrypted content.
• protected-content-length: size of the encrypted content.
• protected-content-sha256: hash of the encrypted content.

See the corresponding License Server API method

Samples of use

lcpencrypt -input "~/epubfiles/epub31.epub" -storage "/Users/X/lcp/files/storage" -url "https://edrlab.org/pub/storage/" -lcpsv "http://192.168.0.1:8989" -login "login" -password "password"

lcpencrypt -input "~/epubfiles/epub31.epub" -storage "s3:eu-west-3:lcp-storage" -url "https://lcp-storage.s3.eu-west-3.amazonaws.com"

lcpencrypt -input "~/epubfiles/epub31.epub" -contentid epub31 -output "~/readiumlcp/encfiles/"

Implementation notes

The communication between the utility and the LCP server is currently only protected by the use of https.