5. QKDLite for Secure File Transfer

QKDLite can be configured to expose a website for users to send files encrypted with QKD quantum secret keys over the internet. The key highlight is that the quantum secret keys are established securely over the QKD network and never transmitted over the internet. The workflow is generally as follows:

1. The sender uploads a file to QKDLite for Secure File Transfer website.

2. The file is encrypted with a (one-time use) QKD quantum encryption key in the QKDLite node.

3. The sender downloads the encrypted file from the website.

4. The sender emails the encrypted file over the internet to the receiver.

5. The receiver uploads the encrypted file to QKDLite for Secure File Transfer website.

6. The file is decrypted with a (one-time use) QKD quantum decryption key in the QKDLite node.

7. The receiver downloads the decrypted file from the website.

This section is a guide to setting up and enabling the QKDLite for Secure File Transfer website on the QKDLite node.

5.1. Enable QKDLite for Secure File Transfer Web Server

In this section, we will configure QKDLite for Secure File Transfer to start automatically in the background when QKDLite node is rebooted.

Configuration steps:

1. Start Express.js app

   Listing 5.1  console

   cd ~/node_file_transfer/src
   node app.js &
   

5.2. Verify QKDLite for Secure File Transfer Web Server

Once the web server has been configured to start, you can verify it is indeed running with the following steps.

1. Check the status of the service. Ensure that the service is active (running).

2. Check that QKDLite for Secure File Transfer responds to a HTTP request.

   Listing 5.2  console

   curl http://localhost:3000
   

   You should see the following HTTP response.

   Listing 5.3  console

   <!DOCTYPE html>
   <html lang="en">
   <head>
      <link rel="stylesheet" type="text/css" href="style.css">
   </head>
   <body>
   
   <!-- header -->
   <header>
      <img id="logo" src="pQCee_logo.png" alt="pqcee logo">
      <h1>QKDLite for Secure File Transfer</h1>
   </header>
   
   <!-- About QKDLite -->
   ...
   </body>
   </html>
   

3. (Optional) If required, you can stop the web server by entering fg followed by Ctrl + C.

5.3. Enable HTTPS with Caddy

One approach to enable HTTPS for the web service to be accessible over the internet is to use Caddy with Lets Encrypt certificates.

Configuration steps:

1. Install Caddy on the QKDLite node.

   Listing 5.4  console

   sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
   curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
      | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
   curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
      | sudo tee /etc/apt/sources.list.d/caddy-stable.list
   sudo apt update
   sudo apt install caddy
   

2. Replace the Caddyfile in /etc/caddy/ directory with the following file contents to forward traffic from port 443 to port 3000. As the file belongs to root user, you may need to use sudo vim Caddyfile to edit it.

   Listing 5.5  /etc/caddy/Caddyfile

   # Global options for pQCee QKDLite node
   {
     # Disable HTTP-to-HTTPS redirects, not listening on port 80
     auto_https disable_redirects
   }
   
   # Site options for pQCee Web Service: QKDLite for Secure File Transfer
   qkdlite.pqcee.com:443 {
      # Security: remove "Server:Caddy" field from HTTP response
      header -Server
   
      # Forward traffic to localhost port 3000
      reverse_proxy localhost:3000 {
         # Backend transport communication
         transport http {
            # Security: disable HTTP compression
            compression off
         }
      }
   
      # TLS protocol options
      tls {
         # Use only TLSv1.3
         protocols tls1.3 tls1.3
   
         # Use x25519 to facilitate quantum-transition
         curves x25519
      }
   }
   

   In the above example, caddy will redirect traffic to localhost and domain name qkdlite.pqcee.com. For your deployment, please update your domain name accordingly.

3. Ensure updated file content is formatted to the required Caddyfile style.

   Listing 5.6  console

   cd /etc/caddy/
   sudo caddy fmt --overwrite
   

4. Reload the caddy service (without shutting down caddy) to reflect the updates to the Caddyfile configuration.

   Listing 5.7  console

   sudo systemctl reload caddy
   

5.4. Verify Caddy is running

1. Check the status of the caddy service.

   Listing 5.8  console

   systemctl status caddy
   

   Tip

   If caddy is inactive, start the caddy service.

   Listing 5.9  console

   sudo systemctl start caddy
   

   For troubleshooting, you can use netstat to check existing open ports in the Linux system.

   Listing 5.10  console

   sudo netstat -tunpl
   

   Any stdout output from the service is written to journald. If you encounter issues with the service, you can check the logs to troubleshoot.

   Listing 5.11  console

   journalctl -xeu caddy.service
   

2. Check that port 443 responds to a HTTP request.

   Listing 5.12  console

   curl https://qkdlite.pqcee.com
   

   You should see the same HTTP response as displayed by port 3000 earlier.

3. In your web browser, you will be able to browse the domain name specified in the Caddyfile. For example, https://qkdlite.pqcee.com.

4. (Optional) If required, you can stop the service.

   Listing 5.13  console

   sudo systemctl stop caddy