AspEncrypt can be used in conjunction with AspUpload, our industry-standard file upload component,
to implement a truly secure web-based file management system. The code samples
in this section assume your system has the AspUpload component installed.
A free trial copy of AspUpload can be downloaded from www.aspupload.com.
Form-based uploading (also known as browser-based uploading) is the process of
sending files from a client machine to the web server with a browser via an HTML form.
This HTML form must have a special attribute, ENCTYPE="multipart/form-data", and
contain one or more items of the type <INPUT TYPE=FILE> through which files are selected for uploading.
In an ASP environment, your web server must use a server component to capture files
uploaded using a browser, such as Persits Software AspUpload available from
www.aspupload.com. With this component,
file uploading becomes a trivial task:
<!--This is a file upload form-->
<FORM METHOD="POST" ENCTYPE="multipart/form-data" ACTION="UploadScript.asp">
<INPUT TYPE=FILE NAME="FILE1">
<INPUT TYPE=FILE NAME="FILE2">
<INPUT TYPE=FILE NAME="FILE3">
<INPUT TYPE=SUBMIT VALUE="Upload!">
</FORM>
|
<%
' Corresponding upload script UploadScript.asp
Set Upload = Server.CreateObject("Persits.Upload")
Upload.Save "c:\uploaddir"
%>
|
This script captures one or multiple files uploaded with a browser and saves
them under their original names in the specified directory.
AspUpload is also capable of capturing text items on the upload form,
saving uploaded files in the database as blobs, limiting the size of files
being uploaded, etc. Visit AspUpload.com for a complete list of features.
If your files contain sensitive information, the upload form
and script must run under the Secure Sockets Layer (SSL) for protection
against eavesdropping. However, once the uploaded files are captured
by the server-side script and saved to the server's hard drive, they are no longer
protected. Although you can encrypt the files after they are uploaded,
this is not entirely secure, as it is theoretically possible for an intruder
to get hold of the files while they are being encrypted.
With the help of AspEncrypt's CryptoKey object, AspUpload is capable of uploading and encrypting files in one step,
thus making your Web-based file management system truly secure. The following code snippet
captures the uploaded files and at the same time encrypts them using
a password-derived key:
<%
' Upload script SecureUpload1.asp
Set Upload = Server.CreateObject("Persits.Upload")
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True )
' Derive the encryption key from a password
Set Key = Context.GenerateKeyFromPassword("My secret password") ' use defaults
' Save the uploaded files encrypted, appending the .xxx extension
Upload.SaveEncrypted "c:\upload", Key, "xxx"
For Each File in Upload.Files
  Response.Write "Name=" & File.Path & "; Size=" & File.Size & "<BR>"
Next
%>
|
Notice that instead of Upload.Save we call Upload.SaveEncrypted and pass an encryption
key to it as the second argument. The third argument is an extension that will
be appended to the original file name to form the name of an encrypted file. For example,
the file myfile.txt will be encrypted into the file myfile.txt.xxx. This way the
original file extension is preserved.
The last three lines loop through the Upload.Files collection
and display the paths and sizes of the uploaded files.
AspUpload allows you to upload a text password along with the files.
This password will be used by the component to derive an encryption key which
will be applied to the files being uploaded. This functionality requires a simple
protocol: your HTML form must have an <INPUT TYPE=TEXT NAME="ENCRYPTPASSWORD">
or <INPUT TYPE=HIDDEN NAME="ENCRYPTPASSWORD"> item
through which the password is specified, and this
item must appear in the form before all <INPUT TYPE=FILE> items. The name
ENCRYPTPASSWORD is part of the protocol.
For example:
<!-- SecureForm2.htm -->
<FORM METHOD="POST" ENCTYPE="multipart/form-data" ACTION="SecureUpload2.asp">
<INPUT TYPE=TEXT NAME="ENCRYPTPASSWORD">
<INPUT TYPE=FILE NAME="FILE1">
<INPUT TYPE=FILE NAME="FILE2">
<INPUT TYPE=FILE NAME="FILE3">
<INPUT TYPE=SUBMIT VALUE="Upload!">
</FORM>
|
Although AspUpload generates a key internally based on the specified password,
your script must still provide the SaveEncrypted method with an empty key object
as it is this object that gives AspUpload its encryption capabilities:
<%
' Upload script SecureUpload2.asp
Set Upload = Server.CreateObject("Persits.Upload")
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True )
Set Key = Context.CreateEmptyKey ' use defaults
Upload.SaveEncrypted "c:\upload", Key, "xxx"
%>
|
The method CreateEmptyKey accepts the same optional arguments as GenerateKey.
The difference is that the former does not actually create a key inside the key object. AspUpload
does it internally in the SaveEncrypted method based on the password supplied via the ENCRYPTPASSWORD
form item. Notice that even if a user does not supply a password the encryption
key will be derived from an empty string.
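The ENCRYPTPASSWORD placement rule and the empty-string key case described above can both be checked on a raw multipart/form-data request body, for example in a test harness for your upload form. The following Python check is an added example, not part of AspUpload or AspEncrypt; the function names, the sample boundary and the sample file contents are constructed for illustration.

```python
from email import message_from_bytes

PASSWORD_FIELD = "ENCRYPTPASSWORD"  # item name fixed by the protocol above

def check_upload(content_type, body):
    """Return the protocol problems found in a multipart/form-data body."""
    # The stdlib MIME parser expects the Content-Type header before the body.
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body)
    if not msg.is_multipart():
        return ["body is not multipart/form-data"]
    password_at = first_file_at = None
    password = b""
    for index, part in enumerate(msg.get_payload()):
        name = part.get_param("name", header="content-disposition")
        if part.get_filename() is not None:       # an <INPUT TYPE=FILE> item
            if first_file_at is None:
                first_file_at = index
        elif name == PASSWORD_FIELD and password_at is None:
            password_at = index
            password = part.get_payload(decode=True) or b""
    if password_at is None:
        return ["no ENCRYPTPASSWORD item"]
    problems = []
    if first_file_at is not None and first_file_at < password_at:
        problems.append("ENCRYPTPASSWORD appears after a file item")
    if not password.strip():
        problems.append("blank password: key would be derived from an empty string")
    return problems

def build_body(boundary, items):
    """Build a constructed request body; items are (name, filename, value)."""
    out = b""
    for name, filename, value in items:
        disposition = 'form-data; name="%s"' % name
        if filename is not None:
            disposition += '; filename="%s"' % filename
        out += (b"--" + boundary + b"\r\nContent-Disposition: "
                + disposition.encode("ascii") + b"\r\n\r\n" + value + b"\r\n")
    return out + b"--" + boundary + b"--\r\n"

# Constructed sample: the password item is sent after FILE1 and left blank.
BOUNDARY = b"constructedBoundary123"
CTYPE = "multipart/form-data; boundary=" + BOUNDARY.decode("ascii")
SAMPLE = build_body(BOUNDARY, [("FILE1", "report.txt", b"quarterly numbers"),
                               ("ENCRYPTPASSWORD", None, b"")])

if __name__ == "__main__":
    for problem in check_upload(CTYPE, SAMPLE):
        print(problem)
```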
AspUpload enables users to download a file from the web server even
if this file is not located in a virtual directory. Here is how:
<!--Put this link on your HTML page-->
<A HREF="Download.asp">Download File</A>
|
<%
' Download.asp
Set Upload = Server.CreateObject("Persits.Upload")
Upload.SendBinary "c:\dir\myfile.txt", True, "application/x-gzip"
%>
|
If an encrypted file is to be downloaded, we may choose to decrypt it before sending it
to the client browser. AspUpload enables you to perform both tasks in one
step, thus making a download truly secure:
<%
' Download.asp
Set Upload = Server.CreateObject("Persits.Upload")
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext( "", True )
Set Key = Context.GenerateKeyFromPassword("My secret password")
Upload.DecryptAndSendBinary "c:\upload\somefile.txt.xxx", _
True, "application/x-gzip", Key, True
%>
|
The DecryptAndSendBinary method is similar to SendBinary except that
it decrypts the file being downloaded using the specified key (the fourth argument). The last argument
specifies whether the .xxx file extension should be removed from the file name.
For example, if the file somefile.txt.xxx is being downloaded and the last argument
is set to True, the user will be prompted to save the file under the name somefile.txt.