@viklund
Last active December 3, 2019 13:37
Crypt4gh docker experiments

Build and run the container

docker build . -t test-c4gh

docker run --rm -ti test-c4gh

About htslib-crypt4gh

This is implemented with an agent that all the keys are registered in; samtools then talks to that agent when a file is specified as crypt4gh:<filename>. When the agent is launched it also automatically launches a subshell that you are then placed in, with a few environment variables set that contain the connection information for the agent. This is similar to how ssh-agent works, except that ssh-agent doesn't spawn the subshell for you: you have to supply the command as an argument to it (i.e. ssh-agent bash or whatever). Additionally, there's no logic in the agent to detect whether it has already been launched, so adding keys to the agent will spawn a new nested subshell; just type C-d until the dream ends.

Creating a key with htslib-crypt4gh

crypt4gh-agent -g testkey

Creates testkey.pub and testkey.sec

Add a key to the htslib-crypt4gh agent

crypt4gh-agent -k <keyfile> [-k <more>]

Any number of -k options can be given, but only the first one(s) are used for encryption.

Create an encrypted samfile with samtools

samtools view -h <file> -o crypt4gh:<outfile>

For example, in the container:

samtools view -h samtools/examples/toy.sam -o crypt4gh:out.sam.crypt

Decrypting with python

crypt4gh decrypt --sk testkey.sec < out.sam.crypt

Decrypting with java

java -jar /usr/local/bin/crypt4gh.jar -sk testkey.sec -d out.sam.crypt
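To check what samtools actually wrote before handing the file to either decryptor, the following added example (not part of this gist or of any of the crypt4gh projects) parses the unencrypted part of a Crypt4GH v1 container header: the magic, version, header packet count and, per packet, the encryption method and writer public key. The packet layout it assumes (length, method, 32-byte writer key, 12-byte nonce, encrypted payload) follows the Crypt4GH v1 specification as I read it, and the sample container built by build_sample() is constructed here with dummy payloads, not a real encrypted file.

```python
import struct
import sys

MAGIC = b"crypt4gh"
# Assumed Crypt4GH v1 header packet layout (per the spec; nothing here is decrypted):
#   packet_length (u32 LE, includes itself) | encryption_method (u32 LE, 0 = X25519/chacha20-poly1305)
#   writer_public_key (32 bytes) | nonce (12 bytes) | encrypted payload (MAC + ciphertext)
FIXED_PACKET_PREFIX = 4 + 4 + 32 + 12


def parse_header(data: bytes) -> dict:
    """Return version, packet count and per-packet metadata of a Crypt4GH container header."""
    if data[:8] != MAGIC:
        raise ValueError("not a Crypt4GH container (bad magic)")
    version, count = struct.unpack_from("<II", data, 8)
    if version != 1:
        raise ValueError(f"unsupported Crypt4GH version {version}")
    offset, packets = 16, []
    for _ in range(count):
        if offset + 8 > len(data):
            raise ValueError("truncated header: packet count exceeds data")
        length, method = struct.unpack_from("<II", data, offset)
        if length < FIXED_PACKET_PREFIX or offset + length > len(data):
            raise ValueError("truncated or malformed header packet")
        writer_pk = data[offset + 8 : offset + 40]
        packets.append({"method": method, "writer_public_key": writer_pk.hex(),
                        "encrypted_len": length - FIXED_PACKET_PREFIX})
        offset += length
    # One header packet is normally emitted per recipient key; the recipient is not named,
    # so a decryptor simply tries each packet with the secret keys it holds.
    return {"version": version, "packet_count": count, "packets": packets, "header_len": offset}


def build_sample() -> bytes:
    """Constructed sample: a v1 header with two packets (two recipients) and dummy payloads."""
    def packet(writer_pk: bytes, payload: bytes) -> bytes:
        body = struct.pack("<I", 0) + writer_pk + b"\x00" * 12 + payload
        return struct.pack("<I", 4 + len(body)) + body
    p1 = packet(b"\x11" * 32, b"\xaa" * 40)
    p2 = packet(b"\x22" * 32, b"\xbb" * 40)
    return MAGIC + struct.pack("<II", 1, 2) + p1 + p2 + b"DATA-BLOCK-PLACEHOLDER"


if __name__ == "__main__":
    # Usage: python3 inspect_c4gh.py out.sam.crypt  (or no argument to parse the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(parse_header(blob))
```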
Dockerfile

FROM debian:10-slim
## Otherwise Java won't install
RUN mkdir -p /usr/share/man/man1
RUN apt-get update \
    && apt-get install -y gnupg2
## This is to get openjdk-11-jre to install on -slim
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EA8CACC073C3DB2A
# Just blindly accept the license agreement
RUN echo "deb http://ppa.launchpad.net/linuxuprising/java/ubuntu bionic main" > /etc/apt/sources.list.d/linuxuprising-java.list
RUN echo oracle-java13-installer shared/accepted-oracle-license-v1-2 select true | /usr/bin/debconf-set-selections
## Build dependencies for htslib/samtools, libsodium for the crypt4gh plugin, python for the EGA tool
RUN apt-get update \
    && apt-get install -y \
        curl git autoconf make gcc \
        zlib1g-dev libbz2-dev liblzma-dev libcurl4-openssl-dev \
        libsodium-dev \
        libncurses5-dev \
        python3 python3-pip \
        oracle-java13-installer
RUN mkdir -p /opt/work
WORKDIR /opt/work
RUN git clone https://github.com/samtools/htslib-crypt4gh.git \
    && git clone https://github.com/samtools/htslib.git \
    && git clone https://github.com/samtools/samtools.git
## htslib is built with plugin support so the crypt4gh plugin can be loaded
RUN cd htslib \
    && autoheader \
    && autoconf \
    && ./configure --enable-plugins \
    && make \
    && make install
RUN cd htslib-crypt4gh \
    && autoheader \
    && autoconf \
    && ./configure \
    && make \
    && make install
RUN cd samtools \
    && autoheader \
    && autoconf \
    && ./configure \
    && make \
    && make install
## Python and Java command-line implementations of Crypt4GH, used for decryption
RUN pip3 install git+https://github.com/EGA-archive/crypt4gh.git
RUN curl -Ls https://github.com/uio-bmi/crypt4gh/releases/download/v2.3.0/crypt4gh.jar > /usr/local/bin/crypt4gh.jar
## Plugin search path so samtools/htslib can find the crypt4gh plugin
ENV HTS_PATH=/usr/local/libexec/htslib
## Run as an unprivileged user
ARG LEGA_GID=1000
RUN addgroup --gid ${LEGA_GID} lega && \
    adduser --disabled-login --gid ${LEGA_GID} lega
RUN chown -R lega:lega /opt/work
USER lega