encrypt

package

v0.0.0-...-c426cd6 Latest Latest Go to latest Published: Apr 22, 2020 License: Apache-2.0 Imports: 14 Imported by: 3

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/asjoyner/shade

Links

Open Source Insights

Documentation ¶

Overview ¶

Package encrypt is an interface to manage encrypted storage backends. It presents an unencrypted interface to callers by storing bytes in the provided Child client, encrypting the bytes written to it, and decrypting them again when requested.

File objects are encrypted with an RSA public key provided in the config. If an RSA private key is provided, GetFile and ListFiles will perform the reverse operation.

Chunk objects are encrypted with 256-bit AES-GCM using an AES key stored in the shade.File struct and a random 96-bit nonce stored with each shade.Chunk struct.

The sha256sum of each Chunk is AES encrypted with the same key as the contents and a nonce which is stored in the corresponding shade.File struct. Unlike the Chunk, the nonce cannot be stored appended to the sha256sum, because it must be known in advance to retrieve the chunk. Nb: It is important not to reuse a nonce with the same key, thus callers must reset the Nonce in a shade.Chunk when updating the Sha256sum value.

The sha256sum of File objects are not encrypted. The struct contains sufficient internal randomness (Nonces of shade.Chunk objects, mtime, etc) that the sum does not leak information about the contents of the file.

Index ¶

func Decrypt(ciphertext []byte, key *[32]byte) (plaintext []byte, err error)
func Encrypt(plaintext []byte, key *[32]byte) (ciphertext []byte, err error)
func GetAllEncryptedSums(f *shade.File) (encryptedSums [][]byte, err error)
func GetEncryptedSum(sha256sum []byte, f *shade.File) (encryptedSum []byte, err error)
func NewClient(c drive.Config) (drive.Client, error)
type Drive

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Decrypt ¶

func Decrypt(ciphertext []byte, key *[32]byte) (plaintext []byte, err error)

Decrypt decrypts data using 256-bit AES-GCM. This both hides the content of the data and provides a check that it hasn't been altered. Expects input form nonce|ciphertext|tag where '|' indicates concatenation.

func Encrypt ¶

func Encrypt(plaintext []byte, key *[32]byte) (ciphertext []byte, err error)

Encrypt encrypts data using 256-bit AES-GCM. This both hides the content of the data and provides a check that it hasn't been altered. Output takes the form nonce|ciphertext|tag where '|' indicates concatenation.

func GetAllEncryptedSums ¶

func GetAllEncryptedSums(f *shade.File) (encryptedSums [][]byte, err error)

GetAllEncryptedSums returns the encrypted sums for each chunk in f.

func GetEncryptedSum ¶

func GetEncryptedSum(sha256sum []byte, f *shade.File) (encryptedSum []byte, err error)

GetEncryptedSum calculates the encrypted sha256sum that a chunk will be stored at, for a given chunk in a given file. It is used both by PutChunk to store the chunk, and later by GetChunk to find it again.

func NewClient ¶

func NewClient(c drive.Config) (drive.Client, error)

NewClient performs sanity checking and returns a Drive client.

Types ¶

type Drive ¶

type Drive struct {
	// contains filtered or unexported fields
}

Drive protects the contents of a single child drive.Client. It can return a config which describes only its name.

If any of its clients are not Local(), it reports itself as not Local() by returning false. If any of its clients are Persistent(), it requires writes to at least one of those backends to succeed, and reports itself as Persistent().

func (*Drive) GetChunk ¶

func (s *Drive) GetChunk(sha256sum []byte, f *shade.File) ([]byte, error)

GetChunk retrieves and decrypts the chunk with a given SHA-256 sum. It reverses the process of PutChunk, in particular, leveraging the stored Nonce to be able to find the encrypted sha256sum in the child client.

func (*Drive) GetConfig ¶

func (s *Drive) GetConfig() drive.Config

GetConfig returns the config used to initialize this client.

func (*Drive) GetFile ¶

func (s *Drive) GetFile(sha256sum []byte) ([]byte, error)

GetFile retrieves the file object described by the sha256sum, decrypts it, and returns it to the caller. It reverses the process described in PutFile.

func (*Drive) ListFiles ¶

func (s *Drive) ListFiles() ([][]byte, error)

ListFiles retrieves all of the File objects known to the child client. The return is a list of sha256sums of the file object. The keys may be passed to GetFile() to retrieve the corresponding shade.File.

func (*Drive) Local ¶

func (s *Drive) Local() bool

Local returns true only if the configured backend is local to this machine.

func (*Drive) NewChunkLister ¶

func (s *Drive) NewChunkLister() drive.ChunkLister

NewChunkLister allows listing all the chunks in the encrypted client.

Nb: The returned chunk *sums* are encrypted. They cannot be decrypted without the AesKey of the associated shade.File object. The encrypted chunk sums can still be useful, when combined with the shade/drive/encrypt module's function to get the encrypted chunk sums of a given file. This allows you to determine if all of the chunks of a given file are durably stored, combined with the list of all files to identify unreferenced chunks, etc.

func (*Drive) Persistent ¶

func (s *Drive) Persistent() bool

Persistent returns true if the configured storage backend is Persistent().

func (*Drive) PutChunk ¶

func (s *Drive) PutChunk(sha256sum []byte, chunkBytes []byte, f *shade.File) error

PutChunk writes a chunk associated with a SHA-256 sum. It uses the following process:

From the provided shade.File struct, retrieve:
the AES key of the File
the Nonce of the associated shade.Chunk struct
encrypt the sha256sum with the provided Key and Nonce
encrypt the bytes with the provided Key and a unique Nonce
store the encrypted bytes at the encrypted sum in the child client

func (*Drive) PutFile ¶

func (s *Drive) PutFile(sha256sum, f []byte) error

PutFile encrypts and writes the metadata describing a new file. It uses the following process:

generates a new 256-bit AES encryption key
uses the new key to Encrypt() the provided File's bytes
RSA encrypts the AES key (but not the sha256sum of the File's bytes)
bundles the encrypted key and encrypted bytes as an encryptedObj
marshals the encryptedObj as JSON and store it in the child client, at the value of the sha256sum of the plaintext

func (*Drive) ReleaseChunk ¶

func (s *Drive) ReleaseChunk(sha256sum []byte) error

ReleaseChunk calls ReleaseChunk on the provided child client.

Nb: This sha256sm is passed unmodified to the client, thus you should pass the encrypted sha256sum as returned by the ChunkLister interface. See NewChunkLister for more detail.

func (*Drive) ReleaseFile ¶

func (s *Drive) ReleaseFile(sha256sum []byte) error

ReleaseFile calls ReleaseFile on the provided child client.

Nb: This expects the same (raw) sha256sum returned by ListFiles. The sums that identify file objects are not encrypted.

func (*Drive) Warm ¶

func (s *Drive) Warm(chunks [][]byte, f *shade.File)

Warm translates the upcoming chunk sums into their encrypted sums, and passes them along the child client.

Source Files ¶

View all Source files

encrypt.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL