metadata

package
Version v0.2.4
Warning

This package is not in the latest version of its module.

Published: Aug 23, 2018 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package metadata contains all of the on-disk structures used by fscrypt. These structures are defined in metadata.proto. The package also contains functions for manipulating these structures, specifically:

  • Reading and Writing the Config file to disk
  • Getting and Setting Policies for directories
  • Reasonable defaults for a Policy's EncryptionOptions

Package metadata is a generated protocol buffer package.

It is generated from these files:

metadata/metadata.proto

It has these top-level messages:

HashingCosts
WrappedKeyData
ProtectorData
EncryptionOptions
WrappedPolicyKey
PolicyData
Config


Constants

const (
	// DescriptorLen is the length of all Protector and Policy descriptors.
	// It is twice the kernel's raw descriptor size, so descriptors are
	// presumably stored as hex strings (two characters per raw byte).
	DescriptorLen = 2 * unix.FS_KEY_DESCRIPTOR_SIZE
	// InternalKeyLen is the length of keys handled inside fscrypt.
	// We always use 256-bit keys internally (compared to 512-bit policy keys).
	InternalKeyLen = 32
	// IVLen is the length of WrappedKeyData.IV.
	// NOTE(review): 16 bytes matches the AES block size, but the wrapping
	// cipher is not visible from this package — confirm in the crypto code
	// that a fresh random IV is generated for every wrap operation.
	IVLen          = 16
	// SaltLen is the length of ProtectorData.Salt; presumably the salt
	// fed to the passphrase hash (see HashingCosts).
	SaltLen        = 16
	// We use SHA256 for the HMAC, and len(HMAC) == len(hash size).
	HMACLen = sha256.Size
	// PolicyKeyLen is the length of all keys passed directly to the Keyring
	// (the kernel's maximum fscrypt key size).
	PolicyKeyLen = unix.FS_MAX_KEY_SIZE
)

Lengths for our keys, buffers, and strings used in fscrypt.

Variables

var (
	// DefaultOptions use the supported encryption modes and max padding.
	// Both modes are 256-bit AES variants; the AES_128_* modes in
	// EncryptionOptions_Mode are never selected by default.
	// NOTE(review): Padding 32 is the largest filename padding value, which
	// presumably reveals the least about plaintext filename lengths —
	// confirm against the kernel fscrypt policy documentation.
	DefaultOptions = &EncryptionOptions{
		Padding:   32,
		Contents:  EncryptionOptions_AES_256_XTS,
		Filenames: EncryptionOptions_AES_256_CTS,
	}
	// DefaultSource is the source we use if none is specified.
	DefaultSource = SourceType_custom_passphrase
)
var (
	// Sentinel errors returned by the support/policy functions in this
	// package; compare with == or errors.Is.
	ErrEncryptionNotSupported = errors.New("encryption not supported")
	ErrEncryptionNotEnabled   = errors.New("encryption not enabled")
	ErrNotEncrypted           = errors.New("file or directory not encrypted")
	ErrEncrypted              = errors.New("file or directory already encrypted")
	// NOTE(review): unlike its siblings this is a util.SystemError rather
	// than errors.New, so its dynamic type differs from the others.
	ErrBadEncryptionOptions   = util.SystemError("invalid encryption options provided")
)

Encryption specific errors

// EncryptionOptions_Mode_name maps each EncryptionOptions_Mode value to its
// proto enum name. Generated from metadata.proto; it must remain the exact
// inverse of EncryptionOptions_Mode_value.
var EncryptionOptions_Mode_name = map[int32]string{
	0: "default",
	1: "AES_256_XTS",
	2: "AES_256_GCM",
	3: "AES_256_CBC",
	4: "AES_256_CTS",
	5: "AES_128_CBC",
	6: "AES_128_CTS",
}
// EncryptionOptions_Mode_value maps a proto enum name to its
// EncryptionOptions_Mode value. Generated from metadata.proto; it must
// remain the exact inverse of EncryptionOptions_Mode_name.
var EncryptionOptions_Mode_value = map[string]int32{
	"default":     0,
	"AES_256_XTS": 1,
	"AES_256_GCM": 2,
	"AES_256_CBC": 3,
	"AES_256_CTS": 4,
	"AES_128_CBC": 5,
	"AES_128_CTS": 6,
}
// SourceType_name maps each SourceType value to its proto enum name.
// Generated from metadata.proto; it must remain the exact inverse of
// SourceType_value.
var SourceType_name = map[int32]string{
	0: "default",
	1: "pam_passphrase",
	2: "custom_passphrase",
	3: "raw_key",
}
// SourceType_value maps a proto enum name to its SourceType value.
// Generated from metadata.proto; it must remain the exact inverse of
// SourceType_name.
var SourceType_value = map[string]int32{
	"default":           0,
	"pam_passphrase":    1,
	"custom_passphrase": 2,
	"raw_key":           3,
}

Functions

func CheckSupport

func CheckSupport(path string) error

CheckSupport returns an error if the filesystem containing path does not support filesystem encryption. This can be for many reasons including an incompatible kernel or filesystem or not enabling the right feature flags.

func SetPolicy

func SetPolicy(path string, data *PolicyData) error

SetPolicy sets up the specified directory to be encrypted with the specified policy. Returns an error if we cannot set the policy for any reason (not a directory, invalid options or KeyDescriptor, etc).

func WriteConfig

func WriteConfig(config *Config, out io.Writer) error

WriteConfig outputs the Config data as nicely formatted JSON to out.

Types

type Config

// Config is the on-disk configuration for fscrypt, read and written as JSON
// by ReadConfig/WriteConfig. Generated from metadata.proto.
type Config struct {
	// Source is the default way new protectors obtain their secret.
	Source        SourceType         `protobuf:"varint,1,opt,name=source,enum=metadata.SourceType" json:"source,omitempty"`
	// HashCosts are the Argon2 cost parameters used for passphrase hashing.
	HashCosts     *HashingCosts      `protobuf:"bytes,2,opt,name=hash_costs,json=hashCosts" json:"hash_costs,omitempty"`
	// Compatibility is a comma-separated list of compatibility options;
	// query it with HasCompatibilityOption.
	Compatibility string             `protobuf:"bytes,3,opt,name=compatibility" json:"compatibility,omitempty"`
	// Options are the encryption options to apply; presumably the defaults
	// for newly created policies — confirm against the callers.
	Options       *EncryptionOptions `protobuf:"bytes,4,opt,name=options" json:"options,omitempty"`
}

Data stored in the config file

func ReadConfig

func ReadConfig(in io.Reader) (*Config, error)

ReadConfig decodes the JSON data from in into a new Config structure. The returned Config is not necessarily validated; call its CheckValidity method before relying on it.

func (*Config) CheckValidity

func (c *Config) CheckValidity() error

CheckValidity ensures the Config has all the necessary info for its Source.

func (*Config) Descriptor

func (*Config) Descriptor() ([]byte, []int)

func (*Config) GetCompatibility

func (m *Config) GetCompatibility() string

func (*Config) GetHashCosts

func (m *Config) GetHashCosts() *HashingCosts

func (*Config) GetOptions

func (m *Config) GetOptions() *EncryptionOptions

func (*Config) GetSource

func (m *Config) GetSource() SourceType

func (*Config) HasCompatibilityOption

func (c *Config) HasCompatibilityOption(option string) bool

HasCompatibilityOption returns true if the specified string is in the list of compatibility options. This assumes the compatibility options are in a comma separated string.

func (*Config) ProtoMessage

func (*Config) ProtoMessage()

func (*Config) Reset

func (m *Config) Reset()

func (*Config) String

func (m *Config) String() string

type EncryptionOptions

// EncryptionOptions are the per-policy encryption parameters; they
// correspond to the kernel's fscrypt_policy struct. Generated from
// metadata.proto.
type EncryptionOptions struct {
	// Padding is the filename padding; 32 is the maximum (see DefaultOptions).
	Padding   int64                  `protobuf:"varint,1,opt,name=padding" json:"padding,omitempty"`
	// Contents is the mode used to encrypt file contents.
	Contents  EncryptionOptions_Mode `protobuf:"varint,2,opt,name=contents,enum=metadata.EncryptionOptions_Mode" json:"contents,omitempty"`
	// Filenames is the mode used to encrypt filenames.
	Filenames EncryptionOptions_Mode `protobuf:"varint,3,opt,name=filenames,enum=metadata.EncryptionOptions_Mode" json:"filenames,omitempty"`
}

Encryption policy specifics, corresponds to the fscrypt_policy struct

func (*EncryptionOptions) CheckValidity

func (e *EncryptionOptions) CheckValidity() error

CheckValidity ensures each of the options is valid.

func (*EncryptionOptions) Descriptor

func (*EncryptionOptions) Descriptor() ([]byte, []int)

func (*EncryptionOptions) GetContents

func (m *EncryptionOptions) GetContents() EncryptionOptions_Mode

func (*EncryptionOptions) GetFilenames

func (m *EncryptionOptions) GetFilenames() EncryptionOptions_Mode

func (*EncryptionOptions) GetPadding

func (m *EncryptionOptions) GetPadding() int64

func (*EncryptionOptions) ProtoMessage

func (*EncryptionOptions) ProtoMessage()

func (*EncryptionOptions) Reset

func (m *EncryptionOptions) Reset()

func (*EncryptionOptions) String

func (m *EncryptionOptions) String() string

type EncryptionOptions_Mode

// EncryptionOptions_Mode identifies a kernel fscrypt encryption mode; the
// numeric values are meant to match the unix.FS_ENCRYPTION_MODE constants.
type EncryptionOptions_Mode int32

Type of encryption; should match declarations of unix.FS_ENCRYPTION_MODE

const (
	// EncryptionOptions_default is the zero value; CheckValidity rejects it
	// (see "isn't empty" in its documentation).
	EncryptionOptions_default     EncryptionOptions_Mode = 0
	// 256-bit AES modes. DefaultOptions selects XTS for contents and CTS
	// for filenames.
	EncryptionOptions_AES_256_XTS EncryptionOptions_Mode = 1
	EncryptionOptions_AES_256_GCM EncryptionOptions_Mode = 2
	EncryptionOptions_AES_256_CBC EncryptionOptions_Mode = 3
	EncryptionOptions_AES_256_CTS EncryptionOptions_Mode = 4
	// 128-bit AES modes. NOTE(review): these have less security margin
	// than the 256-bit modes and are not selected by DefaultOptions;
	// prefer the 256-bit modes unless there is a concrete reason not to.
	EncryptionOptions_AES_128_CBC EncryptionOptions_Mode = 5
	EncryptionOptions_AES_128_CTS EncryptionOptions_Mode = 6
)

func (EncryptionOptions_Mode) CheckValidity

func (m EncryptionOptions_Mode) CheckValidity() error

CheckValidity ensures the mode has a name and isn't empty.

func (EncryptionOptions_Mode) EnumDescriptor

func (EncryptionOptions_Mode) EnumDescriptor() ([]byte, []int)

func (EncryptionOptions_Mode) String

func (x EncryptionOptions_Mode) String() string

type HashingCosts

// HashingCosts are the Argon2 cost parameters used when hashing a
// passphrase. Generated from metadata.proto; proto field 1 is unused here
// (fields start at 2), presumably reserved or removed in the .proto.
// NOTE(review): CheckValidity only ensures Argon2 accepts these values;
// values that are merely "accepted" may still be far too cheap to resist
// offline guessing. Treat the configured costs as a security parameter.
type HashingCosts struct {
	// Time is the Argon2 time (iteration) cost.
	Time        int64 `protobuf:"varint,2,opt,name=time" json:"time,omitempty"`
	// Memory is the Argon2 memory cost.
	Memory      int64 `protobuf:"varint,3,opt,name=memory" json:"memory,omitempty"`
	// Parallelism is the Argon2 parallelism (lane) count.
	Parallelism int64 `protobuf:"varint,4,opt,name=parallelism" json:"parallelism,omitempty"`
}

Cost parameters to be used in our hashing functions.

func (*HashingCosts) CheckValidity

func (h *HashingCosts) CheckValidity() error

CheckValidity ensures the hash costs will be accepted by Argon2. This is a validity check, not a strength check: parameters Argon2 accepts may still be too low to resist offline passphrase guessing.

func (*HashingCosts) Descriptor

func (*HashingCosts) Descriptor() ([]byte, []int)

func (*HashingCosts) GetMemory

func (m *HashingCosts) GetMemory() int64

func (*HashingCosts) GetParallelism

func (m *HashingCosts) GetParallelism() int64

func (*HashingCosts) GetTime

func (m *HashingCosts) GetTime() int64

func (*HashingCosts) ProtoMessage

func (*HashingCosts) ProtoMessage()

func (*HashingCosts) Reset

func (m *HashingCosts) Reset()

func (*HashingCosts) String

func (m *HashingCosts) String() string

type Metadata

// Metadata is the interface to all of the protobuf structures that can be
// checked for validity. Every on-disk message in this package implements
// it; callers should run CheckValidity on anything read from disk before
// using it.
type Metadata interface {
	// CheckValidity returns an error if the message's fields are malformed.
	CheckValidity() error
	proto.Message
}

Metadata is the interface to all of the protobuf structures that can be checked for validity.

type PolicyData

// PolicyData is the on-disk data associated with one encryption policy.
// Generated from metadata.proto.
type PolicyData struct {
	// KeyDescriptor identifies the policy key to the kernel; presumably
	// DescriptorLen characters long — see CheckValidity.
	KeyDescriptor     string              `protobuf:"bytes,1,opt,name=key_descriptor,json=keyDescriptor" json:"key_descriptor,omitempty"`
	// Options are the encryption parameters applied to the directory.
	Options           *EncryptionOptions  `protobuf:"bytes,2,opt,name=options" json:"options,omitempty"`
	// WrappedPolicyKeys holds the policy key wrapped once per protector
	// that can unlock it.
	WrappedPolicyKeys []*WrappedPolicyKey `protobuf:"bytes,3,rep,name=wrapped_policy_keys,json=wrappedPolicyKeys" json:"wrapped_policy_keys,omitempty"`
}

The associated data for each policy

func GetPolicy

func GetPolicy(path string) (*PolicyData, error)

GetPolicy returns the Policy data for the given directory or file (includes the KeyDescriptor and the encryption options). Returns an error if the path is not encrypted or the policy couldn't be retrieved.

func (*PolicyData) CheckValidity

func (p *PolicyData) CheckValidity() error

CheckValidity ensures the fields and each wrapped key are valid.

func (*PolicyData) Descriptor

func (*PolicyData) Descriptor() ([]byte, []int)

func (*PolicyData) GetKeyDescriptor

func (m *PolicyData) GetKeyDescriptor() string

func (*PolicyData) GetOptions

func (m *PolicyData) GetOptions() *EncryptionOptions

func (*PolicyData) GetWrappedPolicyKeys

func (m *PolicyData) GetWrappedPolicyKeys() []*WrappedPolicyKey

func (*PolicyData) ProtoMessage

func (*PolicyData) ProtoMessage()

func (*PolicyData) Reset

func (m *PolicyData) Reset()

func (*PolicyData) String

func (m *PolicyData) String() string

type ProtectorData

// ProtectorData is the on-disk data associated with one protector (an
// outside secret that can unwrap policy keys). Generated from
// metadata.proto.
type ProtectorData struct {
	// ProtectorDescriptor identifies this protector; presumably
	// DescriptorLen characters long — see CheckValidity.
	ProtectorDescriptor string     `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor" json:"protector_descriptor,omitempty"`
	// Source says how the protector's secret is obtained.
	Source              SourceType `protobuf:"varint,2,opt,name=source,enum=metadata.SourceType" json:"source,omitempty"`
	// These are only used by some of the protector types
	Name       string          `protobuf:"bytes,3,opt,name=name" json:"name,omitempty"`
	// Costs are the Argon2 parameters for passphrase-based sources.
	Costs      *HashingCosts   `protobuf:"bytes,4,opt,name=costs" json:"costs,omitempty"`
	// Salt is the per-protector salt (SaltLen bytes); it is stored in the
	// clear, which is expected for a salt, and must be unique per protector.
	Salt       []byte          `protobuf:"bytes,5,opt,name=salt,proto3" json:"salt,omitempty"`
	// Uid is the owning user; presumably meaningful for pam_passphrase —
	// confirm against the protector implementation.
	Uid        int64           `protobuf:"varint,6,opt,name=uid" json:"uid,omitempty"`
	// WrappedKey is the protector key wrapped by the outside secret.
	WrappedKey *WrappedKeyData `protobuf:"bytes,7,opt,name=wrapped_key,json=wrappedKey" json:"wrapped_key,omitempty"`
}

The associated data for each protector

func (*ProtectorData) CheckValidity

func (p *ProtectorData) CheckValidity() error

CheckValidity ensures our ProtectorData has the correct fields for its source.

func (*ProtectorData) Descriptor

func (*ProtectorData) Descriptor() ([]byte, []int)

func (*ProtectorData) GetCosts

func (m *ProtectorData) GetCosts() *HashingCosts

func (*ProtectorData) GetName

func (m *ProtectorData) GetName() string

func (*ProtectorData) GetProtectorDescriptor

func (m *ProtectorData) GetProtectorDescriptor() string

func (*ProtectorData) GetSalt

func (m *ProtectorData) GetSalt() []byte

func (*ProtectorData) GetSource

func (m *ProtectorData) GetSource() SourceType

func (*ProtectorData) GetUid

func (m *ProtectorData) GetUid() int64

func (*ProtectorData) GetWrappedKey

func (m *ProtectorData) GetWrappedKey() *WrappedKeyData

func (*ProtectorData) ProtoMessage

func (*ProtectorData) ProtoMessage()

func (*ProtectorData) Reset

func (m *ProtectorData) Reset()

func (*ProtectorData) String

func (m *ProtectorData) String() string

type SourceType

// SourceType specifies the method by which an outside secret is obtained
// for a Protector.
type SourceType int32

Specifies the method in which an outside secret is obtained for a Protector

const (
	// SourceType_default is the zero value; CheckValidity rejects it
	// (see "isn't empty" in its documentation).
	SourceType_default           SourceType = 0
	// SourceType_pam_passphrase derives the secret from the user's login
	// passphrase via PAM.
	SourceType_pam_passphrase    SourceType = 1
	// SourceType_custom_passphrase derives the secret from a passphrase
	// chosen specifically for fscrypt (the DefaultSource).
	SourceType_custom_passphrase SourceType = 2
	// SourceType_raw_key uses a caller-supplied raw key; no passphrase
	// hashing is involved, so the caller is responsible for its entropy.
	SourceType_raw_key           SourceType = 3
)

func (SourceType) CheckValidity

func (s SourceType) CheckValidity() error

CheckValidity ensures the source has a name and isn't empty.

func (SourceType) EnumDescriptor

func (SourceType) EnumDescriptor() ([]byte, []int)

func (SourceType) String

func (x SourceType) String() string

type WrappedKeyData

// WrappedKeyData is the output of fscrypt's authenticated key wrapping and
// the input to unwrapping: an IV, the encrypted key, and an HMAC tag.
// Generated from metadata.proto. CheckValidity enforces the buffer lengths
// (IVLen and HMACLen from the package constants).
// NOTE(review): the unwrapping code is outside this package — confirm it
// verifies Hmac with a constant-time comparison (hmac.Equal) and rejects
// the data before attempting any decryption.
type WrappedKeyData struct {
	// IV is the initialization vector used for the wrap (IVLen bytes).
	IV           []byte `protobuf:"bytes,1,opt,name=IV,proto3" json:"IV,omitempty"`
	// EncryptedKey is the wrapped key ciphertext.
	EncryptedKey []byte `protobuf:"bytes,2,opt,name=encrypted_key,json=encryptedKey,proto3" json:"encrypted_key,omitempty"`
	// Hmac is the SHA-256 HMAC tag (HMACLen bytes).
	Hmac         []byte `protobuf:"bytes,3,opt,name=hmac,proto3" json:"hmac,omitempty"`
}

This structure is used for our authenticated wrapping/unwrapping of keys: it carries the IV, the encrypted key, and the HMAC tag that authenticates it.

func (*WrappedKeyData) CheckValidity

func (w *WrappedKeyData) CheckValidity() error

CheckValidity ensures our buffers are the correct length.

func (*WrappedKeyData) Descriptor

func (*WrappedKeyData) Descriptor() ([]byte, []int)

func (*WrappedKeyData) GetEncryptedKey

func (m *WrappedKeyData) GetEncryptedKey() []byte

func (*WrappedKeyData) GetHmac

func (m *WrappedKeyData) GetHmac() []byte

func (*WrappedKeyData) GetIV

func (m *WrappedKeyData) GetIV() []byte

func (*WrappedKeyData) ProtoMessage

func (*WrappedKeyData) ProtoMessage()

func (*WrappedKeyData) Reset

func (m *WrappedKeyData) Reset()

func (*WrappedKeyData) String

func (m *WrappedKeyData) String() string

type WrappedPolicyKey

// WrappedPolicyKey is a policy key wrapped by one particular protector;
// PolicyData holds one of these per protector that can unlock the policy.
// Generated from metadata.proto.
type WrappedPolicyKey struct {
	// ProtectorDescriptor names the protector whose key wrapped this entry.
	ProtectorDescriptor string          `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor" json:"protector_descriptor,omitempty"`
	// WrappedKey is the policy key wrapped under that protector's key.
	WrappedKey          *WrappedKeyData `protobuf:"bytes,2,opt,name=wrapped_key,json=wrappedKey" json:"wrapped_key,omitempty"`
}

func (*WrappedPolicyKey) CheckValidity

func (w *WrappedPolicyKey) CheckValidity() error

CheckValidity ensures the fields are valid and have the correct lengths.

func (*WrappedPolicyKey) Descriptor

func (*WrappedPolicyKey) Descriptor() ([]byte, []int)

func (*WrappedPolicyKey) GetProtectorDescriptor

func (m *WrappedPolicyKey) GetProtectorDescriptor() string

func (*WrappedPolicyKey) GetWrappedKey

func (m *WrappedPolicyKey) GetWrappedKey() *WrappedKeyData

func (*WrappedPolicyKey) ProtoMessage

func (*WrappedPolicyKey) ProtoMessage()

func (*WrappedPolicyKey) Reset

func (m *WrappedPolicyKey) Reset()

func (*WrappedPolicyKey) String

func (m *WrappedPolicyKey) String() string
