vcrypt

package module
v0.1.0

This package is not in the latest version of its module.

Published: Dec 6, 2015 License: MIT Imports: 17 Imported by: 0

README

vcrypt

A toolkit for multi-factor, multi-role encryption.

Overview

vcrypt is a toolkit for building and executing multi-factor encryption schemes. It supports a multi-role encryption workflow: an expert user crafts an encryption plan, which is then distributed to a novice user for safe, reliable encryption.

Install

    $ go get github.com/vcrypt/vcrypt/cmd/vcrypt

Commands

    $ vcrypt help
    > usage: vcrypt <command> [<args>]
    >
    > The vcrypt commands are:
    >   build   Build plan file from plan config
    >   export  Export material data
    >   import  Import material data
    >   inspect Inspect vault, plan, or material data
    >   lock    Encrypt data to a vault
    >   unlock  Decrypt data from a vault

Artifacts

  • plan: encodes each step (node) in a multi-factor encryption scheme. Steps are arranged into a directed acyclic graph with a single root step. Each node is either a cryptex, a secret, or a marker for material data. Plans may be sealed so that a recipient can verify who produced them and that they were not altered. They contain no secret information and are safe to distribute publicly.

  • vault: holds a plan, the ciphertext for the protected data, and the intermediate (non-secret) material required for decryption. A vault contains no unencrypted secret data. The lock command creates a vault, which the unlock command decrypts.

  • material: the serialized input or output of a node for a given vault. Secret material is stored in the database; non-secret material may be stored as part of the vault. The export and import commands let users share solutions to nodes (secret data) with each other.

Reference

  • cryptex: the combination of an encryption construct (like Shamir's Secret Sharing, NaCl's secretbox, or OpenPGP public key encryption) along with any required configuration (public keys, m-of-n values). A cryptex node is a single factor in a multi-factor encryption scheme.

  • seal: a digital signature combined with the cryptographic material needed to verify the signature (e.g. a public key).

  • secret: the sensitive input data required to lock and/or unlock a single cryptex.

Examples
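
The seal is what makes the expert-to-novice handoff safe: a plan carries no secrets, so the risk is not disclosure but substitution, and a recipient who verifies the seal under a key they already trust knows the plan is the one the expert published. The Go program below is an added example written for this page, not vcrypt's own code. It models a plan with just the fields AddSeal is documented to cover (nonce, root node, comment), signs a length-prefixed SHA-256 digest of them with Ed25519, and verifies the result. The Plan and Seal types, the digest layout, the choice of Ed25519, the function names and the sample field values are all assumptions of this example; vcrypt's real seal and digest encodings are not shown on this page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Plan stands in for the page's Plan with only the fields AddSeal is documented
// to cover: nonce, root node and comment. Root holds a constructed sample here.
type Plan struct {
	Nonce   []byte
	Root    []byte
	Comment string
}

// Seal follows the page's definition: a signature plus the material needed to
// verify it.
type Seal struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Digest hashes each field with a length prefix so that moving bytes between
// nonce, root node and comment cannot produce the same digest.
func (p *Plan) Digest() []byte {
	h := sha256.New()
	for _, f := range [][]byte{p.Nonce, p.Root, []byte(p.Comment)} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// AddSeal signs the digest with the expert's Ed25519 key and attaches the
// public half so that a recipient can verify.
func (p *Plan) AddSeal(priv ed25519.PrivateKey) Seal {
	return Seal{
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, p.Digest()),
	}
}

// VerifySeal accepts the seal only under the key the recipient already trusts.
// A seal is self-consistent under any key, so checking the signature alone
// would let anyone re-seal a modified plan with a fresh key pair.
func VerifySeal(p *Plan, s Seal, trusted ed25519.PublicKey) bool {
	if len(trusted) != ed25519.PublicKeySize || !bytes.Equal(s.PublicKey, trusted) {
		return false
	}
	return ed25519.Verify(trusted, p.Digest(), s.Signature)
}

// Scenario plays out the workflow: the expert seals a plan; the novice checks
// the genuine copy, a copy with an edited comment, and that same edited copy
// re-sealed by an impostor's key. It reports the three verification results.
func Scenario() (genuine, tampered, resealed bool, err error) {
	_, expert, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostor, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	plan := &Plan{
		Nonce:   []byte("constructed-nonce"),
		Root:    []byte("constructed-root-node"),
		Comment: "recover with 2 of 3 shares",
	}
	trusted := expert.Public().(ed25519.PublicKey)
	s := plan.AddSeal(expert)
	genuine = VerifySeal(plan, s, trusted)

	modified := *plan
	modified.Comment = "recover with 1 of 3 shares"
	tampered = VerifySeal(&modified, s, trusted)
	resealed = VerifySeal(&modified, modified.AddSeal(impostor), trusted)
	return
}
```

Scenario returns (true, false, false, nil): the genuine plan verifies, the plan with an edited comment does not, and neither does the edited plan re-sealed by the impostor, because VerifySeal compares the seal's key against the pinned one before checking the signature. Skipping that comparison and trusting whatever public key travels with the seal would make the seal worthless against an active attacker.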

Documentation

Overview

Package vcrypt is a generated protocol buffer package.

It is generated from these files:

vcrypt.proto
marker.proto
node.proto
plan.proto
vault.proto

It has these top-level messages:

Envelope

Constants

This section is empty.

Variables

var (
	ErrInvalidLengthMarker = fmt.Errorf("proto: negative length found during unmarshaling")
)

var (
	ErrInvalidLengthNode = fmt.Errorf("proto: negative length found during unmarshaling")
)

var (
	ErrInvalidLengthPlan = fmt.Errorf("proto: negative length found during unmarshaling")
)

var (
	ErrInvalidLengthVault = fmt.Errorf("proto: negative length found during unmarshaling")
)

var (
	ErrInvalidLengthVcrypt = fmt.Errorf("proto: negative length found during unmarshaling")
)

Functions

func Armor

func Armor(msg Message) ([]byte, error)

Armor returns the PEM encoded msg data.

func Marshal

func Marshal(msg Message) ([]byte, error)

Marshal returns the proto3 encoding of msg.

Types

type Driver

type Driver interface {
	material.DB

	// LockPayload encrypts the Reader data and returns the payload and decryption key.
	LockPayload(io.Reader) (payload.Payload, []byte, error)

	// LoadSecret returns the secret data for a Secret.
	LoadSecret(secret.Secret) (data [][]byte, skip bool, err error)
}

Driver is an interface for an interactive vault processor.

type Envelope

type Envelope struct {
	Plan     *Plan              `protobuf:"bytes,1,opt,name=plan" json:"plan,omitempty"`
	Material *material.Material `protobuf:"bytes,2,opt,name=material" json:"material,omitempty"`
	Vault    *Vault             `protobuf:"bytes,3,opt,name=vault" json:"vault,omitempty"`
}

func Wrap

func Wrap(msg Message) (*Envelope, error)

Wrap returns an intermediate form of the message for marshalling.

func (*Envelope) GetValue

func (this *Envelope) GetValue() interface{}

func (*Envelope) Marshal

func (m *Envelope) Marshal() (data []byte, err error)

func (*Envelope) MarshalTo

func (m *Envelope) MarshalTo(data []byte) (int, error)

func (*Envelope) Message

func (e *Envelope) Message() (Message, error)

Message returns the concrete type from the intermediate form.

func (*Envelope) ProtoMessage

func (*Envelope) ProtoMessage()

func (*Envelope) Reset

func (m *Envelope) Reset()

func (*Envelope) SetValue

func (this *Envelope) SetValue(value interface{}) bool

func (*Envelope) Size

func (m *Envelope) Size() (n int)

func (*Envelope) String

func (m *Envelope) String() string

func (*Envelope) Unmarshal

func (m *Envelope) Unmarshal(data []byte) error

type Graph

type Graph struct {
	*graph.DAG
	// contains filtered or unexported fields
}

Graph encodes an encryption plan into discrete steps represented as Nodes.

func BuildGraph

func BuildGraph(nodes []*Node) (*Graph, error)

BuildGraph constructs a graph from a slice of Nodes.

func NewGraph

func NewGraph(cptx cryptex.Cryptex) (*Graph, error)

NewGraph constructs a graph with a root Node for cptx.

func (*Graph) Add

func (g *Graph) Add(val interface{}, from *graph.Vertex) (*graph.Vertex, error)

Add inserts a new Node into the graph with a parent edge from the vertex.

func (*Graph) Nodes

func (g *Graph) Nodes() ([]*Node, error)

Nodes converts the graph vertices into Nodes in a consistent reverse depth-first order.

type Marker

type Marker struct {
	Comment string `protobuf:"bytes,1,opt,name=comment,proto3" json:"comment,omitempty"`
}

func (*Marker) Marshal

func (m *Marker) Marshal() (data []byte, err error)

func (*Marker) MarshalTo

func (m *Marker) MarshalTo(data []byte) (int, error)

func (*Marker) ProtoMessage

func (*Marker) ProtoMessage()

func (*Marker) Reset

func (m *Marker) Reset()

func (*Marker) Size

func (m *Marker) Size() (n int)

func (*Marker) String

func (m *Marker) String() string

func (*Marker) Unmarshal

func (m *Marker) Unmarshal(data []byte) error

type Message

type Message interface {
	// Marshal returns the binary representation of the Message.
	Marshal() (data []byte, err error)

	// Unmarshal parses the Message encoded in data.
	Unmarshal(data []byte) error

	Comment() string
	Digest() ([]byte, error)
}

Message is a top-level data structure for exporting & importing.

func Unarmor

func Unarmor(data []byte) (Message, []byte, error)

Unarmor constructs a Message from the PEM encoded data.

func Unmarshal

func Unmarshal(data []byte) (Message, error)

Unmarshal parses the proto3 encoded message.

type Node

type Node struct {
	Nonce  []byte   `protobuf:"bytes,1,opt,name=nonce,proto3" json:"nonce,omitempty"`
	Inputs [][]byte `protobuf:"bytes,2,rep,name=inputs" json:"inputs,omitempty"`

	Marker *Marker `protobuf:"bytes,5,opt,name=marker" json:"marker,omitempty"`
	// contains filtered or unexported fields
}

func NewCryptexNode

func NewCryptexNode(cptx cryptex.Cryptex, inputs [][]byte) (*Node, error)

NewCryptexNode constructs a node with the marshaled cryptex data.

func NewMarkerNode

func NewMarkerNode(mrkr *Marker) (*Node, error)

NewMarkerNode constructs a node with a marker for material data.

func NewSecretNode

func NewSecretNode(sec secret.Secret) (*Node, error)

NewSecretNode constructs a node with the marshaled secret data.

func (*Node) Comment

func (n *Node) Comment() (string, error)

Comment returns the node's comment string.

func (*Node) Cryptex

func (n *Node) Cryptex() (cryptex.Cryptex, error)

Cryptex returns the unmarshaled cryptex held by the node.

func (*Node) Digest

func (n *Node) Digest() ([]byte, error)

Digest returns a unique series of bytes that identify the node.

func (*Node) GetValue

func (this *Node) GetValue() interface{}

func (*Node) Marshal

func (m *Node) Marshal() (data []byte, err error)

func (*Node) MarshalTo

func (m *Node) MarshalTo(data []byte) (int, error)

func (*Node) ProtoMessage

func (*Node) ProtoMessage()

func (*Node) Reset

func (m *Node) Reset()

func (*Node) Secret

func (n *Node) Secret() (secret.Secret, error)

Secret returns the unmarshaled secret held by the node.

func (*Node) SetValue

func (this *Node) SetValue(value interface{}) bool

func (*Node) Size

func (m *Node) Size() (n int)

func (*Node) String

func (m *Node) String() string

func (*Node) Type

func (n *Node) Type() NodeType

Type returns the NodeType of the data held by the Node.

func (*Node) Unmarshal

func (m *Node) Unmarshal(data []byte) error

type NodeType

type NodeType int

NodeType marks the type of data held by a Node.

const (
	// CryptexNode contains a marshaled cryptex.
	CryptexNode NodeType = iota + 1

	// SecretNode holds a marshaled secret.
	SecretNode

	// MarkerNode marks material data.
	MarkerNode
)

type Plan

type Plan struct {
	Nonce []byte `protobuf:"bytes,1,opt,name=nonce,proto3" json:"nonce,omitempty"`

	Nodes []*Node `protobuf:"bytes,3,rep,name=nodes" json:"nodes,omitempty"`
	// contains filtered or unexported fields
}

func BuildPlan

func BuildPlan(r io.Reader) (*Plan, error)

BuildPlan constructs a Plan from the config data in r.

func NewPlan

func NewPlan(g *Graph, comment string) (*Plan, error)

NewPlan constructs a Plan from a pre-built Graph.

func (*Plan) AddSeal

func (p *Plan) AddSeal(slr Sealer) (seal.Seal, error)

AddSeal adds a Seal for the Plan from the nonce, root node, and comment data.

func (*Plan) BFS

func (p *Plan) BFS(fn func(*Node) error) error

BFS walks the nodes in breadth-first order.

func (*Plan) Comment

func (p *Plan) Comment() string

Comment returns the Plan's comment string.

func (*Plan) Digest

func (p *Plan) Digest() ([]byte, error)

Digest is a unique series of bytes that identify the Plan.

func (*Plan) Graph

func (p *Plan) Graph() (*Graph, error)

Graph returns a new Graph built from the plan nodes.

func (*Plan) Marshal

func (m *Plan) Marshal() (data []byte, err error)

func (*Plan) MarshalTo

func (m *Plan) MarshalTo(data []byte) (int, error)

func (*Plan) ProtoMessage

func (*Plan) ProtoMessage()

func (*Plan) Reset

func (m *Plan) Reset()

func (*Plan) Seals

func (p *Plan) Seals() ([]seal.Seal, error)

Seals returns the Seals attached to the Plan.

func (*Plan) Size

func (m *Plan) Size() (n int)

func (*Plan) String

func (m *Plan) String() string

func (*Plan) Unmarshal

func (m *Plan) Unmarshal(data []byte) error

type Sealer

type Sealer interface {
	// Seal constructs a new seal for the data.
	Seal([]byte) (seal.Seal, error)
}

Sealer is an interface for the Seal method.

type Vault

type Vault struct {
	Nonce []byte `protobuf:"bytes,1,opt,name=nonce,proto3" json:"nonce,omitempty"`

	Plan      *Plan                `protobuf:"bytes,3,opt,name=plan" json:"plan,omitempty"`
	Materials []*material.Material `protobuf:"bytes,4,rep,name=materials" json:"materials,omitempty"`
	// contains filtered or unexported fields
}

func NewVault

func NewVault(plan *Plan, comment string) (*Vault, error)

NewVault constructs a Vault from a Plan.

func (*Vault) Comment

func (v *Vault) Comment() string

Comment returns the Vault's comment string.

func (*Vault) Digest

func (v *Vault) Digest() ([]byte, error)

Digest is a unique series of bytes that identify the Vault.

func (*Vault) Lock

func (v *Vault) Lock(r io.Reader, drv Driver) error

Lock encrypts a vault by building an encrypted Payload from r. It then secures the decryption key in a multi-step encryption scheme described in the Plan.

func (*Vault) Marshal

func (m *Vault) Marshal() (data []byte, err error)

func (*Vault) MarshalTo

func (m *Vault) MarshalTo(data []byte) (int, error)

func (*Vault) Payload

func (v *Vault) Payload() (payload.Payload, error)

Payload returns the encrypted Payload protected by the vault.

func (*Vault) ProtoMessage

func (*Vault) ProtoMessage()

func (*Vault) Reset

func (m *Vault) Reset()

func (*Vault) Seals

func (v *Vault) Seals() ([]seal.Seal, error)

Seals are the verifiable seals of the vault.

func (*Vault) Size

func (m *Vault) Size() (n int)

func (*Vault) String

func (m *Vault) String() string

func (*Vault) Unlock

func (v *Vault) Unlock(w io.Writer, drv Driver) (unlocked bool, err error)

Unlock retrieves the Payload decryption key by solving the Plan and writes the decrypted Payload data to w.
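
Lock and Unlock are the two halves of the page's design: the payload is encrypted once under a random key, and it is that key, not the payload, that the plan protects step by step. The Go code below is an added example, not vcrypt's implementation, that reproduces the shape of this contract with the standard library only. AES-256-GCM encrypts the payload; an n-of-n XOR split of the key stands in for the Shamir cryptex the page mentions (every share is required, so it gives no m-of-n threshold); and a LoadSecret callback with the page's (data, skip, err) result shape stands in for the Driver interface. The Vault fields, the LoadSecret type, the share layout and the error strings are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Vault: the AES-256-GCM payload (nonce || ciphertext) and the plan's non-secret share count.
type Vault struct {
	Payload []byte
	Shares  int
}

// LoadSecret mirrors Driver.LoadSecret's (data, skip, err) shape; skip means
// the calling role does not hold share i.
type LoadSecret func(i int) (data []byte, skip bool, err error)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// splitKey is an n-of-n XOR split: every share is needed and any n-1 shares
// are uniformly random. It stands in for the m-of-n Shamir cryptex on the page.
func splitKey(key []byte, n int) [][]byte {
	shares := make([][]byte, n)
	shares[n-1] = append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		shares[i] = mustRandom(len(key))
		for j := range key {
			shares[n-1][j] ^= shares[i][j]
		}
	}
	return shares
}

// Lock encrypts r under a fresh key and returns that key's shares as the secret
// material for the role holders; the vault itself ends up holding nothing secret.
func (v *Vault) Lock(r io.Reader) ([][]byte, error) {
	if v.Shares < 2 {
		return nil, errors.New("a multi-factor plan needs at least two shares")
	}
	plaintext, err := io.ReadAll(r)
	if err != nil {
		return nil, err
	}
	key := mustRandom(32)
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(aead.NonceSize())
	v.Payload = aead.Seal(nonce, nonce, plaintext, nil)
	return splitKey(key, v.Shares), nil
}

// Unlock keeps the page's (unlocked bool, err error) contract: a missing share
// yields (false, nil); a wrong share or tampered payload fails GCM authentication.
func (v *Vault) Unlock(w io.Writer, load LoadSecret) (bool, error) {
	key := make([]byte, 32)
	for i := 0; i < v.Shares; i++ {
		share, skip, err := load(i)
		if err != nil || skip {
			return false, err
		}
		if len(share) != len(key) {
			return false, errors.New("malformed share")
		}
		for j := range key {
			key[j] ^= share[j]
		}
	}
	aead, err := newGCM(key)
	if err != nil {
		return false, err
	}
	if len(v.Payload) < aead.NonceSize() {
		return false, errors.New("payload too short")
	}
	plaintext, err := aead.Open(nil, v.Payload[:aead.NonceSize()], v.Payload[aead.NonceSize():], nil)
	if err != nil {
		return false, err
	}
	_, err = w.Write(plaintext)
	return err == nil, err
}
```

The behaviour worth copying is in Unlock: a role that does not hold a share gets (false, nil), matching the page's (unlocked bool, err error) signature, while a wrong share or a modified payload returns a non-nil error from GCM's tag check. Callers can therefore tell "this role is not sufficient" from "this vault or share is corrupt" without ever seeing a wrongly decrypted plaintext. To use it, lock with v := &Vault{Shares: 2}; shares, err := v.Lock(r), hand each share to a different role, and unlock with v.Unlock(w, load), where load returns that role's share or skip=true.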

func (*Vault) Unmarshal

func (m *Vault) Unmarshal(data []byte) error

Directories

Path      Synopsis
cmd
cryptex   Package cryptex is a generated protocol buffer package.
internal
material  Package material is a generated protocol buffer package.
payload   Package payload is a generated protocol buffer package.
seal      Package seal is a generated protocol buffer package.
secret    Package secret is a generated protocol buffer package.
