Documentation
Overview
Package encrypt is an interface to manage encrypted storage backends. It presents an unencrypted interface to callers: bytes written to it are encrypted before being stored in the provided Child client, and decrypted again when they are read back.
File objects are encrypted under an RSA public key provided in the config (a fresh AES key encrypts the File's bytes and the RSA key encrypts that AES key; see PutFile). If an RSA private key is provided, GetFile and ListFiles will perform the reverse operation.
Chunk objects are encrypted with 256-bit AES-GCM using the AES key stored in the shade.File struct and a random 96-bit nonce stored with each shade.Chunk struct.
The sha256sum of each Chunk is AES-encrypted with the same key as the contents and a nonce that is stored in the corresponding shade.File struct. Unlike the Chunk contents, this nonce cannot simply be stored alongside the encrypted sum, because it must be known in advance in order to compute the name under which the chunk is stored. N.B.: a nonce must never be reused with the same key, so callers must reset the Nonce in a shade.Chunk whenever they update its Sha256sum value.
The sha256sum of a File object is not encrypted. The struct contains enough internal randomness (the Nonces of its shade.Chunk objects, mtime, etc.) that the sum does not leak information about the contents of the file.
Index
- func Decrypt(ciphertext []byte, key *[32]byte) (plaintext []byte, err error)
- func Encrypt(plaintext []byte, key *[32]byte) (ciphertext []byte, err error)
- func EncryptUnsafe(plaintext []byte, key *[32]byte, nonce []byte) (ciphertext []byte, err error)
- func GetEncryptedSum(sha256sum []byte, f *shade.File) (encryptedSum []byte, err error)
- func NewClient(c drive.Config) (drive.Client, error)
- type Drive
- func (s *Drive) GetChunk(sha256sum []byte, f *shade.File) ([]byte, error)
- func (s *Drive) GetConfig() drive.Config
- func (s *Drive) GetFile(sha256sum []byte) ([]byte, error)
- func (s *Drive) ListFiles() ([][]byte, error)
- func (s *Drive) Local() bool
- func (s *Drive) Persistent() bool
- func (s *Drive) PutChunk(sha256sum []byte, chunkBytes []byte, f *shade.File) error
- func (s *Drive) PutFile(sha256sum, f []byte) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func Decrypt
Decrypt decrypts data using 256-bit AES-GCM. This both hides the content of the data and verifies that it has not been altered. It expects input of the form nonce|ciphertext|tag, where '|' indicates concatenation.
func Encrypt
Encrypt encrypts data using 256-bit AES-GCM. This both hides the content of the data and provides a check that it hasn't been altered. Output takes the form nonce|ciphertext|tag where '|' indicates concatenation.
func EncryptUnsafe
EncryptUnsafe is the internal implementation of Encrypt(). It allows you to specify the key AND the nonce. Use with caution: you must not encrypt two different messages with the same key and nonce!
func GetEncryptedSum
GetEncryptedSum calculates the encrypted sha256sum that a chunk will be stored at, for a given chunk in a given file. It is used both by PutChunk to store the chunk, and later by GetChunk to find it again.
Types
type Drive
type Drive struct {
// contains filtered or unexported fields
}
Drive protects the contents of a single child drive.Client. It can return a config which describes only its name.
If any of its clients are not Local(), it reports itself as not Local() by returning false. If any of its clients are Persistent(), it requires writes to at least one of those backends to succeed, and reports itself as Persistent().
func (*Drive) GetChunk
GetChunk retrieves and decrypts the chunk with a given SHA-256 sum. It reverses the process of PutChunk; in particular, it uses the Nonce stored in the shade.File to recompute the encrypted sha256sum under which the chunk is stored in the child client.
func (*Drive) GetFile
GetFile retrieves the file object described by the sha256sum, decrypts it, and returns it to the caller. It reverses the process described in PutFile.
func (*Drive) ListFiles
ListFiles retrieves all of the File objects known to the child client. The return value is a list of the sha256sums of those File objects. Each sum may be passed to GetFile() to retrieve the corresponding shade.File.
func (*Drive) Persistent
Persistent returns true if the configured storage backend is Persistent().
func (*Drive) PutChunk
PutChunk writes a chunk associated with a SHA-256 sum. It uses the following process:
- From the provided shade.File struct, retrieve:
  - the AES key of the File
  - the Nonce of the associated shade.Chunk struct
- encrypt the sha256sum with the provided Key and Nonce
- encrypt the bytes with the provided Key and a unique Nonce
- store the encrypted bytes at the encrypted sum in the child client
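An added example, not the shade package's own code, that implements the nonce|ciphertext|tag layout documented for Encrypt, EncryptUnsafe and Decrypt with Go's crypto/cipher, and shows why the PutChunk steps above need EncryptUnsafe with the File's stored Nonce: the same key and nonce always yield the same encrypted sum, so GetChunk can recompute the storage name, while chunk contents get a fresh random nonce every time. The lowercase function names and the newGCM helper are stand-ins; the *[32]byte key type follows the index above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
const nonceSize = 12 // the 96-bit GCM nonce the package documents

func newGCM(key *[32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptUnsafe seals plaintext under a caller-chosen nonce as nonce|ciphertext|tag.
// It is deterministic: exactly what GetEncryptedSum needs, and unsafe for anything else.
func encryptUnsafe(plaintext []byte, key *[32]byte, nonce []byte) ([]byte, error) {
	if len(nonce) != nonceSize {
		return nil, errors.New("nonce must be 96 bits")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(nil), nonce...), nonce, plaintext, nil), nil
}

// encrypt is the safe entry point: a fresh random nonce on every call.
func encrypt(plaintext []byte, key *[32]byte) ([]byte, error) {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return encryptUnsafe(plaintext, key, nonce)
}

// decrypt splits nonce|ciphertext|tag; Open rejects any altered byte.
func decrypt(ciphertext []byte, key *[32]byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < nonceSize+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:nonceSize], ciphertext[nonceSize:], nil)
}
```

For a chunk, encryptUnsafe(sha256sum, key, storedNonce) plays the role of GetEncryptedSum and encrypt(chunkBytes, key) the role of Encrypt; the same stored nonce must never be handed to encrypt for a second message under the same key.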
func (*Drive) PutFile
PutFile encrypts and writes the metadata describing a new file. It uses the following process:
- generates a new 256-bit AES encryption key
- uses the new key to Encrypt() the provided File's bytes
- RSA-encrypts the AES key (but not the sha256sum of the File's bytes)
- bundles the encrypted key and encrypted bytes as an encryptedObj
- marshals the encryptedObj as JSON and stores it in the child client, keyed by the sha256sum of the plaintext
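An added example, not the shade package's own code, of the key-wrapping half of the PutFile steps above and their reversal in GetFile. It assumes RSA-OAEP with SHA-256 for the RSA step (the page does not name a padding scheme), that the File's bytes have already been sealed by Encrypt() (a constructed byte string stands in for that output), and an encryptedObj with fields named Key and Bytes; the map type child stands in for the wrapped drive.Client.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// encryptedObj is the bundle PutFile stores; the field names are assumed.
type encryptedObj struct {
	Key   []byte `json:"key"`   // the File's 256-bit AES key, RSA-OAEP wrapped
	Bytes []byte `json:"bytes"` // Encrypt() output: nonce|ciphertext|tag
}

// child stands in for the wrapped drive.Client: sha256sum -> stored object.
type child map[[32]byte][]byte

// putFile wraps the File's AES key under pub, bundles it with the sealed bytes
// and stores the JSON under the plaintext sha256sum, which stays unencrypted.
func putFile(c child, pub *rsa.PublicKey, sum [32]byte, aesKey *[32]byte, sealed []byte) error {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey[:], nil)
	if err != nil {
		return err
	}
	blob, err := json.Marshal(encryptedObj{Key: wrapped, Bytes: sealed})
	if err != nil {
		return err
	}
	c[sum] = blob
	return nil
}

// getFile fetches the object at sum, unwraps the AES key with priv and returns key and sealed bytes for Decrypt().
func getFile(c child, priv *rsa.PrivateKey, sum [32]byte) ([]byte, []byte, error) {
	blob, ok := c[sum]
	if !ok {
		return nil, nil, errors.New("no file object at that sum")
	}
	var obj encryptedObj
	if err := json.Unmarshal(blob, &obj); err != nil {
		return nil, nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, obj.Key, nil)
	if err != nil || len(key) != 32 {
		return nil, nil, errors.New("cannot unwrap the file key")
	}
	return key, obj.Bytes, nil
}
```

Without the private key a client can still enumerate the stored sums (what ListFiles returns) but cannot recover the AES key, so it cannot read the File or compute any chunk's encrypted sum.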