v0.2.6 Latest Latest
Published: Feb 11, 2020 License: Apache-2.0 Imports: 13 Imported by: 8

Documentation

Overview

Package metadata contains all of the on disk structures. These structures are defined in metadata.proto. The package also contains functions for manipulating these structures, specifically:

  • Reading and Writing the Config file to disk
  • Getting and Setting Policies for directories
  • Reasonable defaults for a Policy's EncryptionOptions

Index

Constants

// Lengths for the keys, buffers, and strings used in fscrypt. Descriptor
// lengths are in hex characters; the remaining lengths are in bytes.
const (
	// PolicyDescriptorLenV1 is the length of a policy descriptor (in hex
	// chars) for v1 encryption policies.
	PolicyDescriptorLenV1 = 2 * unix.FSCRYPT_KEY_DESCRIPTOR_SIZE
	// ProtectorDescriptorLen is the length of a protector descriptor (in hex
	// chars); it is the same as a v1 policy descriptor.
	ProtectorDescriptorLen = PolicyDescriptorLenV1
	// PolicyDescriptorLenV2 is the length of a policy descriptor (in hex
	// chars) for v2 encryption policies, which identify keys differently
	// from v1 (FSCRYPT_KEY_IDENTIFIER_SIZE rather than
	// FSCRYPT_KEY_DESCRIPTOR_SIZE).
	PolicyDescriptorLenV2 = 2 * unix.FSCRYPT_KEY_IDENTIFIER_SIZE
	// InternalKeyLen: we always use 256-bit keys internally (compared to
	// 512-bit policy keys). IVLen and SaltLen are the lengths of the IV and
	// salt buffers (presumably WrappedKeyData.IV and ProtectorData.Salt;
	// confirm against the respective CheckValidity methods).
	InternalKeyLen = 32
	IVLen          = 16
	SaltLen        = 16
	// HMACLen: we use SHA256 for the HMAC, and len(HMAC) == len(hash size).
	HMACLen = sha256.Size
	// PolicyKeyLen is the length of all keys passed directly to the Keyring.
	PolicyKeyLen = unix.FSCRYPT_MAX_KEY_SIZE
)

Lengths for our keys, buffers, and strings used in fscrypt.

Variables

var (
	// DefaultOptions use the supported encryption modes, max padding, and
	// policy version 1 (v2 policies also exist; see PolicyDescriptorLenV2
	// and EncryptionOptions.PolicyVersion).
	//
	// NOTE(review): this is a pointer to a single shared EncryptionOptions.
	// Callers that want different options should build their own value
	// rather than mutate the fields behind this pointer, since any change
	// is visible to every other user of DefaultOptions.
	DefaultOptions = &EncryptionOptions{
		Padding:       32,
		Contents:      EncryptionOptions_AES_256_XTS, // mode for file contents
		Filenames:     EncryptionOptions_AES_256_CTS, // mode for filenames
		PolicyVersion: 1,
	}
	// DefaultSource is the source we use if none is specified.
	DefaultSource = SourceType_custom_passphrase
)
// Encryption specific errors. Compare against the sentinel values with
// errors.Is rather than ==, since callers may receive them wrapped.
var (
	// ErrEncryptionNotSupported: the kernel or filesystem cannot do
	// filesystem encryption at all (presumably what CheckSupport reports).
	ErrEncryptionNotSupported = errors.New("encryption not supported")
	// ErrEncryptionNotEnabled: encryption is supported but the filesystem
	// does not have the feature enabled (presumably also from CheckSupport).
	ErrEncryptionNotEnabled = errors.New("encryption not enabled")
	// ErrNotEncrypted: the path has no encryption policy (likely the error
	// GetPolicy returns for an unencrypted path).
	ErrNotEncrypted = errors.New("file or directory not encrypted")
	// ErrEncrypted: the path already has an encryption policy (likely from
	// SetPolicy on an already-encrypted directory).
	ErrEncrypted = errors.New("file or directory already encrypted")
	// ErrBadEncryptionOptions is a util.SystemError, not a plain
	// errors.New value, so it may carry different semantics when matched.
	ErrBadEncryptionOptions = util.SystemError("invalid encryption options provided")
)

Encryption specific errors

// EncryptionOptions_Mode_name is the protobuf enum name table for
// EncryptionOptions_Mode (see metadata.proto). Values 7 and 8 are
// intentionally absent; a value with no entry here has no name and is
// presumably what EncryptionOptions_Mode.CheckValidity rejects.
var EncryptionOptions_Mode_name = map[int32]string{
	0: "default",
	1: "AES_256_XTS",
	2: "AES_256_GCM",
	3: "AES_256_CBC",
	4: "AES_256_CTS",
	5: "AES_128_CBC",
	6: "AES_128_CTS",
	9: "Adiantum",
}
// EncryptionOptions_Mode_value is the inverse of EncryptionOptions_Mode_name:
// the protobuf enum value table mapping each mode name to its numeric value
// (see metadata.proto). Lookups are case-sensitive.
var EncryptionOptions_Mode_value = map[string]int32{
	"default":     0,
	"AES_256_XTS": 1,
	"AES_256_GCM": 2,
	"AES_256_CBC": 3,
	"AES_256_CTS": 4,
	"AES_128_CBC": 5,
	"AES_128_CTS": 6,
	"Adiantum":    9,
}
// SourceType_name is the protobuf enum name table for SourceType (see
// metadata.proto). A value with no entry here has no name and is presumably
// what SourceType.CheckValidity rejects.
var SourceType_name = map[int32]string{
	0: "default",
	1: "pam_passphrase",
	2: "custom_passphrase",
	3: "raw_key",
}
// SourceType_value is the inverse of SourceType_name: the protobuf enum
// value table mapping each source name to its numeric value (see
// metadata.proto). Lookups are case-sensitive.
var SourceType_value = map[string]int32{
	"default":           0,
	"pam_passphrase":    1,
	"custom_passphrase": 2,
	"raw_key":           3,
}

Functions

func CheckSupport

func CheckSupport(path string) error

CheckSupport returns an error if the filesystem containing path does not support filesystem encryption. This can happen for many reasons, including an incompatible kernel or filesystem, or the required feature flags not being enabled.

func SetPolicy

func SetPolicy(path string, data *PolicyData) error

SetPolicy sets up the specified directory to be encrypted with the specified policy. Returns an error if we cannot set the policy for any reason (not a directory, invalid options or KeyDescriptor, etc).

func WriteConfig

func WriteConfig(config *Config, out io.Writer) error

WriteConfig writes the Config data to out as nicely formatted JSON.

Types

type Config

// Config is the data stored in the config file. It is a protobuf message
// (see metadata.proto) and is read from and written to disk as JSON by
// ReadConfig and WriteConfig. Config.CheckValidity checks that the fields
// required for Source are present.
type Config struct {
	// Source is the default SourceType used for new protectors.
	Source                    SourceType         `protobuf:"varint,1,opt,name=source,proto3,enum=metadata.SourceType" json:"source,omitempty"`
	// HashCosts are the Argon2 cost parameters (see HashingCosts).
	HashCosts                 *HashingCosts      `protobuf:"bytes,2,opt,name=hash_costs,json=hashCosts,proto3" json:"hash_costs,omitempty"`
	// Compatibility is a comma separated list of compatibility options;
	// query it with HasCompatibilityOption rather than parsing it directly.
	Compatibility             string             `protobuf:"bytes,3,opt,name=compatibility,proto3" json:"compatibility,omitempty"`
	// Options are the default EncryptionOptions for new policies.
	Options                   *EncryptionOptions `protobuf:"bytes,4,opt,name=options,proto3" json:"options,omitempty"`
	// UseFsKeyringForV1Policies was added in v0.2.6. NOTE(review): its struct
	// tag is truncated by the documentation renderer; consult the generated
	// source for the real tag.
	UseFsKeyringForV1Policies bool               `` /* 145-byte string literal not displayed */
	// XXX_* fields are protobuf-internal bookkeeping and are excluded from
	// the JSON form (`json:"-"`).
	XXX_NoUnkeyedLiteral      struct{}           `json:"-"`
	XXX_unrecognized          []byte             `json:"-"`
	XXX_sizecache             int32              `json:"-"`
}

Data stored in the config file.

func ReadConfig

func ReadConfig(in io.Reader) (*Config, error)

ReadConfig reads JSON data from in and decodes it into a Config structure.

func (*Config) CheckValidity

func (c *Config) CheckValidity() error

CheckValidity ensures the Config has all the necessary info for its Source.

func (*Config) Descriptor

func (*Config) Descriptor() ([]byte, []int)

func (*Config) GetCompatibility

func (m *Config) GetCompatibility() string

func (*Config) GetHashCosts

func (m *Config) GetHashCosts() *HashingCosts

func (*Config) GetOptions

func (m *Config) GetOptions() *EncryptionOptions

func (*Config) GetSource

func (m *Config) GetSource() SourceType

func (*Config) GetUseFsKeyringForV1Policies added in v0.2.6

func (m *Config) GetUseFsKeyringForV1Policies() bool

func (*Config) HasCompatibilityOption

func (c *Config) HasCompatibilityOption(option string) bool

HasCompatibilityOption returns true if the specified string is in the list of compatibility options. This assumes the compatibility options are in a comma separated string.

func (*Config) ProtoMessage

func (*Config) ProtoMessage()

func (*Config) Reset

func (m *Config) Reset()

func (*Config) String

func (m *Config) String() string

func (*Config) XXX_DiscardUnknown added in v0.2.5

func (m *Config) XXX_DiscardUnknown()

func (*Config) XXX_Marshal added in v0.2.5

func (m *Config) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Config) XXX_Merge added in v0.2.5

func (dst *Config) XXX_Merge(src proto.Message)

func (*Config) XXX_Size added in v0.2.5

func (m *Config) XXX_Size() int

func (*Config) XXX_Unmarshal added in v0.2.5

func (m *Config) XXX_Unmarshal(b []byte) error

type EncryptionOptions

// EncryptionOptions holds the encryption policy specifics and corresponds
// to the fscrypt_policy struct. EncryptionOptions.CheckValidity ensures each
// of the options is valid; DefaultOptions provides the package defaults.
type EncryptionOptions struct {
	// Padding is the filename padding; DefaultOptions uses 32 ("max padding").
	Padding              int64                  `protobuf:"varint,1,opt,name=padding,proto3" json:"padding,omitempty"`
	// Contents is the cipher mode used for file contents.
	Contents             EncryptionOptions_Mode `protobuf:"varint,2,opt,name=contents,proto3,enum=metadata.EncryptionOptions_Mode" json:"contents,omitempty"`
	// Filenames is the cipher mode used for filenames.
	Filenames            EncryptionOptions_Mode `protobuf:"varint,3,opt,name=filenames,proto3,enum=metadata.EncryptionOptions_Mode" json:"filenames,omitempty"`
	// PolicyVersion selects the fscrypt policy version (1 or 2, presumably,
	// matching PolicyDescriptorLenV1/PolicyDescriptorLenV2; confirm against
	// CheckValidity). DefaultOptions uses 1.
	PolicyVersion        int64                  `protobuf:"varint,4,opt,name=policy_version,json=policyVersion,proto3" json:"policy_version,omitempty"`
	// XXX_* fields are protobuf-internal bookkeeping and are excluded from
	// the JSON form (`json:"-"`).
	XXX_NoUnkeyedLiteral struct{}               `json:"-"`
	XXX_unrecognized     []byte                 `json:"-"`
	XXX_sizecache        int32                  `json:"-"`
}

Encryption policy specifics; corresponds to the fscrypt_policy struct.

func (*EncryptionOptions) CheckValidity

func (e *EncryptionOptions) CheckValidity() error

CheckValidity ensures each of the options is valid.

func (*EncryptionOptions) Descriptor

func (*EncryptionOptions) Descriptor() ([]byte, []int)

func (*EncryptionOptions) GetContents

func (m *EncryptionOptions) GetContents() EncryptionOptions_Mode

func (*EncryptionOptions) GetFilenames

func (m *EncryptionOptions) GetFilenames() EncryptionOptions_Mode

func (*EncryptionOptions) GetPadding

func (m *EncryptionOptions) GetPadding() int64

func (*EncryptionOptions) GetPolicyVersion added in v0.2.6

func (m *EncryptionOptions) GetPolicyVersion() int64

func (*EncryptionOptions) ProtoMessage

func (*EncryptionOptions) ProtoMessage()

func (*EncryptionOptions) Reset

func (m *EncryptionOptions) Reset()

func (*EncryptionOptions) String

func (m *EncryptionOptions) String() string

func (*EncryptionOptions) XXX_DiscardUnknown added in v0.2.5

func (m *EncryptionOptions) XXX_DiscardUnknown()

func (*EncryptionOptions) XXX_Marshal added in v0.2.5

func (m *EncryptionOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*EncryptionOptions) XXX_Merge added in v0.2.5

func (dst *EncryptionOptions) XXX_Merge(src proto.Message)

func (*EncryptionOptions) XXX_Size added in v0.2.5

func (m *EncryptionOptions) XXX_Size() int

func (*EncryptionOptions) XXX_Unmarshal added in v0.2.5

func (m *EncryptionOptions) XXX_Unmarshal(b []byte) error

type EncryptionOptions_Mode

// EncryptionOptions_Mode is the type of encryption; its values should match
// the declarations of unix.FSCRYPT_MODE. Names are resolved through
// EncryptionOptions_Mode_name / EncryptionOptions_Mode_value.
type EncryptionOptions_Mode int32

Type of encryption; should match the declarations of unix.FSCRYPT_MODE.

// EncryptionOptions_Mode values. Numeric values are meant to line up with
// unix.FSCRYPT_MODE; 7 and 8 are deliberately unassigned here.
const (
	// EncryptionOptions_default (0) is the unset value; presumably the
	// "empty" mode that EncryptionOptions_Mode.CheckValidity rejects.
	EncryptionOptions_default     EncryptionOptions_Mode = 0
	EncryptionOptions_AES_256_XTS EncryptionOptions_Mode = 1 // DefaultOptions.Contents
	EncryptionOptions_AES_256_GCM EncryptionOptions_Mode = 2
	EncryptionOptions_AES_256_CBC EncryptionOptions_Mode = 3
	EncryptionOptions_AES_256_CTS EncryptionOptions_Mode = 4 // DefaultOptions.Filenames
	EncryptionOptions_AES_128_CBC EncryptionOptions_Mode = 5
	EncryptionOptions_AES_128_CTS EncryptionOptions_Mode = 6
	EncryptionOptions_Adiantum    EncryptionOptions_Mode = 9
)

func (EncryptionOptions_Mode) CheckValidity

func (m EncryptionOptions_Mode) CheckValidity() error

CheckValidity ensures the mode has a name and isn't empty.

func (EncryptionOptions_Mode) EnumDescriptor

func (EncryptionOptions_Mode) EnumDescriptor() ([]byte, []int)

func (EncryptionOptions_Mode) String

func (x EncryptionOptions_Mode) String() string

type HashingCosts

// HashingCosts are the cost parameters to be used in our hashing functions.
// HashingCosts.CheckValidity ensures the costs will be accepted by Argon2.
// Proto field number 1 is not used by this message.
type HashingCosts struct {
	// Time is the Argon2 time cost (number of passes).
	Time                 int64    `protobuf:"varint,2,opt,name=time,proto3" json:"time,omitempty"`
	// Memory is the Argon2 memory cost; its unit is not documented here —
	// confirm against CheckValidity and the hashing code.
	Memory               int64    `protobuf:"varint,3,opt,name=memory,proto3" json:"memory,omitempty"`
	// Parallelism is the Argon2 parallelism (number of lanes).
	Parallelism          int64    `protobuf:"varint,4,opt,name=parallelism,proto3" json:"parallelism,omitempty"`
	// XXX_* fields are protobuf-internal bookkeeping and are excluded from
	// the JSON form (`json:"-"`).
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Cost parameters to be used in our hashing functions.

func (*HashingCosts) CheckValidity

func (h *HashingCosts) CheckValidity() error

CheckValidity ensures the hash costs will be accepted by Argon2.

func (*HashingCosts) Descriptor

func (*HashingCosts) Descriptor() ([]byte, []int)

func (*HashingCosts) GetMemory

func (m *HashingCosts) GetMemory() int64

func (*HashingCosts) GetParallelism

func (m *HashingCosts) GetParallelism() int64

func (*HashingCosts) GetTime

func (m *HashingCosts) GetTime() int64

func (*HashingCosts) ProtoMessage

func (*HashingCosts) ProtoMessage()

func (*HashingCosts) Reset

func (m *HashingCosts) Reset()

func (*HashingCosts) String

func (m *HashingCosts) String() string

func (*HashingCosts) XXX_DiscardUnknown added in v0.2.5

func (m *HashingCosts) XXX_DiscardUnknown()

func (*HashingCosts) XXX_Marshal added in v0.2.5

func (m *HashingCosts) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*HashingCosts) XXX_Merge added in v0.2.5

func (dst *HashingCosts) XXX_Merge(src proto.Message)

func (*HashingCosts) XXX_Size added in v0.2.5

func (m *HashingCosts) XXX_Size() int

func (*HashingCosts) XXX_Unmarshal added in v0.2.5

func (m *HashingCosts) XXX_Unmarshal(b []byte) error

type Metadata

// Metadata is the interface to all of the protobuf structures that can be
// checked for validity. Config, EncryptionOptions, HashingCosts, PolicyData,
// ProtectorData, WrappedKeyData and WrappedPolicyKey each define
// CheckValidity and so satisfy it.
type Metadata interface {
	// CheckValidity returns an error when the structure's contents are
	// inconsistent or have the wrong lengths. It is presumably intended to
	// be run on data read from disk before that data is relied upon.
	CheckValidity() error
	proto.Message
}

Metadata is the interface to all of the protobuf structures that can be checked for validity.

type PolicyData

// PolicyData is the associated data for each policy. GetPolicy reads it
// from an encrypted path and SetPolicy applies it to a directory;
// PolicyData.CheckValidity ensures the fields and each wrapped key are valid.
type PolicyData struct {
	// KeyDescriptor is the hex policy descriptor. Its expected length is
	// PolicyDescriptorLenV1 or PolicyDescriptorLenV2, presumably depending
	// on Options.PolicyVersion — confirm against CheckValidity.
	KeyDescriptor        string              `protobuf:"bytes,1,opt,name=key_descriptor,json=keyDescriptor,proto3" json:"key_descriptor,omitempty"`
	// Options are the encryption options (modes, padding, policy version).
	Options              *EncryptionOptions  `protobuf:"bytes,2,opt,name=options,proto3" json:"options,omitempty"`
	// WrappedPolicyKeys holds one WrappedPolicyKey per protector that can
	// unlock this policy; each entry names its protector by descriptor.
	WrappedPolicyKeys    []*WrappedPolicyKey `protobuf:"bytes,3,rep,name=wrapped_policy_keys,json=wrappedPolicyKeys,proto3" json:"wrapped_policy_keys,omitempty"`
	// XXX_* fields are protobuf-internal bookkeeping and are excluded from
	// the JSON form (`json:"-"`).
	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
	XXX_unrecognized     []byte              `json:"-"`
	XXX_sizecache        int32               `json:"-"`
}

The associated data for each policy.

func GetPolicy

func GetPolicy(path string) (*PolicyData, error)

GetPolicy returns the Policy data for the given directory or file (includes the KeyDescriptor and the encryption options). Returns an error if the path is not encrypted or the policy couldn't be retrieved.

func (*PolicyData) CheckValidity

func (p *PolicyData) CheckValidity() error

CheckValidity ensures the fields and each wrapped key are valid.

func (*PolicyData) Descriptor

func (*PolicyData) Descriptor() ([]byte, []int)

func (*PolicyData) GetKeyDescriptor

func (m *PolicyData) GetKeyDescriptor() string

func (*PolicyData) GetOptions

func (m *PolicyData) GetOptions() *EncryptionOptions

func (*PolicyData) GetWrappedPolicyKeys

func (m *PolicyData) GetWrappedPolicyKeys() []*WrappedPolicyKey

func (*PolicyData) ProtoMessage

func (*PolicyData) ProtoMessage()

func (*PolicyData) Reset

func (m *PolicyData) Reset()

func (*PolicyData) String

func (m *PolicyData) String() string

func (*PolicyData) XXX_DiscardUnknown added in v0.2.5

func (m *PolicyData) XXX_DiscardUnknown()

func (*PolicyData) XXX_Marshal added in v0.2.5

func (m *PolicyData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*PolicyData) XXX_Merge added in v0.2.5

func (dst *PolicyData) XXX_Merge(src proto.Message)

func (*PolicyData) XXX_Size added in v0.2.5

func (m *PolicyData) XXX_Size() int

func (*PolicyData) XXX_Unmarshal added in v0.2.5

func (m *PolicyData) XXX_Unmarshal(b []byte) error

type ProtectorData

// ProtectorData is the associated data for each protector.
// ProtectorData.CheckValidity ensures the data has the correct fields for
// its Source; which of the optional fields must be set depends on Source.
type ProtectorData struct {
	// ProtectorDescriptor is the hex protector descriptor
	// (ProtectorDescriptorLen chars).
	ProtectorDescriptor string     `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor,proto3" json:"protector_descriptor,omitempty"`
	// Source says how the outside secret for this protector is obtained.
	Source              SourceType `protobuf:"varint,2,opt,name=source,proto3,enum=metadata.SourceType" json:"source,omitempty"`
	// These are only used by some of the protector types
	// (presumably the passphrase sources need Costs and Salt; confirm
	// against CheckValidity).
	Name                 string          `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
	Costs                *HashingCosts   `protobuf:"bytes,4,opt,name=costs,proto3" json:"costs,omitempty"`
	// Salt is the per-protector hashing salt (SaltLen bytes, presumably).
	Salt                 []byte          `protobuf:"bytes,5,opt,name=salt,proto3" json:"salt,omitempty"`
	Uid                  int64           `protobuf:"varint,6,opt,name=uid,proto3" json:"uid,omitempty"`
	// WrappedKey is the protector's key in authenticated wrapped form; see
	// WrappedKeyData. Which secret wraps it depends on Source.
	WrappedKey           *WrappedKeyData `protobuf:"bytes,7,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"`
	// XXX_* fields are protobuf-internal bookkeeping and are excluded from
	// the JSON form (`json:"-"`).
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

The associated data for each protector.

func (*ProtectorData) CheckValidity

func (p *ProtectorData) CheckValidity() error

CheckValidity ensures our ProtectorData has the correct fields for its source.

func (*ProtectorData) Descriptor

func (*ProtectorData) Descriptor() ([]byte, []int)

func (*ProtectorData) GetCosts

func (m *ProtectorData) GetCosts() *HashingCosts

func (*ProtectorData) GetName

func (m *ProtectorData) GetName() string

func (*ProtectorData) GetProtectorDescriptor

func (m *ProtectorData) GetProtectorDescriptor() string

func (*ProtectorData) GetSalt

func (m *ProtectorData) GetSalt() []byte

func (*ProtectorData) GetSource

func (m *ProtectorData) GetSource() SourceType

func (*ProtectorData) GetUid

func (m *ProtectorData) GetUid() int64

func (*ProtectorData) GetWrappedKey

func (m *ProtectorData) GetWrappedKey() *WrappedKeyData

func (*ProtectorData) ProtoMessage

func (*ProtectorData) ProtoMessage()

func (*ProtectorData) Reset

func (m *ProtectorData) Reset()

func (*ProtectorData) String

func (m *ProtectorData) String() string

func (*ProtectorData) XXX_DiscardUnknown added in v0.2.5

func (m *ProtectorData) XXX_DiscardUnknown()

func (*ProtectorData) XXX_Marshal added in v0.2.5

func (m *ProtectorData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ProtectorData) XXX_Merge added in v0.2.5

func (dst *ProtectorData) XXX_Merge(src proto.Message)

func (*ProtectorData) XXX_Size added in v0.2.5

func (m *ProtectorData) XXX_Size() int

func (*ProtectorData) XXX_Unmarshal added in v0.2.5

func (m *ProtectorData) XXX_Unmarshal(b []byte) error

type SourceType

// SourceType specifies the method in which an outside secret is obtained
// for a Protector. Names are resolved through SourceType_name /
// SourceType_value; DefaultSource is used when none is specified.
type SourceType int32

Specifies the method by which an outside secret is obtained for a Protector.

// SourceType values.
const (
	// SourceType_default (0) is the unset value; presumably the "empty"
	// source that SourceType.CheckValidity rejects.
	SourceType_default           SourceType = 0
	SourceType_pam_passphrase    SourceType = 1
	SourceType_custom_passphrase SourceType = 2 // DefaultSource
	SourceType_raw_key           SourceType = 3
)

func (SourceType) CheckValidity

func (s SourceType) CheckValidity() error

CheckValidity ensures the source has a name and isn't empty.

func (SourceType) EnumDescriptor

func (SourceType) EnumDescriptor() ([]byte, []int)

func (SourceType) String

func (x SourceType) String() string

type WrappedKeyData

// WrappedKeyData is used for our authenticated wrapping/unwrapping of keys.
// WrappedKeyData.CheckValidity ensures the buffers are the correct length
// (presumably IVLen for IV and HMACLen for Hmac; confirm against the
// implementation). The wrapping cipher and exactly which bytes the HMAC
// covers are not documented here.
type WrappedKeyData struct {
	// IV is the initialization vector used for the wrapping.
	IV                   []byte   `protobuf:"bytes,1,opt,name=IV,proto3" json:"IV,omitempty"`
	// EncryptedKey is the wrapped (encrypted) key material.
	EncryptedKey         []byte   `protobuf:"bytes,2,opt,name=encrypted_key,json=encryptedKey,proto3" json:"encrypted_key,omitempty"`
	// Hmac authenticates the wrapped key; it is SHA256-based, so its length
	// is HMACLen (sha256.Size). NOTE(review): unwrapping code should verify
	// this before decrypting and treat a mismatch as a hard error — confirm
	// the implementation does so.
	Hmac                 []byte   `protobuf:"bytes,3,opt,name=hmac,proto3" json:"hmac,omitempty"`
	// XXX_* fields are protobuf-internal bookkeeping and are excluded from
	// the JSON form (`json:"-"`).
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

This structure is used for our authenticated wrapping/unwrapping of keys.

func (*WrappedKeyData) CheckValidity

func (w *WrappedKeyData) CheckValidity() error

CheckValidity ensures our buffers are the correct length.

func (*WrappedKeyData) Descriptor

func (*WrappedKeyData) Descriptor() ([]byte, []int)

func (*WrappedKeyData) GetEncryptedKey

func (m *WrappedKeyData) GetEncryptedKey() []byte

func (*WrappedKeyData) GetHmac

func (m *WrappedKeyData) GetHmac() []byte

func (*WrappedKeyData) GetIV

func (m *WrappedKeyData) GetIV() []byte

func (*WrappedKeyData) ProtoMessage

func (*WrappedKeyData) ProtoMessage()

func (*WrappedKeyData) Reset

func (m *WrappedKeyData) Reset()

func (*WrappedKeyData) String

func (m *WrappedKeyData) String() string

func (*WrappedKeyData) XXX_DiscardUnknown added in v0.2.5

func (m *WrappedKeyData) XXX_DiscardUnknown()

func (*WrappedKeyData) XXX_Marshal added in v0.2.5

func (m *WrappedKeyData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*WrappedKeyData) XXX_Merge added in v0.2.5

func (dst *WrappedKeyData) XXX_Merge(src proto.Message)

func (*WrappedKeyData) XXX_Size added in v0.2.5

func (m *WrappedKeyData) XXX_Size() int

func (*WrappedKeyData) XXX_Unmarshal added in v0.2.5

func (m *WrappedKeyData) XXX_Unmarshal(b []byte) error

type WrappedPolicyKey

// WrappedPolicyKey is one entry of PolicyData.WrappedPolicyKeys: a policy
// key wrapped under a single protector. WrappedPolicyKey.CheckValidity
// ensures the fields are valid and have the correct lengths.
type WrappedPolicyKey struct {
	// ProtectorDescriptor identifies the protector whose key wraps this
	// policy key (ProtectorDescriptorLen hex chars).
	ProtectorDescriptor  string          `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor,proto3" json:"protector_descriptor,omitempty"`
	// WrappedKey is the policy key in authenticated wrapped form; see
	// WrappedKeyData.
	WrappedKey           *WrappedKeyData `protobuf:"bytes,2,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"`
	// XXX_* fields are protobuf-internal bookkeeping and are excluded from
	// the JSON form (`json:"-"`).
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

func (*WrappedPolicyKey) CheckValidity

func (w *WrappedPolicyKey) CheckValidity() error

CheckValidity ensures the fields are valid and have the correct lengths.

func (*WrappedPolicyKey) Descriptor

func (*WrappedPolicyKey) Descriptor() ([]byte, []int)

func (*WrappedPolicyKey) GetProtectorDescriptor

func (m *WrappedPolicyKey) GetProtectorDescriptor() string

func (*WrappedPolicyKey) GetWrappedKey

func (m *WrappedPolicyKey) GetWrappedKey() *WrappedKeyData

func (*WrappedPolicyKey) ProtoMessage

func (*WrappedPolicyKey) ProtoMessage()

func (*WrappedPolicyKey) Reset

func (m *WrappedPolicyKey) Reset()

func (*WrappedPolicyKey) String

func (m *WrappedPolicyKey) String() string

func (*WrappedPolicyKey) XXX_DiscardUnknown added in v0.2.5

func (m *WrappedPolicyKey) XXX_DiscardUnknown()

func (*WrappedPolicyKey) XXX_Marshal added in v0.2.5

func (m *WrappedPolicyKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*WrappedPolicyKey) XXX_Merge added in v0.2.5

func (dst *WrappedPolicyKey) XXX_Merge(src proto.Message)

func (*WrappedPolicyKey) XXX_Size added in v0.2.5

func (m *WrappedPolicyKey) XXX_Size() int

func (*WrappedPolicyKey) XXX_Unmarshal added in v0.2.5

func (m *WrappedPolicyKey) XXX_Unmarshal(b []byte) error
