metadata

package
Published: Mar 31, 2021 License: Apache-2.0 Imports: 15 Imported by: 8

Documentation

Overview

Package metadata contains all of the on-disk structures. These structures are defined in metadata.proto. The package also contains functions for manipulating these structures, specifically:

  • Reading and Writing the Config file to disk
  • Getting and Setting Policies for directories
  • Reasonable defaults for a Policy's EncryptionOptions

Index

Constants

// Lengths for our keys, buffers, and strings used in fscrypt.
//
// The descriptor lengths are counted in hex characters (two per byte), since
// descriptors are handled as hex strings. InternalKeyLen (256 bits) and
// HMACLen (sha256.Size) are byte counts; IVLen and SaltLen are presumably byte
// counts as well — confirm against the code that allocates them before
// changing any of these values, as every on-disk structure depends on them.
const (
	// Length of policy descriptor (in hex chars) for v1 encryption policies
	PolicyDescriptorLenV1 = 2 * unix.FSCRYPT_KEY_DESCRIPTOR_SIZE
	// Length of protector descriptor (in hex chars)
	ProtectorDescriptorLen = PolicyDescriptorLenV1
	// Length of policy descriptor (in hex chars) for v2 encryption policies
	PolicyDescriptorLenV2 = 2 * unix.FSCRYPT_KEY_IDENTIFIER_SIZE
	// We always use 256-bit keys internally (compared to 512-bit policy keys).
	InternalKeyLen = 32
	IVLen          = 16
	SaltLen        = 16
	// We use SHA256 for the HMAC, and len(HMAC) == len(hash size).
	HMACLen = sha256.Size
	// PolicyKeyLen is the length of all keys passed directly to the Keyring
	PolicyKeyLen = unix.FSCRYPT_MAX_KEY_SIZE
)

Lengths for our keys, buffers, and strings used in fscrypt.

Variables

// Package-level defaults used when the caller does not specify options or a
// source.
var (
	// DefaultOptions use the supported encryption modes, max padding, and
	// policy version 1.
	//
	// NOTE(review): this is a shared *EncryptionOptions, so any caller that
	// mutates it changes the defaults for every later caller — confirm it is
	// only ever read, or copy it before modifying.
	DefaultOptions = &EncryptionOptions{
		Padding:       32,
		Contents:      EncryptionOptions_AES_256_XTS,
		Filenames:     EncryptionOptions_AES_256_CTS,
		PolicyVersion: 1,
	}
	// DefaultSource is the source we use if none is specified.
	DefaultSource = SourceType_custom_passphrase
)
// Sentinel errors returned when a filesystem cannot be used for encryption.
// Match them with errors.Is so wrapped errors are still recognised.
var (
	// ErrEncryptionNotSupported indicates that encryption is not supported
	// on the given filesystem, and there is no way to enable it.
	ErrEncryptionNotSupported = errors.New("encryption not supported")

	// ErrEncryptionNotEnabled indicates that encryption is not supported on
	// the given filesystem, but there is a way to enable it.
	ErrEncryptionNotEnabled = errors.New("encryption not enabled")
)
// EncryptionOptions_Mode_name maps each EncryptionOptions_Mode value to its
// name, as generated from metadata.proto. Values 7 and 8 are absent; the
// numbering presumably follows the unix.FSCRYPT_MODE constants, so do not
// renumber to close the gap.
var EncryptionOptions_Mode_name = map[int32]string{
	0: "default",
	1: "AES_256_XTS",
	2: "AES_256_GCM",
	3: "AES_256_CBC",
	4: "AES_256_CTS",
	5: "AES_128_CBC",
	6: "AES_128_CTS",
	9: "Adiantum",
}
// EncryptionOptions_Mode_value is the inverse of EncryptionOptions_Mode_name:
// it maps a mode name back to its numeric value. It is generated from
// metadata.proto and must stay in sync with the name table.
var EncryptionOptions_Mode_value = map[string]int32{
	"default":     0,
	"AES_256_XTS": 1,
	"AES_256_GCM": 2,
	"AES_256_CBC": 3,
	"AES_256_CTS": 4,
	"AES_128_CBC": 5,
	"AES_128_CTS": 6,
	"Adiantum":    9,
}
// SourceType_name maps each SourceType value to its name, as generated from
// metadata.proto.
var SourceType_name = map[int32]string{
	0: "default",
	1: "pam_passphrase",
	2: "custom_passphrase",
	3: "raw_key",
}
// SourceType_value is the inverse of SourceType_name: it maps a source name
// back to its numeric value. Generated from metadata.proto; keep in sync.
var SourceType_value = map[string]int32{
	"default":           0,
	"pam_passphrase":    1,
	"custom_passphrase": 2,
	"raw_key":           3,
}

Functions

func CheckSupport

func CheckSupport(path string) error

CheckSupport returns an error if the filesystem containing path does not support filesystem encryption. This can be for many reasons, including an incompatible kernel or filesystem, or the right feature flags not being enabled.

func SetPolicy

func SetPolicy(path string, data *PolicyData) error

SetPolicy sets up the specified directory to be encrypted with the specified policy. Returns an error if we cannot set the policy for any reason (not a directory, invalid options or KeyDescriptor, etc).

func WriteConfig

func WriteConfig(config *Config, out io.Writer) error

WriteConfig outputs the Config data as nicely formatted JSON.

Types

type Config

// Config is the data stored in the config file. It is read from and written
// to disk as JSON by ReadConfig and WriteConfig, and CheckValidity checks that
// the fields required by Source are present.
//
// Source selects how the protector secret is obtained (see SourceType);
// HashCosts carries the Argon2 cost parameters and Options the
// EncryptionOptions to apply. UseFsKeyringForV1Policies is, judging by its
// name, a switch for using the filesystem keyring with v1 policies — confirm
// its exact meaning in metadata.proto. The XXX_ fields are protobuf-generated
// bookkeeping and are excluded from JSON via `json:"-"`.
//
// NOTE(review): the config is trusted input for every later operation; run
// CheckValidity on anything decoded from disk before using it.
type Config struct {
	Source                    SourceType         `protobuf:"varint,1,opt,name=source,proto3,enum=metadata.SourceType" json:"source,omitempty"`
	HashCosts                 *HashingCosts      `protobuf:"bytes,2,opt,name=hash_costs,json=hashCosts,proto3" json:"hash_costs,omitempty"`
	Options                   *EncryptionOptions `protobuf:"bytes,4,opt,name=options,proto3" json:"options,omitempty"`
	UseFsKeyringForV1Policies bool               `` /* 145-byte string literal not displayed */
	XXX_NoUnkeyedLiteral      struct{}           `json:"-"`
	XXX_unrecognized          []byte             `json:"-"`
	XXX_sizecache             int32              `json:"-"`
}

Data stored in the config file

func ReadConfig

func ReadConfig(in io.Reader) (*Config, error)

ReadConfig parses the JSON data from in into a Config structure.

func (*Config) CheckValidity

func (c *Config) CheckValidity() error

CheckValidity ensures the Config has all the necessary info for its Source.

func (*Config) Descriptor

func (*Config) Descriptor() ([]byte, []int)

func (*Config) GetHashCosts

func (m *Config) GetHashCosts() *HashingCosts

func (*Config) GetOptions

func (m *Config) GetOptions() *EncryptionOptions

func (*Config) GetSource

func (m *Config) GetSource() SourceType

func (*Config) GetUseFsKeyringForV1Policies added in v0.2.6

func (m *Config) GetUseFsKeyringForV1Policies() bool

func (*Config) ProtoMessage

func (*Config) ProtoMessage()

func (*Config) Reset

func (m *Config) Reset()

func (*Config) String

func (m *Config) String() string

func (*Config) XXX_DiscardUnknown added in v0.2.5

func (m *Config) XXX_DiscardUnknown()

func (*Config) XXX_Marshal added in v0.2.5

func (m *Config) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Config) XXX_Merge added in v0.2.5

func (dst *Config) XXX_Merge(src proto.Message)

func (*Config) XXX_Size added in v0.2.5

func (m *Config) XXX_Size() int

func (*Config) XXX_Unmarshal added in v0.2.5

func (m *Config) XXX_Unmarshal(b []byte) error

type EncryptionOptions

// EncryptionOptions holds the encryption policy specifics and corresponds to
// the kernel's fscrypt_policy struct. Contents and Filenames are the
// EncryptionOptions_Mode values used for file contents and for filenames;
// Padding and PolicyVersion are plain integers (DefaultOptions uses Padding
// 32 and PolicyVersion 1). CheckValidity checks each option individually.
// The XXX_ fields are protobuf-generated bookkeeping and are excluded from
// JSON via `json:"-"`.
type EncryptionOptions struct {
	Padding              int64                  `protobuf:"varint,1,opt,name=padding,proto3" json:"padding,omitempty"`
	Contents             EncryptionOptions_Mode `protobuf:"varint,2,opt,name=contents,proto3,enum=metadata.EncryptionOptions_Mode" json:"contents,omitempty"`
	Filenames            EncryptionOptions_Mode `protobuf:"varint,3,opt,name=filenames,proto3,enum=metadata.EncryptionOptions_Mode" json:"filenames,omitempty"`
	PolicyVersion        int64                  `protobuf:"varint,4,opt,name=policy_version,json=policyVersion,proto3" json:"policy_version,omitempty"`
	XXX_NoUnkeyedLiteral struct{}               `json:"-"`
	XXX_unrecognized     []byte                 `json:"-"`
	XXX_sizecache        int32                  `json:"-"`
}

Encryption policy specifics; corresponds to the fscrypt_policy struct.

func (*EncryptionOptions) CheckValidity

func (e *EncryptionOptions) CheckValidity() error

CheckValidity ensures each of the options is valid.

func (*EncryptionOptions) Descriptor

func (*EncryptionOptions) Descriptor() ([]byte, []int)

func (*EncryptionOptions) GetContents

func (m *EncryptionOptions) GetContents() EncryptionOptions_Mode

func (*EncryptionOptions) GetFilenames

func (m *EncryptionOptions) GetFilenames() EncryptionOptions_Mode

func (*EncryptionOptions) GetPadding

func (m *EncryptionOptions) GetPadding() int64

func (*EncryptionOptions) GetPolicyVersion added in v0.2.6

func (m *EncryptionOptions) GetPolicyVersion() int64

func (*EncryptionOptions) ProtoMessage

func (*EncryptionOptions) ProtoMessage()

func (*EncryptionOptions) Reset

func (m *EncryptionOptions) Reset()

func (*EncryptionOptions) String

func (m *EncryptionOptions) String() string

func (*EncryptionOptions) XXX_DiscardUnknown added in v0.2.5

func (m *EncryptionOptions) XXX_DiscardUnknown()

func (*EncryptionOptions) XXX_Marshal added in v0.2.5

func (m *EncryptionOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*EncryptionOptions) XXX_Merge added in v0.2.5

func (dst *EncryptionOptions) XXX_Merge(src proto.Message)

func (*EncryptionOptions) XXX_Size added in v0.2.5

func (m *EncryptionOptions) XXX_Size() int

func (*EncryptionOptions) XXX_Unmarshal added in v0.2.5

func (m *EncryptionOptions) XXX_Unmarshal(b []byte) error

type EncryptionOptions_Mode

type EncryptionOptions_Mode int32

Type of encryption; should match declarations of unix.FSCRYPT_MODE

// EncryptionOptions_Mode values. These should match the unix.FSCRYPT_MODE
// declarations; values 7 and 8 are absent and the numbering presumably
// follows the kernel constants, so do not renumber. EncryptionOptions_default
// (0) is the proto zero value and is what CheckValidity treats as "empty".
const (
	EncryptionOptions_default     EncryptionOptions_Mode = 0
	EncryptionOptions_AES_256_XTS EncryptionOptions_Mode = 1
	EncryptionOptions_AES_256_GCM EncryptionOptions_Mode = 2
	EncryptionOptions_AES_256_CBC EncryptionOptions_Mode = 3
	EncryptionOptions_AES_256_CTS EncryptionOptions_Mode = 4
	EncryptionOptions_AES_128_CBC EncryptionOptions_Mode = 5
	EncryptionOptions_AES_128_CTS EncryptionOptions_Mode = 6
	EncryptionOptions_Adiantum    EncryptionOptions_Mode = 9
)

func (EncryptionOptions_Mode) CheckValidity

func (m EncryptionOptions_Mode) CheckValidity() error

CheckValidity ensures the mode has a name and isn't empty.

func (EncryptionOptions_Mode) EnumDescriptor

func (EncryptionOptions_Mode) EnumDescriptor() ([]byte, []int)

func (EncryptionOptions_Mode) String

func (x EncryptionOptions_Mode) String() string

type ErrAlreadyEncrypted added in v0.2.8

// ErrAlreadyEncrypted indicates that the path is already encrypted.
// Path is the offending path. Error has a pointer receiver, so callers should
// match with errors.As(err, new(*ErrAlreadyEncrypted)).
type ErrAlreadyEncrypted struct {
	Path string
}

ErrAlreadyEncrypted indicates that the path is already encrypted.

func (*ErrAlreadyEncrypted) Error added in v0.2.8

func (err *ErrAlreadyEncrypted) Error() string

type ErrBadEncryptionOptions

// ErrBadEncryptionOptions indicates that unsupported encryption options were
// given. Path is the path the options were applied to and Options the
// rejected EncryptionOptions. Error has a pointer receiver, so match with
// errors.As on *ErrBadEncryptionOptions.
type ErrBadEncryptionOptions struct {
	Path    string
	Options *EncryptionOptions
}

ErrBadEncryptionOptions indicates that unsupported encryption options were given.

func (*ErrBadEncryptionOptions) Error added in v0.2.8

func (err *ErrBadEncryptionOptions) Error() string

type ErrDirectoryNotOwned added in v0.2.8

// ErrDirectoryNotOwned indicates a directory can't be encrypted because it's
// owned by another user. Path is the directory and Owner its owning uid
// (uint32, i.e. the kernel's representation). Error has a pointer receiver,
// so match with errors.As on *ErrDirectoryNotOwned.
type ErrDirectoryNotOwned struct {
	Path  string
	Owner uint32
}

ErrDirectoryNotOwned indicates a directory can't be encrypted because it's owned by another user.

func (*ErrDirectoryNotOwned) Error added in v0.2.8

func (err *ErrDirectoryNotOwned) Error() string

type ErrNotEncrypted

// ErrNotEncrypted indicates that the path is not encrypted. Path is the
// offending path. Error has a pointer receiver, so match with errors.As on
// *ErrNotEncrypted.
type ErrNotEncrypted struct {
	Path string
}

ErrNotEncrypted indicates that the path is not encrypted.

func (*ErrNotEncrypted) Error added in v0.2.8

func (err *ErrNotEncrypted) Error() string

type HashingCosts

// HashingCosts are the cost parameters used by our hashing functions;
// CheckValidity ensures Argon2 will accept them. The units of Time, Memory
// and Parallelism are not stated here — presumably Argon2's iteration count,
// memory size and lane count; confirm against the hashing code before
// changing them. Lower costs make passphrase-derived keys cheaper to
// brute-force, so treat these as security parameters rather than tuning
// knobs. The XXX_ fields are protobuf-generated bookkeeping.
type HashingCosts struct {
	Time                 int64    `protobuf:"varint,2,opt,name=time,proto3" json:"time,omitempty"`
	Memory               int64    `protobuf:"varint,3,opt,name=memory,proto3" json:"memory,omitempty"`
	Parallelism          int64    `protobuf:"varint,4,opt,name=parallelism,proto3" json:"parallelism,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Cost parameters to be used in our hashing functions.

func (*HashingCosts) CheckValidity

func (h *HashingCosts) CheckValidity() error

CheckValidity ensures the hash costs will be accepted by Argon2.

func (*HashingCosts) Descriptor

func (*HashingCosts) Descriptor() ([]byte, []int)

func (*HashingCosts) GetMemory

func (m *HashingCosts) GetMemory() int64

func (*HashingCosts) GetParallelism

func (m *HashingCosts) GetParallelism() int64

func (*HashingCosts) GetTime

func (m *HashingCosts) GetTime() int64

func (*HashingCosts) ProtoMessage

func (*HashingCosts) ProtoMessage()

func (*HashingCosts) Reset

func (m *HashingCosts) Reset()

func (*HashingCosts) String

func (m *HashingCosts) String() string

func (*HashingCosts) XXX_DiscardUnknown added in v0.2.5

func (m *HashingCosts) XXX_DiscardUnknown()

func (*HashingCosts) XXX_Marshal added in v0.2.5

func (m *HashingCosts) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*HashingCosts) XXX_Merge added in v0.2.5

func (dst *HashingCosts) XXX_Merge(src proto.Message)

func (*HashingCosts) XXX_Size added in v0.2.5

func (m *HashingCosts) XXX_Size() int

func (*HashingCosts) XXX_Unmarshal added in v0.2.5

func (m *HashingCosts) XXX_Unmarshal(b []byte) error

type Metadata

// Metadata is the interface to all of the protobuf structures that can be
// checked for validity. Every message type in this package (Config,
// EncryptionOptions, HashingCosts, PolicyData, ProtectorData, WrappedKeyData,
// WrappedPolicyKey) implements it through CheckValidity; call CheckValidity on
// any structure decoded from disk before relying on its contents.
type Metadata interface {
	CheckValidity() error
	proto.Message
}

Metadata is the interface to all of the protobuf structures that can be checked for validity.

type PolicyData

// PolicyData is the associated data for each policy: the KeyDescriptor, the
// encryption Options, and the policy key wrapped once per protector in
// WrappedPolicyKeys (each entry names its protector via ProtectorDescriptor).
// GetPolicy returns it for an encrypted directory or file, SetPolicy applies
// it to a directory, and CheckValidity checks the fields and each wrapped key.
// KeyDescriptor is presumably PolicyDescriptorLenV1 or PolicyDescriptorLenV2
// hex characters depending on Options.PolicyVersion — confirm in
// CheckValidity. The XXX_ fields are protobuf-generated bookkeeping.
type PolicyData struct {
	KeyDescriptor        string              `protobuf:"bytes,1,opt,name=key_descriptor,json=keyDescriptor,proto3" json:"key_descriptor,omitempty"`
	Options              *EncryptionOptions  `protobuf:"bytes,2,opt,name=options,proto3" json:"options,omitempty"`
	WrappedPolicyKeys    []*WrappedPolicyKey `protobuf:"bytes,3,rep,name=wrapped_policy_keys,json=wrappedPolicyKeys,proto3" json:"wrapped_policy_keys,omitempty"`
	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
	XXX_unrecognized     []byte              `json:"-"`
	XXX_sizecache        int32               `json:"-"`
}

The associated data for each policy

func GetPolicy

func GetPolicy(path string) (*PolicyData, error)

GetPolicy returns the Policy data for the given directory or file (includes the KeyDescriptor and the encryption options). Returns an error if the path is not encrypted or the policy couldn't be retrieved.

func (*PolicyData) CheckValidity

func (p *PolicyData) CheckValidity() error

CheckValidity ensures the fields and each wrapped key are valid.

func (*PolicyData) Descriptor

func (*PolicyData) Descriptor() ([]byte, []int)

func (*PolicyData) GetKeyDescriptor

func (m *PolicyData) GetKeyDescriptor() string

func (*PolicyData) GetOptions

func (m *PolicyData) GetOptions() *EncryptionOptions

func (*PolicyData) GetWrappedPolicyKeys

func (m *PolicyData) GetWrappedPolicyKeys() []*WrappedPolicyKey

func (*PolicyData) ProtoMessage

func (*PolicyData) ProtoMessage()

func (*PolicyData) Reset

func (m *PolicyData) Reset()

func (*PolicyData) String

func (m *PolicyData) String() string

func (*PolicyData) XXX_DiscardUnknown added in v0.2.5

func (m *PolicyData) XXX_DiscardUnknown()

func (*PolicyData) XXX_Marshal added in v0.2.5

func (m *PolicyData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*PolicyData) XXX_Merge added in v0.2.5

func (dst *PolicyData) XXX_Merge(src proto.Message)

func (*PolicyData) XXX_Size added in v0.2.5

func (m *PolicyData) XXX_Size() int

func (*PolicyData) XXX_Unmarshal added in v0.2.5

func (m *PolicyData) XXX_Unmarshal(b []byte) error

type ProtectorData

// ProtectorData is the associated data for each protector. ProtectorDescriptor
// and Source are always meaningful; the remaining fields are only used by some
// protector types, and CheckValidity ensures the right ones are set for the
// given Source. Salt is presumably SaltLen bytes and WrappedKey holds the
// protector key under authenticated wrapping (see WrappedKeyData).
//
// NOTE(review): Uid is stored as int64 while ErrDirectoryNotOwned.Owner is a
// uint32 — confirm that comparisons between the two handle the sign/width
// difference. The XXX_ fields are protobuf-generated bookkeeping.
type ProtectorData struct {
	ProtectorDescriptor string     `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor,proto3" json:"protector_descriptor,omitempty"`
	Source              SourceType `protobuf:"varint,2,opt,name=source,proto3,enum=metadata.SourceType" json:"source,omitempty"`
	// These are only used by some of the protector types
	Name                 string          `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
	Costs                *HashingCosts   `protobuf:"bytes,4,opt,name=costs,proto3" json:"costs,omitempty"`
	Salt                 []byte          `protobuf:"bytes,5,opt,name=salt,proto3" json:"salt,omitempty"`
	Uid                  int64           `protobuf:"varint,6,opt,name=uid,proto3" json:"uid,omitempty"`
	WrappedKey           *WrappedKeyData `protobuf:"bytes,7,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"`
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

The associated data for each protector

func (*ProtectorData) CheckValidity

func (p *ProtectorData) CheckValidity() error

CheckValidity ensures our ProtectorData has the correct fields for its source.

func (*ProtectorData) Descriptor

func (*ProtectorData) Descriptor() ([]byte, []int)

func (*ProtectorData) GetCosts

func (m *ProtectorData) GetCosts() *HashingCosts

func (*ProtectorData) GetName

func (m *ProtectorData) GetName() string

func (*ProtectorData) GetProtectorDescriptor

func (m *ProtectorData) GetProtectorDescriptor() string

func (*ProtectorData) GetSalt

func (m *ProtectorData) GetSalt() []byte

func (*ProtectorData) GetSource

func (m *ProtectorData) GetSource() SourceType

func (*ProtectorData) GetUid

func (m *ProtectorData) GetUid() int64

func (*ProtectorData) GetWrappedKey

func (m *ProtectorData) GetWrappedKey() *WrappedKeyData

func (*ProtectorData) ProtoMessage

func (*ProtectorData) ProtoMessage()

func (*ProtectorData) Reset

func (m *ProtectorData) Reset()

func (*ProtectorData) String

func (m *ProtectorData) String() string

func (*ProtectorData) XXX_DiscardUnknown added in v0.2.5

func (m *ProtectorData) XXX_DiscardUnknown()

func (*ProtectorData) XXX_Marshal added in v0.2.5

func (m *ProtectorData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ProtectorData) XXX_Merge added in v0.2.5

func (dst *ProtectorData) XXX_Merge(src proto.Message)

func (*ProtectorData) XXX_Size added in v0.2.5

func (m *ProtectorData) XXX_Size() int

func (*ProtectorData) XXX_Unmarshal added in v0.2.5

func (m *ProtectorData) XXX_Unmarshal(b []byte) error

type SourceType

type SourceType int32

Specifies the method by which an outside secret is obtained for a Protector.

// SourceType values, generated from metadata.proto. SourceType_default (0) is
// the proto zero value; CheckValidity rejects a source that has no name or is
// "empty" (presumably this zero value — see its doc). DefaultSource is
// SourceType_custom_passphrase.
const (
	SourceType_default           SourceType = 0
	SourceType_pam_passphrase    SourceType = 1
	SourceType_custom_passphrase SourceType = 2
	SourceType_raw_key           SourceType = 3
)

func (SourceType) CheckValidity

func (s SourceType) CheckValidity() error

CheckValidity ensures the source has a name and isn't empty.

func (SourceType) EnumDescriptor

func (SourceType) EnumDescriptor() ([]byte, []int)

func (SourceType) String

func (x SourceType) String() string

type WrappedKeyData

// WrappedKeyData is used for our authenticated wrapping/unwrapping of keys.
// IV, EncryptedKey and Hmac are raw bytes; CheckValidity ensures each buffer
// has the correct length (presumably IVLen, InternalKeyLen and HMACLen from
// the package constants — confirm). Hmac is the SHA-256 HMAC that
// authenticates the wrapped key; it must be verified, in constant time, before
// EncryptedKey is unwrapped, and a mismatch must be treated as a hard error.
// The XXX_ fields are protobuf-generated bookkeeping.
type WrappedKeyData struct {
	IV                   []byte   `protobuf:"bytes,1,opt,name=IV,proto3" json:"IV,omitempty"`
	EncryptedKey         []byte   `protobuf:"bytes,2,opt,name=encrypted_key,json=encryptedKey,proto3" json:"encrypted_key,omitempty"`
	Hmac                 []byte   `protobuf:"bytes,3,opt,name=hmac,proto3" json:"hmac,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

This structure is used for our authenticated wrapping/unwrapping of keys.

func (*WrappedKeyData) CheckValidity

func (w *WrappedKeyData) CheckValidity() error

CheckValidity ensures our buffers are the correct length.

func (*WrappedKeyData) Descriptor

func (*WrappedKeyData) Descriptor() ([]byte, []int)

func (*WrappedKeyData) GetEncryptedKey

func (m *WrappedKeyData) GetEncryptedKey() []byte

func (*WrappedKeyData) GetHmac

func (m *WrappedKeyData) GetHmac() []byte

func (*WrappedKeyData) GetIV

func (m *WrappedKeyData) GetIV() []byte

func (*WrappedKeyData) ProtoMessage

func (*WrappedKeyData) ProtoMessage()

func (*WrappedKeyData) Reset

func (m *WrappedKeyData) Reset()

func (*WrappedKeyData) String

func (m *WrappedKeyData) String() string

func (*WrappedKeyData) XXX_DiscardUnknown added in v0.2.5

func (m *WrappedKeyData) XXX_DiscardUnknown()

func (*WrappedKeyData) XXX_Marshal added in v0.2.5

func (m *WrappedKeyData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*WrappedKeyData) XXX_Merge added in v0.2.5

func (dst *WrappedKeyData) XXX_Merge(src proto.Message)

func (*WrappedKeyData) XXX_Size added in v0.2.5

func (m *WrappedKeyData) XXX_Size() int

func (*WrappedKeyData) XXX_Unmarshal added in v0.2.5

func (m *WrappedKeyData) XXX_Unmarshal(b []byte) error

type WrappedPolicyKey

// WrappedPolicyKey is one copy of a policy key, presumably wrapped under the
// protector identified by ProtectorDescriptor (ProtectorDescriptorLen hex
// characters) — a PolicyData carries one per protector that can unlock it.
// CheckValidity ensures the fields are valid and have the correct lengths.
// The XXX_ fields are protobuf-generated bookkeeping.
type WrappedPolicyKey struct {
	ProtectorDescriptor  string          `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor,proto3" json:"protector_descriptor,omitempty"`
	WrappedKey           *WrappedKeyData `protobuf:"bytes,2,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"`
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

func (*WrappedPolicyKey) CheckValidity

func (w *WrappedPolicyKey) CheckValidity() error

CheckValidity ensures the fields are valid and have the correct lengths.

func (*WrappedPolicyKey) Descriptor

func (*WrappedPolicyKey) Descriptor() ([]byte, []int)

func (*WrappedPolicyKey) GetProtectorDescriptor

func (m *WrappedPolicyKey) GetProtectorDescriptor() string

func (*WrappedPolicyKey) GetWrappedKey

func (m *WrappedPolicyKey) GetWrappedKey() *WrappedKeyData

func (*WrappedPolicyKey) ProtoMessage

func (*WrappedPolicyKey) ProtoMessage()

func (*WrappedPolicyKey) Reset

func (m *WrappedPolicyKey) Reset()

func (*WrappedPolicyKey) String

func (m *WrappedPolicyKey) String() string

func (*WrappedPolicyKey) XXX_DiscardUnknown added in v0.2.5

func (m *WrappedPolicyKey) XXX_DiscardUnknown()

func (*WrappedPolicyKey) XXX_Marshal added in v0.2.5

func (m *WrappedPolicyKey) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*WrappedPolicyKey) XXX_Merge added in v0.2.5

func (dst *WrappedPolicyKey) XXX_Merge(src proto.Message)

func (*WrappedPolicyKey) XXX_Size added in v0.2.5

func (m *WrappedPolicyKey) XXX_Size() int

func (*WrappedPolicyKey) XXX_Unmarshal added in v0.2.5

func (m *WrappedPolicyKey) XXX_Unmarshal(b []byte) error
