metadata

package
v0.2.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 23, 2018 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package metadata contains all of the on disk structures. These structures are defined in metadata.proto. The package also contains functions for manipulating these structures, specifically:

  • Reading and Writing the Config file to disk
  • Getting and Setting Policies for directories
  • Reasonable defaults for a Policy's EncryptionOptions

Package metadata is a generated protocol buffer package.

It is generated from these files: 

metadata/metadata.proto

It has these top-level messages: 

HashingCosts
WrappedKeyData
ProtectorData
EncryptionOptions
WrappedPolicyKey
PolicyData
Config

Index

Constants

View Source 
const (
	// DescriptorLen is the length of all Protector and Policy descriptors.
	DescriptorLen = 2 * unix.FS_KEY_DESCRIPTOR_SIZE
	// We always use 256-bit keys internally (compared to 512-bit policy keys).
	InternalKeyLen = 32
	IVLen          = 16
	SaltLen        = 16
	// We use SHA256 for the HMAC, and len(HMAC) == len(hash size).
	HMACLen = sha256.Size
	// PolicyKeyLen is the length of all keys passed directly to the Keyring
	PolicyKeyLen = unix.FS_MAX_KEY_SIZE
)

Lengths for our keys, buffers, and strings used in fscrypt.

Variables

View Source 
var (
	// DefaultOptions use the supported encryption modes and max padding.
	DefaultOptions = &EncryptionOptions{
		Padding:   32,
		Contents:  EncryptionOptions_AES_256_XTS,
		Filenames: EncryptionOptions_AES_256_CTS,
	}
	// DefaultSource is the source we use if none is specified.
	DefaultSource = SourceType_custom_passphrase
)
View Source 
var (
	ErrEncryptionNotSupported = errors.New("encryption not supported")
	ErrEncryptionNotEnabled   = errors.New("encryption not enabled")
	ErrNotEncrypted           = errors.New("file or directory not encrypted")
	ErrEncrypted              = errors.New("file or directory already encrypted")
	ErrBadEncryptionOptions   = util.SystemError("invalid encryption options provided")
)

Encryption specific errors

View Source 
var EncryptionOptions_Mode_name = map[int32]string{
	0: "default",
	1: "AES_256_XTS",
	2: "AES_256_GCM",
	3: "AES_256_CBC",
	4: "AES_256_CTS",
	5: "AES_128_CBC",
	6: "AES_128_CTS",
}
View Source 
var EncryptionOptions_Mode_value = map[string]int32{
	"default":     0,
	"AES_256_XTS": 1,
	"AES_256_GCM": 2,
	"AES_256_CBC": 3,
	"AES_256_CTS": 4,
	"AES_128_CBC": 5,
	"AES_128_CTS": 6,
}
View Source 
var SourceType_name = map[int32]string{
	0: "default",
	1: "pam_passphrase",
	2: "custom_passphrase",
	3: "raw_key",
}
View Source 
var SourceType_value = map[string]int32{
	"default":           0,
	"pam_passphrase":    1,
	"custom_passphrase": 2,
	"raw_key":           3,
}

Functions

func CheckSupport 

func CheckSupport(path string) error

CheckSupport returns an error if the filesystem containing path does not support filesystem encryption. This can be for many reasons including an incompatible kernel or filesystem or not enabling the right feature flags.

func SetPolicy 

func SetPolicy(path string, data *PolicyData) error

SetPolicy sets up the specified directory to be encrypted with the specified policy. Returns an error if we cannot set the policy for any reason (not a directory, invalid options or KeyDescriptor, etc).

func WriteConfig 

func WriteConfig(config *Config, out io.Writer) error

WriteConfig outputs the Config data as nicely formatted JSON

Types

type Config 

type Config struct {
	Source        SourceType         `protobuf:"varint,1,opt,name=source,enum=metadata.SourceType" json:"source,omitempty"`
	HashCosts     *HashingCosts      `protobuf:"bytes,2,opt,name=hash_costs,json=hashCosts" json:"hash_costs,omitempty"`
	Compatibility string             `protobuf:"bytes,3,opt,name=compatibility" json:"compatibility,omitempty"`
	Options       *EncryptionOptions `protobuf:"bytes,4,opt,name=options" json:"options,omitempty"`
}

Data stored in the config file

func ReadConfig 

func ReadConfig(in io.Reader) (*Config, error)

ReadConfig writes the JSON data into the config structure

func (*Config) CheckValidity 

func (c *Config) CheckValidity() error

CheckValidity ensures the Config has all the necessary info for its Source.

func (*Config) Descriptor 

func (*Config) Descriptor() ([]byte, []int)

func (*Config) GetCompatibility 

func (m *Config) GetCompatibility() string

func (*Config) GetHashCosts 

func (m *Config) GetHashCosts() *HashingCosts

func (*Config) GetOptions 

func (m *Config) GetOptions() *EncryptionOptions

func (*Config) GetSource 

func (m *Config) GetSource() SourceType

func (*Config) HasCompatibilityOption 

func (c *Config) HasCompatibilityOption(option string) bool

HasCompatibilityOption returns true if the specified string is in the list of compatibility options. This assumes the compatibility options are in a comma separated string.

func (*Config) ProtoMessage 

func (*Config) ProtoMessage()

func (*Config) Reset 

func (m *Config) Reset()

func (*Config) String 

func (m *Config) String() string

type EncryptionOptions 

type EncryptionOptions struct {
	Padding   int64                  `protobuf:"varint,1,opt,name=padding" json:"padding,omitempty"`
	Contents  EncryptionOptions_Mode `protobuf:"varint,2,opt,name=contents,enum=metadata.EncryptionOptions_Mode" json:"contents,omitempty"`
	Filenames EncryptionOptions_Mode `protobuf:"varint,3,opt,name=filenames,enum=metadata.EncryptionOptions_Mode" json:"filenames,omitempty"`
}

Encryption policy specifics, corresponds to the fscrypt_policy struct

func (*EncryptionOptions) CheckValidity 

func (e *EncryptionOptions) CheckValidity() error

CheckValidity ensures each of the options is valid.

func (*EncryptionOptions) Descriptor 

func (*EncryptionOptions) Descriptor() ([]byte, []int)

func (*EncryptionOptions) GetContents 

func (m *EncryptionOptions) GetContents() EncryptionOptions_Mode

func (*EncryptionOptions) GetFilenames 

func (m *EncryptionOptions) GetFilenames() EncryptionOptions_Mode

func (*EncryptionOptions) GetPadding 

func (m *EncryptionOptions) GetPadding() int64

func (*EncryptionOptions) ProtoMessage 

func (*EncryptionOptions) ProtoMessage()

func (*EncryptionOptions) Reset 

func (m *EncryptionOptions) Reset()

func (*EncryptionOptions) String 

func (m *EncryptionOptions) String() string

type EncryptionOptions_Mode 

type EncryptionOptions_Mode int32

Type of encryption; should match declarations of unix.FS_ENCRYPTION_MODE 

const (
	EncryptionOptions_default     EncryptionOptions_Mode = 0
	EncryptionOptions_AES_256_XTS EncryptionOptions_Mode = 1
	EncryptionOptions_AES_256_GCM EncryptionOptions_Mode = 2
	EncryptionOptions_AES_256_CBC EncryptionOptions_Mode = 3
	EncryptionOptions_AES_256_CTS EncryptionOptions_Mode = 4
	EncryptionOptions_AES_128_CBC EncryptionOptions_Mode = 5
	EncryptionOptions_AES_128_CTS EncryptionOptions_Mode = 6
)

func (EncryptionOptions_Mode) CheckValidity 

func (m EncryptionOptions_Mode) CheckValidity() error

CheckValidity ensures the mode has a name and isn't empty.

func (EncryptionOptions_Mode) EnumDescriptor 

func (EncryptionOptions_Mode) EnumDescriptor() ([]byte, []int)

func (EncryptionOptions_Mode) String 

func (x EncryptionOptions_Mode) String() string

type HashingCosts 

type HashingCosts struct {
	Time        int64 `protobuf:"varint,2,opt,name=time" json:"time,omitempty"`
	Memory      int64 `protobuf:"varint,3,opt,name=memory" json:"memory,omitempty"`
	Parallelism int64 `protobuf:"varint,4,opt,name=parallelism" json:"parallelism,omitempty"`
}

Cost parameters to be used in our hashing functions.

func (*HashingCosts) CheckValidity 

func (h *HashingCosts) CheckValidity() error

CheckValidity ensures the hash costs will be accepted by Argon2.

func (*HashingCosts) Descriptor 

func (*HashingCosts) Descriptor() ([]byte, []int)

func (*HashingCosts) GetMemory 

func (m *HashingCosts) GetMemory() int64

func (*HashingCosts) GetParallelism 

func (m *HashingCosts) GetParallelism() int64

func (*HashingCosts) GetTime 

func (m *HashingCosts) GetTime() int64

func (*HashingCosts) ProtoMessage 

func (*HashingCosts) ProtoMessage()

func (*HashingCosts) Reset 

func (m *HashingCosts) Reset()

func (*HashingCosts) String 

func (m *HashingCosts) String() string

type Metadata 

type Metadata interface {
	CheckValidity() error
	proto.Message
}

Metadata is the interface to all of the protobuf structures that can be checked for validity.

type PolicyData 

type PolicyData struct {
	KeyDescriptor     string              `protobuf:"bytes,1,opt,name=key_descriptor,json=keyDescriptor" json:"key_descriptor,omitempty"`
	Options           *EncryptionOptions  `protobuf:"bytes,2,opt,name=options" json:"options,omitempty"`
	WrappedPolicyKeys []*WrappedPolicyKey `protobuf:"bytes,3,rep,name=wrapped_policy_keys,json=wrappedPolicyKeys" json:"wrapped_policy_keys,omitempty"`
}

The associated data for each policy

func GetPolicy 

func GetPolicy(path string) (*PolicyData, error)

GetPolicy returns the Policy data for the given directory or file (includes the KeyDescriptor and the encryption options). Returns an error if the path is not encrypted or the policy couldn't be retrieved.

func (*PolicyData) CheckValidity 

func (p *PolicyData) CheckValidity() error

CheckValidity ensures the fields and each wrapped key are valid.

func (*PolicyData) Descriptor 

func (*PolicyData) Descriptor() ([]byte, []int)

func (*PolicyData) GetKeyDescriptor 

func (m *PolicyData) GetKeyDescriptor() string

func (*PolicyData) GetOptions 

func (m *PolicyData) GetOptions() *EncryptionOptions

func (*PolicyData) GetWrappedPolicyKeys 

func (m *PolicyData) GetWrappedPolicyKeys() []*WrappedPolicyKey

func (*PolicyData) ProtoMessage 

func (*PolicyData) ProtoMessage()

func (*PolicyData) Reset 

func (m *PolicyData) Reset()

func (*PolicyData) String 

func (m *PolicyData) String() string

type ProtectorData 

type ProtectorData struct {
	ProtectorDescriptor string     `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor" json:"protector_descriptor,omitempty"`
	Source              SourceType `protobuf:"varint,2,opt,name=source,enum=metadata.SourceType" json:"source,omitempty"`
	// These are only used by some of the protector types
	Name       string          `protobuf:"bytes,3,opt,name=name" json:"name,omitempty"`
	Costs      *HashingCosts   `protobuf:"bytes,4,opt,name=costs" json:"costs,omitempty"`
	Salt       []byte          `protobuf:"bytes,5,opt,name=salt,proto3" json:"salt,omitempty"`
	Uid        int64           `protobuf:"varint,6,opt,name=uid" json:"uid,omitempty"`
	WrappedKey *WrappedKeyData `protobuf:"bytes,7,opt,name=wrapped_key,json=wrappedKey" json:"wrapped_key,omitempty"`
}

The associated data for each protector

func (*ProtectorData) CheckValidity 

func (p *ProtectorData) CheckValidity() error

CheckValidity ensures our ProtectorData has the correct fields for its source.

func (*ProtectorData) Descriptor 

func (*ProtectorData) Descriptor() ([]byte, []int)

func (*ProtectorData) GetCosts 

func (m *ProtectorData) GetCosts() *HashingCosts

func (*ProtectorData) GetName 

func (m *ProtectorData) GetName() string

func (*ProtectorData) GetProtectorDescriptor 

func (m *ProtectorData) GetProtectorDescriptor() string

func (*ProtectorData) GetSalt 

func (m *ProtectorData) GetSalt() []byte

func (*ProtectorData) GetSource 

func (m *ProtectorData) GetSource() SourceType

func (*ProtectorData) GetUid 

func (m *ProtectorData) GetUid() int64

func (*ProtectorData) GetWrappedKey 

func (m *ProtectorData) GetWrappedKey() *WrappedKeyData

func (*ProtectorData) ProtoMessage 

func (*ProtectorData) ProtoMessage()

func (*ProtectorData) Reset 

func (m *ProtectorData) Reset()

func (*ProtectorData) String 

func (m *ProtectorData) String() string

type SourceType 

type SourceType int32

Specifies the method in which an outside secret is obtained for a Protector 

const (
	SourceType_default           SourceType = 0
	SourceType_pam_passphrase    SourceType = 1
	SourceType_custom_passphrase SourceType = 2
	SourceType_raw_key           SourceType = 3
)

func (SourceType) CheckValidity 

func (s SourceType) CheckValidity() error

CheckValidity ensures the source has a name and isn't empty.

func (SourceType) EnumDescriptor 

func (SourceType) EnumDescriptor() ([]byte, []int)

func (SourceType) String 

func (x SourceType) String() string

type WrappedKeyData 

type WrappedKeyData struct {
	IV           []byte `protobuf:"bytes,1,opt,name=IV,proto3" json:"IV,omitempty"`
	EncryptedKey []byte `protobuf:"bytes,2,opt,name=encrypted_key,json=encryptedKey,proto3" json:"encrypted_key,omitempty"`
	Hmac         []byte `protobuf:"bytes,3,opt,name=hmac,proto3" json:"hmac,omitempty"`
}

This structure is used for our authenticated wrapping/unwrapping of keys.

func (*WrappedKeyData) CheckValidity 

func (w *WrappedKeyData) CheckValidity() error

CheckValidity ensures our buffers are the correct length.

func (*WrappedKeyData) Descriptor 

func (*WrappedKeyData) Descriptor() ([]byte, []int)

func (*WrappedKeyData) GetEncryptedKey 

func (m *WrappedKeyData) GetEncryptedKey() []byte

func (*WrappedKeyData) GetHmac 

func (m *WrappedKeyData) GetHmac() []byte

func (*WrappedKeyData) GetIV 

func (m *WrappedKeyData) GetIV() []byte

func (*WrappedKeyData) ProtoMessage 

func (*WrappedKeyData) ProtoMessage()

func (*WrappedKeyData) Reset 

func (m *WrappedKeyData) Reset()

func (*WrappedKeyData) String 

func (m *WrappedKeyData) String() string

type WrappedPolicyKey 

type WrappedPolicyKey struct {
	ProtectorDescriptor string          `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor" json:"protector_descriptor,omitempty"`
	WrappedKey          *WrappedKeyData `protobuf:"bytes,2,opt,name=wrapped_key,json=wrappedKey" json:"wrapped_key,omitempty"`
}

func (*WrappedPolicyKey) CheckValidity 

func (w *WrappedPolicyKey) CheckValidity() error

CheckValidity ensures the fields are valid and have the correct lengths.

func (*WrappedPolicyKey) Descriptor 

func (*WrappedPolicyKey) Descriptor() ([]byte, []int)

func (*WrappedPolicyKey) GetProtectorDescriptor 

func (m *WrappedPolicyKey) GetProtectorDescriptor() string

func (*WrappedPolicyKey) GetWrappedKey 

func (m *WrappedPolicyKey) GetWrappedKey() *WrappedKeyData

func (*WrappedPolicyKey) ProtoMessage 

func (*WrappedPolicyKey) ProtoMessage()

func (*WrappedPolicyKey) Reset 

func (m *WrappedPolicyKey) Reset()

func (*WrappedPolicyKey) String 

func (m *WrappedPolicyKey) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.