Documentation

Overview
Package configfile reads and writes gocryptfs.conf and does the key wrapping.

Index
- Constants
- func Create(args *CreateArgs) error
- type ConfFile
- func (cf *ConfFile) ContentEncryption() (algo cryptocore.AEADTypeEnum, err error)
- func (cf *ConfFile) DecryptMasterKey(password []byte) (masterkey []byte, err error)
- func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int)
- func (cf *ConfFile) IsFeatureFlagSet(flagWant flagIota) bool
- func (cf *ConfFile) Validate() error
- func (cf *ConfFile) WriteFile() error
- type CreateArgs
- type FIDO2Params
- type ScryptKDF
Constants

const (
	// ConfDefaultName is the default configuration file name.
	// The dot "." is not used in base64url (RFC4648), hence
	// we can never clash with an encrypted file.
	ConfDefaultName = "gocryptfs.conf"
	// ConfReverseName is the default configuration file name in reverse mode,
	// the config file gets stored next to the plain-text files. Make it hidden
	// (start with dot) to not annoy the user.
	ConfReverseName = ".gocryptfs.reverse.conf"
)

const (
	// FlagPlaintextNames indicates that filenames are unencrypted.
	FlagPlaintextNames flagIota = iota
	// FlagDirIV indicates that a per-directory IV file is used.
	FlagDirIV
	// FlagEMENames indicates EME (ECB-Mix-ECB) filename encryption.
	// This flag is mandatory since gocryptfs v1.0.
	FlagEMENames
	// FlagGCMIV128 indicates 128-bit GCM IVs.
	// This flag is mandatory since gocryptfs v1.0,
	// except when XChaCha20Poly1305 is used.
	FlagGCMIV128
	// FlagLongNames allows file names longer than 176 bytes.
	FlagLongNames
	// FlagAESSIV selects an AES-SIV based crypto backend.
	FlagAESSIV
	// FlagRaw64 enables raw (unpadded) base64 encoding for file names
	FlagRaw64
	// FlagHKDF enables HKDF-derived keys for use with GCM, EME and SIV
	// instead of directly using the master key (GCM and EME) or the SHA-512
	// hashed master key (SIV).
	// Note that this flag does not change the password hashing algorithm
	// which always is scrypt.
	FlagHKDF
	// FlagFIDO2 means that "-fido2" was used when creating the filesystem.
	// The masterkey is protected using a FIDO2 token instead of a password.
	FlagFIDO2
	// FlagXChaCha20Poly1305 means we use XChaCha20-Poly1305 file content encryption
	FlagXChaCha20Poly1305
)

const (
	// ScryptDefaultLogN is the default scrypt logN configuration parameter.
	// logN=16 (N=2^16) uses 64MB of memory and takes 4 seconds on my Atom Z3735F
	// netbook.
	ScryptDefaultLogN = 16
)
Variables

This section is empty.

Functions

func Create

func Create(args *CreateArgs) error
Create - create a new config with a random key encrypted with "Password" and write it to "Filename". Uses scrypt with cost parameter "LogN".
Types

type ConfFile

type ConfFile struct {
	// Creator is the gocryptfs version string.
	// This only documents the config file for humans who look at it. The actual
	// technical info is contained in FeatureFlags.
	Creator string
	// EncryptedKey holds an encrypted AES key, unlocked using a password
	// hashed with scrypt
	EncryptedKey []byte
	// ScryptObject stores parameters for scrypt hashing (key derivation)
	ScryptObject ScryptKDF
	// Version is the On-Disk-Format version this filesystem uses
	Version uint16
	// FeatureFlags is a list of feature flags this filesystem has enabled.
	// If gocryptfs encounters a feature flag it does not support, it will refuse
	// mounting. This mechanism is analogous to the ext4 feature flags that are
	// stored in the superblock.
	FeatureFlags []string
	// FIDO2 parameters
	FIDO2 *FIDO2Params `json:",omitempty"`
	// contains filtered or unexported fields
}
ConfFile is the content of a config file.
func LoadAndDecrypt

LoadAndDecrypt - read config file from disk and decrypt the contained key using "password". Returns the decrypted key and the ConfFile object.
If "password" is empty, the config file is read but the key is not decrypted (returns nil in its place).
func (*ConfFile) ContentEncryption

func (cf *ConfFile) ContentEncryption() (algo cryptocore.AEADTypeEnum, err error)

ContentEncryption tells us which content encryption algorithm is selected.
func (*ConfFile) DecryptMasterKey

func (cf *ConfFile) DecryptMasterKey(password []byte) (masterkey []byte, err error)
DecryptMasterKey decrypts the masterkey stored in cf.EncryptedKey using password.
func (*ConfFile) EncryptKey

func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int)
EncryptKey - encrypt "key" using an scrypt hash generated from "password" and store it in cf.EncryptedKey. Uses scrypt with cost parameter logN and stores the scrypt parameters in cf.ScryptObject.
func (*ConfFile) IsFeatureFlagSet

func (cf *ConfFile) IsFeatureFlagSet(flagWant flagIota) bool
IsFeatureFlagSet returns true if the feature flag "flagWant" is enabled.
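An added example, not gocryptfs code, showing the gate that ConfFile.FeatureFlags and IsFeatureFlagSet describe: a config file with a flag this build does not understand is refused before any key is unwrapped, and the mandatory-flag rules from the constant list are checked. It assumes Go's default JSON field names for the on-disk file, flag spellings equal to the Flag* constants without the "Flag" prefix, and that PlaintextNames filesystems carry no EMENames flag; the config it parses is constructed.

```go
package main
import "encoding/json"
import "fmt"

// confFile mirrors ConfFile above (assumed: Go's default JSON field names,
// so EncryptedKey and Salt are stored as base64 strings on disk).
type confFile struct {
	EncryptedKey []byte
	ScryptObject struct{ Salt []byte; N, R, P, KeyLen int }
	FeatureFlags []string
}
// knownFlags: Flag* constants minus the "Flag" prefix (assumed on-disk spelling); anything else is unmountable.
var knownFlags = map[string]bool{"PlaintextNames": true, "DirIV": true,
	"EMENames": true, "GCMIV128": true, "LongNames": true, "AESSIV": true,
	"Raw64": true, "HKDF": true, "FIDO2": true, "XChaCha20Poly1305": true}

// validate is a simplified stand-in for ConfFile.Validate: refuse unknown flags
// (the ext4 superblock rule) and enforce the mandatory flags documented above.
func (cf *confFile) validate() error {
	have := map[string]bool{} // set view of FeatureFlags, like IsFeatureFlagSet
	for _, f := range cf.FeatureFlags {
		if !knownFlags[f] {
			return fmt.Errorf("unknown feature flag %q: refusing to mount", f)
		}
		have[f] = true
	}
	n := cf.ScryptObject.N // untrusted input read from disk: keep it sane before it reaches scrypt
	switch {
	case !have["EMENames"] && !have["PlaintextNames"]: // assumed: EME not needed for plaintext names
		return fmt.Errorf("EMENames is mandatory since gocryptfs v1.0")
	case !have["GCMIV128"] && !have["XChaCha20Poly1305"]:
		return fmt.Errorf("GCMIV128 is mandatory unless XChaCha20Poly1305 is used")
	case n < 2 || n&(n-1) != 0 || len(cf.ScryptObject.Salt) == 0 || len(cf.EncryptedKey) == 0:
		return fmt.Errorf("bad scrypt parameters or missing wrapped key")
	}
	return nil
}

// loadConf decodes and validates a config; only a nil error means mountable.
func loadConf(data []byte) (*confFile, error) {
	var cf confFile
	if err := json.Unmarshal(data, &cf); err != nil {
		return nil, err
	}
	return &cf, cf.validate()
}
// sampleConf is a constructed example; Salt and EncryptedKey are dummy bytes.
const sampleConf = `{"Creator":"constructed example","Version":2,"EncryptedKey":"MDEyMzQ1Njc4OWFiY2RlZg==",
"ScryptObject":{"Salt":"MDEyMzQ1Njc4OWFiY2RlZg==","N":65536,"R":8,"P":1,"KeyLen":32},
"FeatureFlags":["GCMIV128","DirIV","EMENames","LongNames","Raw64","HKDF"]}`
```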
type CreateArgs

type CreateArgs struct {
	Filename           string
	Password           []byte
	PlaintextNames     bool
	LogN               int
	Creator            string
	AESSIV             bool
	Fido2CredentialID  []byte
	Fido2HmacSalt      []byte
	DeterministicNames bool
	XChaCha20Poly1305  bool
}
CreateArgs exists because the argument list to Create became too long.
type FIDO2Params

type FIDO2Params struct {
	// FIDO2 credential
	CredentialID []byte
	// FIDO2 hmac-secret salt
	HMACSalt []byte
}
FIDO2Params is a structure for storing FIDO2 parameters.
type ScryptKDF

type ScryptKDF struct {
	// Salt is the random salt that is passed to scrypt
	Salt []byte
	// N: scrypt CPU/Memory cost parameter
	N int
	// R: scrypt block size parameter
	R int
	// P: scrypt parallelization parameter
	P int
	// KeyLen is the output data length
	KeyLen int
}

ScryptKDF is an instance of the scrypt key derivation function.
func NewScryptKDF
NewScryptKDF returns a new instance of ScryptKDF.