encryption

package
Published: May 28, 2019 License: AGPL-3.0 Imports: 14 Imported by: 0

Constants

const (
	// AESGCMNonceSize is the size of an AES-GCM nonce
	AESGCMNonceSize = 12
)

Variables

var ErrDecryptFailed = errs.Class("decryption failed, check encryption key")

ErrDecryptFailed is the errs class used when decryption fails (typically a wrong key, nonce or tampered ciphertext).

var ErrInvalidConfig = errs.Class("invalid encryption configuration")

ErrInvalidConfig is the errs class for invalid configuration

var Error = errs.Class("encryption error")

Error is the default encryption errs class

Functions

func CalcEncompassingBlocks

func CalcEncompassingBlocks(offset, length int64, blockSize int) (
	firstBlock, blockCount int64)

CalcEncompassingBlocks reports, for the given offset, length and blockSize, the first block and the number of blocks that together contain the requested byte range.

func CalcEncryptedSize

func CalcEncryptedSize(dataSize int64, scheme storj.EncryptionScheme) (int64, error)

CalcEncryptedSize calculates what would be the size of the cipher data after encrypting data with dataSize using a Transformer with the given encryption scheme.

func Decrypt

func Decrypt(cipherData []byte, cipher storj.Cipher, key *storj.Key, nonce *storj.Nonce) (data []byte, err error)

Decrypt decrypts cipherData with the given cipher, key and nonce

func DecryptAESGCM

func DecryptAESGCM(cipherData []byte, key *storj.Key, nonce *AESGCMNonce) (data []byte, err error)

DecryptAESGCM decrypts byte data with a key and nonce. The plain data is returned

func DecryptKey

func DecryptKey(keyToDecrypt storj.EncryptedPrivateKey, cipher storj.Cipher, key *storj.Key, nonce *storj.Nonce) (*storj.Key, error)

DecryptKey decrypts keyToDecrypt with the given cipher, key and nonce

func DecryptPath

func DecryptPath(path storj.Path, cipher storj.Cipher, key *storj.Key) (decrypted storj.Path, err error)

DecryptPath decrypts path with the given key

func DecryptSecretBox

func DecryptSecretBox(cipherData []byte, key *storj.Key, nonce *storj.Nonce) (data []byte, err error)

DecryptSecretBox decrypts byte data with a key and nonce. The plain data is returned

func DeriveContentKey

func DeriveContentKey(path storj.Path, key *storj.Key) (derivedKey *storj.Key, err error)

DeriveContentKey derives the key for the encrypted object data using the root key. This method must be called on an unencrypted path.

func DeriveKey

func DeriveKey(key *storj.Key, message string) (*storj.Key, error)

DeriveKey derives a new key from the given key and message using HMAC-SHA512.

func DerivePathKey

func DerivePathKey(path storj.Path, key *storj.Key, depth int) (derivedKey *storj.Key, err error)

DerivePathKey derives the key for the given depth from the given root key. This method must be called on an unencrypted path.

func Encrypt

func Encrypt(data []byte, cipher storj.Cipher, key *storj.Key, nonce *storj.Nonce) (cipherData []byte, err error)

Encrypt encrypts data with the given cipher, key and nonce

func EncryptAESGCM

func EncryptAESGCM(data []byte, key *storj.Key, nonce *AESGCMNonce) (cipherData []byte, err error)

EncryptAESGCM encrypts byte data with a key and nonce. The cipher data is returned

func EncryptKey

func EncryptKey(keyToEncrypt *storj.Key, cipher storj.Cipher, key *storj.Key, nonce *storj.Nonce) (storj.EncryptedPrivateKey, error)

EncryptKey encrypts keyToEncrypt with the given cipher, key and nonce

func EncryptPath

func EncryptPath(path storj.Path, cipher storj.Cipher, key *storj.Key) (encrypted storj.Path, err error)

EncryptPath encrypts path with the given key

Example
package main

import (
	"encoding/hex"
	"fmt"

	"storj.io/storj/pkg/encryption"
	"storj.io/storj/pkg/storj"
)

func main() {
	plainPath := "fold1/fold2/fold3/file.txt"

	// Fill the root key with a fixed byte pattern purely so the example
	// output is reproducible; real code must obtain its keys from
	// crypto/rand, as the NewAESGCMEncrypter documentation advises.
	rootKey := new(storj.Key)
	for i := 0; i < len(rootKey); i++ {
		rootKey[i] = byte(i)
	}
	fmt.Printf("root key (%d bytes): %s\n", len(rootKey), hex.EncodeToString(rootKey[:]))

	// Encrypt the path under the root key.
	encryptedPath, err := encryption.EncryptPath(plainPath, storj.AESGCM, rootKey)
	fatalOnErr(err)
	fmt.Println("path to encrypt:", plainPath)
	fmt.Println("encrypted path: ", encryptedPath)

	// Round trip: the same key restores the original path.
	decryptedPath, err := encryption.DecryptPath(encryptedPath, storj.AESGCM, rootKey)
	fatalOnErr(err)
	fmt.Println("decrypted path: ", decryptedPath)

	// Sharing a sub-tree: keep only the encrypted components below depth 2
	// and derive the matching key from the unencrypted path at that depth.
	components := storj.SplitPath(encryptedPath)
	sharedPath := storj.JoinPaths(components[2:]...)
	fmt.Println("shared path:    ", sharedPath)
	derivedKey, err := encryption.DerivePathKey(decryptedPath, rootKey, 2)
	fatalOnErr(err)
	fmt.Printf("derived key (%d bytes): %s\n", len(derivedKey), hex.EncodeToString(derivedKey[:]))

	// The derived key only opens the shared suffix, not the parent folders,
	// so the holder of derivedKey learns nothing about the upper components.
	decryptedPath, err = encryption.DecryptPath(sharedPath, storj.AESGCM, derivedKey)
	fatalOnErr(err)
	fmt.Println("decrypted path: ", decryptedPath)
}

// fatalOnErr aborts the example on the first error, mirroring the usual
// panic-on-error style of runnable documentation examples.
func fatalOnErr(err error) {
	if err != nil {
		panic(err)
	}
}
Output:

root key (32 bytes): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
path to encrypt: fold1/fold2/fold3/file.txt
encrypted path:  urxuYzqG_ZlJfBhkGaz87WvvnCZaYD7qf1_ZN_Pd91n5/IyncDwLhWPv4F7EaoUivwICnUeJMWlUnMATL4faaoH2s/_1gitX6uPd3etc3RgoD9R1waT5MPKrlrY32ehz_vqlOv/6qO4DU5AHFabE2r7hmAauvnomvtNByuO-FCw4ch_xaVR3SPE
decrypted path:  fold1/fold2/fold3/file.txt
shared path:     _1gitX6uPd3etc3RgoD9R1waT5MPKrlrY32ehz_vqlOv/6qO4DU5AHFabE2r7hmAauvnomvtNByuO-FCw4ch_xaVR3SPE
derived key (32 bytes): 909db5ccf2b645e3352ee8212305596ed514d9f84d5acd21d93b4527d2a0c7e1
decrypted path:  fold3/file.txt

func EncryptSecretBox

func EncryptSecretBox(data []byte, key *storj.Key, nonce *storj.Nonce) (cipherData []byte, err error)

EncryptSecretBox encrypts byte data with a key and nonce. The cipher data is returned

func Increment

func Increment(nonce *storj.Nonce, amount int64) (truncated bool, err error)

Increment increments the nonce by the given amount.

func Transform

func Transform(rr ranger.Ranger, t Transformer) (ranger.Ranger, error)

Transform will apply a Transformer to a Ranger.

func TransformReader

func TransformReader(r io.ReadCloser, t Transformer,
	startingBlockNum int64) io.ReadCloser

TransformReader applies a Transformer to a Reader. startingBlockNum should probably be 0 unless you know you're already starting at a block offset.

func TransformReaderSize

func TransformReaderSize(r io.ReadCloser, t Transformer,
	startingBlockNum int64, expectedSize int64) io.ReadCloser

TransformReaderSize creates a TransformReader with expected size, i.e. the number of bytes that is expected to be read from this reader. If less than the expected bytes are read, the reader will return io.ErrUnexpectedEOF instead of io.EOF.

Types

type AESGCMNonce

type AESGCMNonce [AESGCMNonceSize]byte

AESGCMNonce represents the nonce used by the AES-GCM protocol

func ToAESGCMNonce

func ToAESGCMNonce(nonce *storj.Nonce) *AESGCMNonce

ToAESGCMNonce returns the nonce as an AES-GCM nonce.

type NoopTransformer

type NoopTransformer struct{}

NoopTransformer is a dummy Transformer that passes data through without modifying it

func (*NoopTransformer) InBlockSize

func (t *NoopTransformer) InBlockSize() int

InBlockSize is 1

func (*NoopTransformer) OutBlockSize

func (t *NoopTransformer) OutBlockSize() int

OutBlockSize is 1

func (*NoopTransformer) Transform

func (t *NoopTransformer) Transform(out, in []byte, blockNum int64) ([]byte, error)

Transform returns the input without modification

type Transformer

type Transformer interface {
	InBlockSize() int  // The block size prior to transformation
	OutBlockSize() int // The block size after transformation
	Transform(out, in []byte, blockNum int64) ([]byte, error)
}

A Transformer is a data transformation that may change the size of the blocks of data it operates on in a deterministic fashion.

func NewAESGCMDecrypter

func NewAESGCMDecrypter(key *storj.Key, startingNonce *AESGCMNonce, encryptedBlockSize int) (Transformer, error)

NewAESGCMDecrypter returns a Transformer that decrypts the data passing through with key. See the comments for NewAESGCMEncrypter about startingNonce.

func NewAESGCMEncrypter

func NewAESGCMEncrypter(key *storj.Key, startingNonce *AESGCMNonce, encryptedBlockSize int) (Transformer, error)

NewAESGCMEncrypter returns a Transformer that encrypts the data passing through with key.

startingNonce is treated as a big-endian encoded unsigned integer, and as blocks pass through, each block's number and the starting nonce are added together to produce that block's nonce. Encrypting different data with the same key and the same nonce is a serious security issue, since nonce reuse under one key breaks both the confidentiality and the integrity guarantees of AES-GCM. It is safe to always encrypt new data with a random key and a random startingNonce. The monotonically increasing nonce (which rolls over) protects against data reordering.

When in doubt, generate a new key from crypto/rand and a startingNonce from crypto/rand as often as possible.

func NewDecrypter

func NewDecrypter(cipher storj.Cipher, key *storj.Key, startingNonce *storj.Nonce, encryptedBlockSize int) (Transformer, error)

NewDecrypter creates a Transformer using the given cipher, key and nonce to decrypt data passing through it

func NewEncrypter

func NewEncrypter(cipher storj.Cipher, key *storj.Key, startingNonce *storj.Nonce, encryptedBlockSize int) (Transformer, error)

NewEncrypter creates a Transformer using the given cipher, key and nonce to encrypt data passing through it

func NewSecretboxDecrypter

func NewSecretboxDecrypter(key *storj.Key, startingNonce *storj.Nonce, encryptedBlockSize int) (Transformer, error)

NewSecretboxDecrypter returns a Transformer that decrypts the data passing through with key. See the comments for NewSecretboxEncrypter about startingNonce.

func NewSecretboxEncrypter

func NewSecretboxEncrypter(key *storj.Key, startingNonce *storj.Nonce, encryptedBlockSize int) (Transformer, error)

NewSecretboxEncrypter returns a Transformer that encrypts the data passing through with key.

startingNonce is treated as a big-endian encoded unsigned integer, and as blocks pass through, each block's number and the starting nonce are added together to produce that block's nonce. Encrypting different data with the same key and the same nonce is a serious security issue, since nonce reuse under one key breaks both the confidentiality and the integrity guarantees of the secretbox construction. It is safe to always encrypt new data with a random key and a random startingNonce. The monotonically increasing nonce (which rolls over) protects against data reordering.

When in doubt, generate a new key from crypto/rand and a startingNonce from crypto/rand as often as possible.
