aescrypt_rs/encryption/mod.rs
// src/core/encryption/mod.rs

//! AES Crypt v3 encryption surface.
//!
//! This crate writes the AES Crypt v3 format only; v0–v2 are not supported on
//! the write side. The high-level entry point is [`encrypt()`], which composes
//! every helper exposed here into a complete `.aes` file. The lower-level
//! pieces are public so that callers integrating with custom containers
//! (mmap'd files, framed network protocols, etc.) can drive each stage
//! themselves.
//!
//! # Layout of a v3 file
//!
//! ```text
//! +----------------------------------+
//! | "AES" 0x03 0x00                  | write_header
//! | extensions (0x00 0x00 to end)    | write_extensions
//! | iterations (4 BE bytes)          | write_iterations
//! | public IV (16 bytes)             | write_public_iv
//! | encrypted session block (48 B)   | encrypt_session_block + write_octets
//! | session HMAC (32 bytes)          | write_hmac
//! | ciphertext stream + payload HMAC | encrypt_stream
//! +----------------------------------+
//! ```
//!
//! # Security
//!
//! See the [crate-level Security Model](crate#security-model) for the
//! full primitive list. Briefly: AES-256-CBC + HMAC-SHA256 over the encrypted
//! session block and ciphertext, PBKDF2-HMAC-SHA512 for password hardening,
//! [`secure-gate`]-managed memory for every secret. Random IVs and session
//! keys come from the [`secure-gate`] CSPRNG.
//!
//! [`secure-gate`]: https://github.com/Slurp9187/secure-gate

pub(crate) mod encrypt;
pub(crate) mod session;
pub(crate) mod stream;
pub(crate) mod write;

pub use encrypt::encrypt;
pub use session::{derive_setup_key, encrypt_session_block};
pub use stream::encrypt_stream;
pub use write::{
    write_extensions, write_header, write_hmac, write_iterations, write_octets, write_public_iv,
};
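To make the layout table concrete on the read side, here is an added, stand-alone example (not part of aescrypt_rs) that walks a v3 header field by field with bounds-checked reads and returns the offset where the ciphertext stream begins. It assumes the extension encoding the layout only hints at: each extension is a 2-byte big-endian length followed by that many bytes, and a zero length (`0x00 0x00`) ends the list; `V3Header`, `take`, `parse_v3_header` and `sample_header` are names chosen for this example.

```rust
use std::convert::TryInto;
/// Fixed-size v3 header fields plus the offset where the ciphertext stream begins (example type).
#[derive(Debug, PartialEq)]
pub struct V3Header {
    pub extensions: Vec<Vec<u8>>,
    pub iterations: u32,
    pub public_iv: [u8; 16],
    pub session_block: [u8; 48],
    pub session_hmac: [u8; 32],
    pub payload_offset: usize,
}
// Bounds-checked read of `n` bytes: a short or malformed input is an Err, never a panic.
fn take<'a>(buf: &'a [u8], pos: &mut usize, n: usize) -> Result<&'a [u8], &'static str> {
    let out = buf.get(*pos..*pos + n).ok_or("truncated header")?;
    *pos += n;
    Ok(out)
}
pub fn parse_v3_header(buf: &[u8]) -> Result<V3Header, &'static str> {
    let mut pos = 0;
    // "AES" magic, version 0x03, reserved 0x00 (what write_header emits).
    if take(buf, &mut pos, 5)? != &b"AES\x03\x00"[..] {
        return Err("not an AES Crypt v3 header");
    }
    // Extensions: assumed 2-byte big-endian length + body each; a zero length (0x00 0x00) ends the list.
    let mut extensions = Vec::new();
    loop {
        let len = u16::from_be_bytes(take(buf, &mut pos, 2)?.try_into().unwrap()) as usize;
        if len == 0 { break; }
        extensions.push(take(buf, &mut pos, len)?.to_vec());
    }
    let iterations = u32::from_be_bytes(take(buf, &mut pos, 4)?.try_into().unwrap());
    let public_iv: [u8; 16] = take(buf, &mut pos, 16)?.try_into().unwrap();
    let session_block: [u8; 48] = take(buf, &mut pos, 48)?.try_into().unwrap();
    let session_hmac: [u8; 32] = take(buf, &mut pos, 32)?.try_into().unwrap();
    Ok(V3Header { extensions, iterations, public_iv, session_block, session_hmac, payload_offset: pos })
}
/// Constructed sample (not a real .aes file): one extension, 262144 iterations, dummy bytes.
pub fn sample_header() -> Vec<u8> {
    let ext = b"CREATED_BY\x00example";
    let mut v = b"AES\x03\x00".to_vec();
    v.extend_from_slice(&(ext.len() as u16).to_be_bytes());
    v.extend_from_slice(ext);
    v.extend_from_slice(&[0x00, 0x00]); // end of extensions
    v.extend_from_slice(&262_144u32.to_be_bytes());
    v.extend_from_slice(&[0x11; 16]); // public IV
    v.extend_from_slice(&[0x22; 48]); // encrypted session block
    v.extend_from_slice(&[0x33; 32]); // session HMAC
    v.extend_from_slice(b"payload"); // ciphertext stream + payload HMAC would follow
    v
}
```

The session HMAC must be verified over the session block (and the payload HMAC over the stream) before any of the returned bytes are trusted; the parser only establishes where each field lives.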