enc_file 0.6.3

Password-based file encryption tool with a versioned header, AEAD, Argon2id KDF, and streaming mode. Library + CLI + GUI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

//! Named symmetric key map management.

use crate::file::write_all_atomic;
use crate::types::{EncFileError, EncryptOptions, KeyMap};
use secrecy::SecretString;
use std::fs::File;
use std::io::Read;
use std::path::Path;
use zeroize::Zeroize;

/// Load an encrypted key map from disk using a password.
///
/// The key map is expected to be an encrypted CBOR-encoded HashMap
/// created by `save_keymap`.
///
/// # Arguments
///
/// * `path` - Path to the encrypted key map file
/// * `password` - Password used to encrypt the key map
///
/// # Returns
///
/// The decrypted key map containing string names mapped to key data.
pub fn load_keymap(path: &Path, password: SecretString) -> Result<KeyMap, EncFileError> {
    let mut data = Vec::new();
    File::open(path)?.read_to_end(&mut data)?;
    let mut pt = crate::decrypt_bytes(&data, password)?;
    let map: KeyMap = ciborium::de::from_reader(pt.as_slice())?;

    // Zeroize the plaintext keymap data after deserialization
    pt.zeroize();

    Ok(map)
}

/// Save a key map to disk encrypted with a password.
///
/// The key map is CBOR-encoded and then encrypted using the provided options.
/// On Unix systems, the output file permissions are set to 0600 for security.
///
/// # Arguments
///
/// * `path` - Output path for the encrypted key map
/// * `password` - Password to encrypt the key map with
/// * `map` - The key map to save
/// * `opts` - Encryption options (streaming is not supported for key maps)
///
/// # Errors
///
/// Returns `EncFileError::Invalid` if streaming mode is requested, as key maps
/// don't support streaming encryption.
pub fn save_keymap(
    path: &Path,
    password: SecretString,
    map: &KeyMap,
    opts: &EncryptOptions,
) -> Result<(), EncFileError> {
    let mut pt = Vec::new();
    ciborium::ser::into_writer(map, &mut pt)?;
    let bytes = if opts.stream {
        return Err(EncFileError::Invalid("keymap: streaming not supported"));
    } else {
        crate::encrypt_bytes(&pt, password, opts)?
    };

    // Zeroize the plaintext serialized keymap data after encryption
    pt.zeroize();

    write_all_atomic(path, &bytes, true)?;
    Ok(())
}