Module fog_crypto::stream
source · [−]Expand description
Symmetric-Key encryption.
This submodule provides a StreamKey
for symmetric encryption & decryption of any lockbox
type. Each StreamKey
has a corresponding StreamId
for easily identifying the key needed to
decrypt a lockbox.
Example
// Make a new temporary key
let mut csprng = rand::rngs::OsRng {};
let key = StreamKey::new_temp(&mut csprng);
let id = key.id().clone();
println!("StreamId(Base58): {}", key.id());
// Encrypt some data with the key, then turn it into a byte vector
let data = b"I am sensitive information, about to be encrypted";
let lockbox = key.encrypt_data(&mut csprng, data.as_ref());
let mut encoded = Vec::new();
encoded.extend_from_slice(lockbox.as_bytes());
// Decrypt that data with the same key
let dec_lockbox = DataLockboxRef::from_bytes(encoded.as_ref())?;
let dec_data = key.decrypt_data(&dec_lockbox)?;
Algorithms
The current (and only) algorithm for symmetric encryption is XChaCha20 with a Poly1305 AEAD construction (XChaCha20Poly1305).
The StreamId
is computed by taking the 32-byte secret key and hashing it with BLAKE2b, with
the parameters: no key, no salt, and a persona set to “fog-crypto-sid”. 32 bytes of the output
hash are used to create the StreamId
.
Format
A StreamId
is encoded as a version byte followed by the key itself, whose length is dependant
on the version. For XChaCha20Poly1305, it is 32 bytes plus the version byte.
A StreamKey
is also encoded as a version byte followed by the key itself, whose length is
dependant on the version. For XChaCha20Poly1305, it is 32 bytes plus the version byte. This
encoding is only ever used for the payload of a StreamLockbox
.
See the lockbox
module for documentation on the encoding format for
encrypted payloads.
Structs
A self-contained implementor of StreamInterface
. It’s expected this will be used unless the
symmetric key is being managed by the OS or a hardware module.
An identifier for a corresponding StreamKey
. It is primarily used to indicate lockboxes are
meant for that particular key.
Stream Key that allows encrypting data into a Lockbox
and decrypting it later.
Constants
Default symmetric-key encryption algorithm version.
Maximum accepted symmetric-key encryption algorithm version.
Minimum accepted symmetric-key encryption algorithm version.
Traits
A symmetric encryption/decryption interface, implemented by anything that can hold a symmetric encryption key.
Functions
Create a new StreamKey
to hold a StreamInterface
implementation. Can be used by
implementors of a vault when making new StreamKey
instances.
Compute the corresponding StreamId for a given raw key.
Encrypt data with a StreamKey
, returning a raw byte vector. Implementors of the
StreamInterface can use this when building various lockboxes without it showing up in the
regular StreamKey interface.