sochdb-storage 2.0.1

SochDB storage engine (WAL, block store, compaction, sync-first I/O)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351

// SPDX-License-Identifier: AGPL-3.0-or-later
// SochDB - LLM-Optimized Embedded Database
// Copyright (C) 2026 Sushanth Reddy Vanagala (https://github.com/sushanthpy)

//! # Data-at-Rest Encryption (Enterprise Security)
//!
//! Transparent AES-256-GCM-SIV encryption for data blocks, WAL entries,
//! and checkpoint files. Uses nonce-misuse-resistant authenticated encryption
//! to prevent catastrophic failures from nonce reuse.
//!
//! ## Design Choices
//!
//! - **AES-256-GCM-SIV**: Nonce-misuse resistant — safe even if nonces are
//!   accidentally repeated (unlike plain AES-GCM which is catastrophic).
//! - **Per-block random nonces**: 12-byte random nonce per encrypt operation.
//! - **Zero-copy where possible**: Encrypt in-place for WAL append path.
//! - **Key wrapping**: Data Encryption Key (DEK) is wrapped by a Key Encryption
//!   Key (KEK) loaded from Kubernetes Secrets or env vars.
//!
//! ## Wire Format
//!
//! ```text
//! [1 byte: version] [12 bytes: nonce] [N bytes: ciphertext+tag]
//! ```
//!
//! Version 1: AES-256-GCM-SIV with 12-byte nonce, 16-byte auth tag appended
//! to ciphertext by the AEAD.
//!
//! ## Performance Notes
//!
//! On x86_64 with AES-NI: ~4 GB/s encryption throughput (hardware-accelerated).
//! The overhead is negligible compared to disk I/O.

use aes_gcm_siv::{
    aead::{Aead, KeyInit, OsRng},
    Aes256GcmSiv, Nonce,
};
use rand::RngCore;
use zeroize::Zeroize;

/// Current encryption format version.
const ENCRYPTION_VERSION: u8 = 1;
/// Nonce size for AES-256-GCM-SIV.
const NONCE_SIZE: usize = 12;
/// Header size: 1 (version) + 12 (nonce).
const HEADER_SIZE: usize = 1 + NONCE_SIZE;

/// Data-at-rest encryption engine.
///
/// Wraps AES-256-GCM-SIV with random nonces. Thread-safe (the cipher
/// is `Send + Sync` and nonce generation uses OS randomness).
pub struct EncryptionEngine {
    cipher: Aes256GcmSiv,
    /// Whether encryption is active (false = passthrough)
    enabled: bool,
}

impl EncryptionEngine {
    /// Create an encryption engine with the given 256-bit key.
    ///
    /// The key must be exactly 32 bytes. Typically loaded from
    /// Kubernetes Secrets or the `SOCHDB_ENCRYPTION_KEY` env var.
    pub fn new(key: &[u8; 32]) -> Self {
        let cipher = Aes256GcmSiv::new_from_slice(key)
            .expect("AES-256-GCM-SIV key must be 32 bytes");
        Self {
            cipher,
            enabled: true,
        }
    }

    /// Create a disabled (passthrough) encryption engine.
    ///
    /// `encrypt()` and `decrypt()` are identity operations when disabled.
    pub fn disabled() -> Self {
        // Use a dummy key — cipher is never called when disabled
        let key = [0u8; 32];
        let cipher = Aes256GcmSiv::new_from_slice(&key)
            .expect("AES-256-GCM-SIV key must be 32 bytes");
        Self {
            cipher,
            enabled: false,
        }
    }

    /// Whether encryption is active.
    pub fn is_enabled(&self) -> bool {
        self.enabled
    }

    /// Encrypt a plaintext block.
    ///
    /// Returns `[version(1) | nonce(12) | ciphertext+tag(N+16)]`.
    ///
    /// # Performance
    ///
    /// ~4 GB/s on x86_64 with AES-NI. The overhead is the 13-byte header
    /// plus 16-byte auth tag per block.
    pub fn encrypt(&self, plaintext: &[u8]) -> Result<Vec<u8>, EncryptionError> {
        if !self.enabled {
            return Ok(plaintext.to_vec());
        }

        // Generate random nonce
        let mut nonce_bytes = [0u8; NONCE_SIZE];
        OsRng.fill_bytes(&mut nonce_bytes);
        let nonce = Nonce::from_slice(&nonce_bytes);

        let ciphertext = self
            .cipher
            .encrypt(nonce, plaintext)
            .map_err(|_| EncryptionError::EncryptFailed)?;

        // Build output: version + nonce + ciphertext
        let mut output = Vec::with_capacity(HEADER_SIZE + ciphertext.len());
        output.push(ENCRYPTION_VERSION);
        output.extend_from_slice(&nonce_bytes);
        output.extend_from_slice(&ciphertext);

        Ok(output)
    }

    /// Decrypt an encrypted block produced by `encrypt()`.
    ///
    /// Validates the version byte and authentication tag.
    pub fn decrypt(&self, encrypted: &[u8]) -> Result<Vec<u8>, EncryptionError> {
        if !self.enabled {
            return Ok(encrypted.to_vec());
        }

        if encrypted.len() < HEADER_SIZE + 16 {
            return Err(EncryptionError::InvalidFormat(
                "Data too short for encrypted block".into(),
            ));
        }

        let version = encrypted[0];
        if version != ENCRYPTION_VERSION {
            return Err(EncryptionError::UnsupportedVersion(version));
        }

        let nonce = Nonce::from_slice(&encrypted[1..HEADER_SIZE]);
        let ciphertext = &encrypted[HEADER_SIZE..];

        self.cipher
            .decrypt(nonce, ciphertext)
            .map_err(|_| EncryptionError::DecryptFailed)
    }

    /// Encrypt in-place for zero-copy WAL append.
    ///
    /// Prepends the header to the buffer and encrypts the payload region.
    /// The buffer is resized to accommodate the header + auth tag.
    pub fn encrypt_in_place(&self, buffer: &mut Vec<u8>) -> Result<(), EncryptionError> {
        if !self.enabled {
            return Ok(());
        }

        let encrypted = self.encrypt(buffer)?;
        *buffer = encrypted;
        Ok(())
    }
}

/// Encryption error types.
#[derive(Debug)]
pub enum EncryptionError {
    /// Encryption operation failed
    EncryptFailed,
    /// Decryption failed (wrong key or tampered data)
    DecryptFailed,
    /// Invalid encrypted data format
    InvalidFormat(String),
    /// Unsupported encryption version
    UnsupportedVersion(u8),
}

impl std::fmt::Display for EncryptionError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            EncryptionError::EncryptFailed => write!(f, "Encryption failed"),
            EncryptionError::DecryptFailed => {
                write!(f, "Decryption failed (wrong key or tampered data)")
            }
            EncryptionError::InvalidFormat(msg) => write!(f, "Invalid format: {}", msg),
            EncryptionError::UnsupportedVersion(v) => {
                write!(f, "Unsupported encryption version: {}", v)
            }
        }
    }
}

impl std::error::Error for EncryptionError {}

/// Generate a new random 256-bit encryption key.
///
/// Use this to generate a key for `SOCHDB_ENCRYPTION_KEY`.
/// The returned key should be base64-encoded and stored in
/// Kubernetes Secrets.
pub fn generate_key() -> [u8; 32] {
    let mut key = [0u8; 32];
    OsRng.fill_bytes(&mut key);
    key
}

/// A wrapper that zeroizes the key material on drop.
#[derive(Zeroize)]
#[zeroize(drop)]
pub struct EncryptionKey {
    bytes: [u8; 32],
}

impl EncryptionKey {
    pub fn new(bytes: [u8; 32]) -> Self {
        Self { bytes }
    }

    pub fn as_bytes(&self) -> &[u8; 32] {
        &self.bytes
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_encrypt_decrypt_roundtrip() {
        let key = generate_key();
        let engine = EncryptionEngine::new(&key);

        let plaintext = b"Hello, SochDB enterprise encryption!";
        let encrypted = engine.encrypt(plaintext).unwrap();

        // Encrypted should be larger (header + auth tag)
        assert!(encrypted.len() > plaintext.len());
        assert_eq!(encrypted[0], ENCRYPTION_VERSION);

        let decrypted = engine.decrypt(&encrypted).unwrap();
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_encrypt_empty() {
        let key = generate_key();
        let engine = EncryptionEngine::new(&key);

        let encrypted = engine.encrypt(b"").unwrap();
        let decrypted = engine.decrypt(&encrypted).unwrap();
        assert!(decrypted.is_empty());
    }

    #[test]
    fn test_encrypt_large_block() {
        let key = generate_key();
        let engine = EncryptionEngine::new(&key);

        // 1 MB block
        let plaintext: Vec<u8> = (0..1_000_000).map(|i| (i % 256) as u8).collect();
        let encrypted = engine.encrypt(&plaintext).unwrap();
        let decrypted = engine.decrypt(&encrypted).unwrap();
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_wrong_key_fails() {
        let key1 = generate_key();
        let key2 = generate_key();
        let engine1 = EncryptionEngine::new(&key1);
        let engine2 = EncryptionEngine::new(&key2);

        let encrypted = engine1.encrypt(b"secret data").unwrap();
        let result = engine2.decrypt(&encrypted);
        assert!(result.is_err());
    }

    #[test]
    fn test_tampered_data_fails() {
        let key = generate_key();
        let engine = EncryptionEngine::new(&key);

        let mut encrypted = engine.encrypt(b"important data").unwrap();
        // Flip a byte in the ciphertext
        let last = encrypted.len() - 1;
        encrypted[last] ^= 0xFF;

        let result = engine.decrypt(&encrypted);
        assert!(result.is_err());
    }

    #[test]
    fn test_disabled_passthrough() {
        let engine = EncryptionEngine::disabled();

        let plaintext = b"no encryption here";
        let encrypted = engine.encrypt(plaintext).unwrap();
        assert_eq!(encrypted, plaintext);

        let decrypted = engine.decrypt(&encrypted).unwrap();
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_unique_nonces() {
        let key = generate_key();
        let engine = EncryptionEngine::new(&key);

        let enc1 = engine.encrypt(b"same plaintext").unwrap();
        let enc2 = engine.encrypt(b"same plaintext").unwrap();

        // Nonces should differ even for same plaintext
        assert_ne!(enc1[1..13], enc2[1..13]);
        // Ciphertexts should differ
        assert_ne!(enc1, enc2);
    }

    #[test]
    fn test_invalid_format() {
        let key = generate_key();
        let engine = EncryptionEngine::new(&key);

        // Too short
        assert!(engine.decrypt(&[1, 2, 3]).is_err());
        // Wrong version
        let mut fake = vec![99u8; 50];
        assert!(engine.decrypt(&fake).is_err());
    }

    #[test]
    fn test_key_zeroize() {
        let mut key = EncryptionKey::new(generate_key());
        assert_ne!(key.as_bytes(), &[0u8; 32]);
        drop(key);
        // After drop, memory should be zeroed (we can't read it, but the Zeroize
        // derive guarantees it)
    }

    #[test]
    fn test_encrypt_in_place() {
        let key = generate_key();
        let engine = EncryptionEngine::new(&key);

        let original = b"WAL entry payload".to_vec();
        let mut buffer = original.clone();
        engine.encrypt_in_place(&mut buffer).unwrap();

        assert_ne!(buffer, original);
        let decrypted = engine.decrypt(&buffer).unwrap();
        assert_eq!(decrypted, original);
    }
}