Content Hash Key (CHK) encryption for HashTree
⚠️ EXPERIMENTAL: Encryption API is unstable and may change.
Uses convergent encryption where the key is derived from the content itself. This enables deduplication: same content → same ciphertext.
Algorithm:
- content_hash = SHA256(plaintext)
- key = HKDF-SHA256(content_hash, salt="hashtree-chk", info="encryption-key")
- ciphertext = AES-256-GCM(key, zero_nonce, plaintext)
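A zero nonce is safe here because CHK guarantees same key = same content: a given key only ever encrypts one plaintext, so the (key, nonce) pair is never reused across different messages.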
Format: [ciphertext][16-byte auth tag]
The content_hash acts as the “decryption key” - store it securely.
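The algorithm above as a Python round trip, using the `cryptography` package. This is an added example, not the crate's own code; the 12-byte all-zero nonce, the absence of associated data, the `seal` and `rejects` helpers and the re-hash check in `decrypt_chk` are assumptions the page does not state.

```python
# Added example, not the crate's code. Assumptions: 12-byte all-zero GCM
# nonce and no associated data (the page specifies neither).
import hashlib

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

ZERO_NONCE = bytes(12)  # assumed nonce length (standard 96-bit GCM nonce)


def content_hash(plaintext: bytes) -> bytes:
    return hashlib.sha256(plaintext).digest()


def derive_key(chash: bytes) -> bytes:
    # key = HKDF-SHA256(content_hash, salt="hashtree-chk", info="encryption-key")
    hkdf = HKDF(algorithm=hashes.SHA256(), length=32,
                salt=b"hashtree-chk", info=b"encryption-key")
    return hkdf.derive(chash)


def seal(chash: bytes, plaintext: bytes) -> bytes:
    # Raw AES-256-GCM under the derived key; output is ciphertext || 16-byte tag.
    return AESGCM(derive_key(chash)).encrypt(ZERO_NONCE, plaintext, None)


def encrypt_chk(plaintext: bytes) -> tuple:
    chash = content_hash(plaintext)
    return seal(chash, plaintext), chash  # chash is the decryption key


def decrypt_chk(blob: bytes, chash: bytes) -> bytes:
    plaintext = AESGCM(derive_key(chash)).decrypt(ZERO_NONCE, blob, None)
    # Added check (assumption, not from the page): the GCM tag only proves the
    # blob was sealed under this key; re-hashing confirms the writer kept the
    # one-key-one-plaintext invariant that makes the zero nonce safe.
    if content_hash(plaintext) != chash:
        raise ValueError("plaintext does not match content hash")
    return plaintext


def rejects(blob: bytes, chash: bytes) -> bool:
    # True if decryption fails (wrong key/tag, or content-hash mismatch).
    try:
        decrypt_chk(blob, chash)
    except (InvalidTag, ValueError):
        return True
    return False
```

Anyone who holds a content hash can seal different data under the same derived key, which is the case the re-hash check catches and the GCM tag alone does not.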
Enums
- CryptoError - Encryption error
Functions
- content_hash - Compute content hash (SHA256) - this becomes the decryption key for CHK
- could_be_encrypted - Check if data could be encrypted (based on minimum size for non-CHK)
- decrypt - Decrypt with a provided key (non-CHK)
- decrypt_chk - CHK decrypt: derive key from content_hash, decrypt with zero nonce
- encrypt - Encrypt with a provided key (non-CHK, random nonce)
- encrypt_chk - CHK encrypt: derive key from content, encrypt with zero nonce
- encrypted_size - Calculate encrypted size for given plaintext size (non-CHK with nonce prefix)
- encrypted_size_chk - Calculate encrypted size for CHK (no nonce prefix)
- generate_key - Generate a random 32-byte key (for non-CHK encryption)
- key_from_hex - Convert hex string to key
- key_to_hex - Convert key to hex string
- plaintext_size - Calculate plaintext size from encrypted size (non-CHK)
Type Aliases
- EncryptionKey - 32-byte encryption key (256 bits) - this is the content hash