Module snapshot


This crate defines and implements the encrypted offline storage format used by the Stronghold ecosystem.

The format has a header with version and magic bytes to appease applications wishing to provide file-type detection.

The data stored within a snapshot is considered opaque and uses 256-bit keys. The crate provides recommended ways to derive the snapshot encryption key from a user-provided password. The format also allows using an authenticated data bytestring to further protect the offline snapshot files (one might consider using a secondary user password strengthened by an HSM).

The current version of the format uses X25519 together with an ephemeral key to derive a shared key for the symmetric XChaCha20 cipher and uses the Poly1305 message authentication algorithm. Future versions, if larger snapshot sizes and/or random access are required, might consider encrypting smaller chunks (B-trees?) or similar using per-chunk derived ephemeral keys.
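The header layout documented on this page (magic at bytes 0-4, version at bytes 5-6), as an added example that is not the crate's own code: a header check a file-type detector or triage tool could run before handing a file to `decrypt_file`. `HeaderError`, `parse_header` and the sample version bytes are hypothetical; the page does not state the value of `VERSION`, so the accepted versions are supplied by the caller.

```rust
// Header layout taken from the constants documented on this page.
const MAGIC: [u8; 5] = *b"PARTI"; // bytes 0-4, read here as ASCII
const VERSION_LEN: usize = 2; // bytes 5-6
const HEADER_LEN: usize = MAGIC.len() + VERSION_LEN;

#[derive(Debug, PartialEq)]
enum HeaderError {
    /// Too short to hold magic and version.
    Truncated { got: usize },
    /// Bytes 0-4 are not the snapshot magic.
    BadMagic,
    /// Magic matched, but the caller does not accept this version.
    UnsupportedVersion([u8; 2]),
}

/// Validate the header; return the version bytes and the remaining bytes
/// (the encrypted body, which this check treats as opaque).
fn parse_header<'a>(
    data: &'a [u8],
    accepted: &[[u8; 2]],
) -> Result<([u8; 2], &'a [u8]), HeaderError> {
    // Length check first so the splits below cannot panic.
    if data.len() < HEADER_LEN {
        return Err(HeaderError::Truncated { got: data.len() });
    }
    let (magic, rest) = data.split_at(MAGIC.len());
    if magic != &MAGIC[..] {
        return Err(HeaderError::BadMagic);
    }
    let (ver, body) = rest.split_at(VERSION_LEN);
    let version = [ver[0], ver[1]];
    // Reject unknown versions instead of guessing at their layout.
    if !accepted.contains(&version) {
        return Err(HeaderError::UnsupportedVersion(version));
    }
    Ok((version, body))
}

fn main() {
    // Constructed samples; version 0x01 0x00 is made up for illustration.
    let accepted = [[1u8, 0u8]];
    println!("{:?}", parse_header(b"PARTI\x01\x00\xde\xad\xbe\xef", &accepted));
    println!("{:?}", parse_header(b"PART", &accepted));
    println!("{:?}", parse_header(b"PARTY\x01\x00", &accepted));
    println!("{:?}", parse_header(b"PARTI\x09\x09", &accepted));
}
```

A passing header check only identifies the file type; integrity of the body is established when decryption verifies the Poly1305 tag.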

Modules§

files
migration

Structs§

Lz4DecodeError

Enums§

ReadError
WriteError

Constants§

KEY_SIZE
Key size for the ephemeral key
MAGIC
Magic bytes (bytes 0-4 in a snapshot file) aka PARTI
VERSION
Current version bytes (bytes 5-6 in a snapshot file)

Functions§

compress
Compress data using an LZ4 Algorithm.
decompress
Decompress data using an LZ4 Algorithm.
decrypt_content
Decrypt snapshot content with key using maximum work factor recommended for password-based (weak) keys.
decrypt_content_with_work_factor
Decrypt snapshot content with key using custom maximum work factor.
decrypt_file
Check the file header, decrypt_content, and decompress the ciphertext from the specified path.
encrypt_content
Encrypt snapshot content with key using work factor recommended for password-based (weak) keys.
encrypt_content_with_work_factor
Encrypt snapshot content with key using custom work factor.
encrypt_file
Write the magic and version bytes as the file header, then encrypt_content the specified plaintext to the specified path.
get_encrypt_work_factor
try_set_encrypt_work_factor

Type Aliases§

Key
Key type alias.