md_src_plugins_crypto_README(3) README


  • libgcrypt20-dev or libgcrypt-devel


The crypto plugin will encrypt and decrypt values using AES-256 in CBC mode.

The key derivation is still WIP.

Planned Features

  • Encryption of values
  • Decryption of values
  • Key derivation by metadata (password provided within a meta-key)
  • Key derivation by using a specified key-file (like the SSH client does)
  • Key derivation by utilizing the pgp-agent

The encryption and decryption of values is a straight forward process, once the key and IV are supplied. The key-derivation process in a library is a bit tricky.

The crypto plugin itself can hold configuration data about the order of the applied key derivation functions. For example, if a password is provided by a meta-key, it will be used, otherwise we look for a key file. If no key file has been configured, we try to trigger the PGP agent, etc.

The following example configuration illustrates this concept:

    system/elektra/crypto/config/key-derivation/#0 = meta
    system/elektra/crypto/config/key-derivation/#1 = file
    system/elektra/crypto/config/key-derivation/#2 = agent
    system/elektra/crypto/config/key-file/path/#0 = ~/.elektra/id_aes
    system/elektra/crypto/config/key-file/path/#1 = /etc/elektra/id_aes

Only keys marked with a certain meta-key will be considered for encryption/decryption.


Metadata based encyption

You specify the parameters of the cryptographic operations in a KeySet together with the keys to be encrypted. The following parameters are required:

  • Key - the symmetric cryptographic key for encryption
  • IV - the initialization vector (IV) that is required by the CBC mode

The following keys are required for metadata based encryption:


You can use the following meta-key to mark a key for encryption:


If this meta-key has a value with a string-length greater than 0 (strlen() > 0) then the crypto-plugin will try to encrypt it.