Dependencies
- libgcrypt20-dev or libgcrypt-devel
Restrictions
The crypto plugin will encrypt and decrypt values using AES-256 in CBC mode.
The key derivation is still WIP.
Planned Features
- Encryption of values
- Decryption of values
- Key derivation by metadata (password provided within a meta-key)
- Key derivation by using a specified key-file (like the SSH client does)
- Key derivation by utilizing the pgp-agent
The encryption and decryption of values is a straightforward process once the key and IV are supplied. The key-derivation process inside a library is a bit trickier.
The crypto plugin itself can hold configuration data about the order of the applied key derivation functions. For example, if a password is provided by a meta-key, it will be used, otherwise we look for a key file. If no key file has been configured, we try to trigger the PGP agent, etc.
The following example configuration illustrates this concept:
```
system/elektra/crypto/config/key-derivation/#0 = meta
system/elektra/crypto/config/key-derivation/#1 = file
system/elektra/crypto/config/key-derivation/#2 = agent
system/elektra/crypto/config/key-file/path/#0 = ~/.elektra/id_aes
system/elektra/crypto/config/key-file/path/#1 = /etc/elektra/id_aes
```
Only keys marked with a certain meta-key will be considered for encryption/decryption.
Examples
Metadata based encryption
You specify the parameters of the cryptographic operations in a KeySet together with the keys to be encrypted. The following parameters are required:
- Key - the symmetric cryptographic key for encryption
- IV - the initialization vector (IV) that is required by the CBC mode
The following keys are required for metadata based encryption:
```
/elektra/modules/crypto/key-derivation/key
/elektra/modules/crypto/key-derivation/iv
```
You can use the following meta-key to mark a key for encryption:
crypto/encrypt
If this meta-key has a value with a string length greater than 0 (strlen() > 0), the crypto plugin will try to encrypt the key's value.
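The following added example (not part of the plugin, which is written in C) sketches the two decisions described above: walking the configured key-derivation sources in order (meta, then the key-file paths, then the agent) and honouring the `crypto/encrypt` marker. The meta-key name `crypto/password`, the PBKDF2 stand-in for the still-unfinished key derivation, and the injected `read_file`/`ask_agent` callbacks are assumptions made for this example.

```python
import hashlib
import os

# Constructed configuration mirroring the key layout shown in this README;
# the plugin reads these as Elektra keys, here a plain dict stands in for them.
CONFIG = {
    "system/elektra/crypto/config/key-derivation/#0": "meta",
    "system/elektra/crypto/config/key-derivation/#1": "file",
    "system/elektra/crypto/config/key-derivation/#2": "agent",
    "system/elektra/crypto/config/key-file/path/#0": "~/.elektra/id_aes",
    "system/elektra/crypto/config/key-file/path/#1": "/etc/elektra/id_aes",
}

def array_values(config, prefix):
    """Collect prefix/#0, prefix/#1, ... in index order (Elektra array keys)."""
    found = [(int(k.rsplit("#", 1)[1]), v)
             for k, v in config.items() if k.startswith(prefix + "/#")]
    return [v for _, v in sorted(found)]

def should_encrypt(meta):
    """Only keys whose crypto/encrypt meta-key is non-empty (strlen() > 0) are processed."""
    return len(meta.get("crypto/encrypt", "")) > 0

def stretch(secret):
    """Stand-in KDF (assumption: the README says key derivation is still WIP).
    Yields the 32 bytes AES-256 needs; the salt is a constructed constant."""
    return hashlib.pbkdf2_hmac("sha256", secret, b"elektra-example-salt", 100_000, 32)

def derive_key(config, meta, read_file, ask_agent):
    """Walk the configured sources in order; return (source, key) or None.
    read_file(path) -> bytes|None and ask_agent() -> bytes|None are injected
    so the chain can be exercised without touching disk or a real agent."""
    for method in array_values(config, "system/elektra/crypto/config/key-derivation"):
        if method == "meta":
            password = meta.get("crypto/password")  # hypothetical meta-key name
            if password:
                return ("meta", stretch(password.encode()))
        elif method == "file":
            for path in array_values(config, "system/elektra/crypto/config/key-file/path"):
                data = read_file(os.path.expanduser(path))
                if data:
                    return ("file", stretch(data))
        elif method == "agent":
            data = ask_agent()
            if data:
                return ("agent", stretch(data))
    return None  # every configured source failed; caller must refuse to encrypt
```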