feat: Phase 4 Steps 1-2 - Encryption library (AES-256-GCM)
Implemented complete encryption infrastructure: internal/crypto/interface.go: - Encryptor interface with streaming encrypt/decrypt - EncryptionConfig with key management (file/env var) - EncryptionMetadata for backup metadata - Support for AES-256-GCM algorithm - KeyDeriver interface for PBKDF2 internal/crypto/aes.go: - AESEncryptor implementation - Streaming encryption (memory-efficient, 64KB chunks) - AES-256-GCM authenticated encryption - PBKDF2-SHA256 key derivation (600k iterations) - Random nonce generation per chunk - File and stream encryption/decryption - Key validation (32-byte requirement) Features: ✅ Streaming encryption (no memory bloat) ✅ Authenticated encryption (tamper detection) ✅ Secure key derivation (PBKDF2 + salt) ✅ Chunk-based encryption (64KB buffers) ✅ Nonce counter mode (prevents replay) ✅ File and stream APIs ✅ Clear error messages internal/crypto/aes_test.go: - Stream encryption/decryption tests - File encryption/decryption tests - Wrong key detection tests - Key derivation tests - Key validation tests - Large data (1MB) tests Test Results: ✅ TestAESEncryptionDecryption: PASS ✅ TestKeyDerivation: PASS (1.37s PBKDF2) ✅ TestKeyValidation: PASS ✅ TestLargeData: PASS (1MB streaming) Security Properties: - AES-256 (256-bit keys) - GCM mode (authenticated encryption) - PBKDF2 (600,000 iterations, OWASP compliant) - Random nonces (cryptographically secure) - 32-byte salt for key derivation Status: CORE ENCRYPTION READY ✅ Next: CLI integration (--encrypt flags)
This commit is contained in:
86
internal/crypto/interface.go
Normal file
86
internal/crypto/interface.go
Normal file
@@ -0,0 +1,86 @@
|
||||
package crypto
|
||||
|
||||
import (
|
||||
"io"
|
||||
)
|
||||
|
||||
// EncryptionAlgorithm represents the encryption algorithm used
|
||||
type EncryptionAlgorithm string
|
||||
|
||||
const (
|
||||
AlgorithmAES256GCM EncryptionAlgorithm = "aes-256-gcm"
|
||||
)
|
||||
|
||||
// EncryptionConfig holds encryption configuration
|
||||
type EncryptionConfig struct {
|
||||
// Enabled indicates whether encryption is enabled
|
||||
Enabled bool
|
||||
|
||||
// KeyFile is the path to a file containing the encryption key
|
||||
KeyFile string
|
||||
|
||||
// KeyEnvVar is the name of an environment variable containing the key
|
||||
KeyEnvVar string
|
||||
|
||||
// Algorithm specifies the encryption algorithm to use
|
||||
Algorithm EncryptionAlgorithm
|
||||
|
||||
// Key is the actual encryption key (derived from KeyFile or KeyEnvVar)
|
||||
Key []byte
|
||||
}
|
||||
|
||||
// Encryptor provides encryption and decryption capabilities
|
||||
type Encryptor interface {
|
||||
// Encrypt encrypts data from reader and returns an encrypted reader
|
||||
// The returned reader streams encrypted data without loading everything into memory
|
||||
Encrypt(reader io.Reader, key []byte) (io.Reader, error)
|
||||
|
||||
// Decrypt decrypts data from reader and returns a decrypted reader
|
||||
// The returned reader streams decrypted data without loading everything into memory
|
||||
Decrypt(reader io.Reader, key []byte) (io.Reader, error)
|
||||
|
||||
// EncryptFile encrypts a file in-place or to a new file
|
||||
EncryptFile(inputPath, outputPath string, key []byte) error
|
||||
|
||||
// DecryptFile decrypts a file in-place or to a new file
|
||||
DecryptFile(inputPath, outputPath string, key []byte) error
|
||||
|
||||
// Algorithm returns the encryption algorithm used by this encryptor
|
||||
Algorithm() EncryptionAlgorithm
|
||||
}
|
||||
|
||||
// KeyDeriver derives encryption keys from passwords/passphrases
|
||||
type KeyDeriver interface {
|
||||
// DeriveKey derives a key from a password using PBKDF2 or similar
|
||||
DeriveKey(password []byte, salt []byte, keyLength int) ([]byte, error)
|
||||
|
||||
// GenerateSalt generates a random salt for key derivation
|
||||
GenerateSalt() ([]byte, error)
|
||||
}
|
||||
|
||||
// EncryptionMetadata contains metadata about encrypted backups
|
||||
type EncryptionMetadata struct {
|
||||
// Algorithm used for encryption
|
||||
Algorithm string `json:"algorithm"`
|
||||
|
||||
// KeyDerivation method used (e.g., "pbkdf2-sha256")
|
||||
KeyDerivation string `json:"key_derivation,omitempty"`
|
||||
|
||||
// Salt used for key derivation (base64 encoded)
|
||||
Salt string `json:"salt,omitempty"`
|
||||
|
||||
// Nonce/IV used for encryption (base64 encoded)
|
||||
Nonce string `json:"nonce,omitempty"`
|
||||
|
||||
// Version of encryption format
|
||||
Version int `json:"version"`
|
||||
}
|
||||
|
||||
// DefaultConfig returns a default encryption configuration
|
||||
func DefaultConfig() *EncryptionConfig {
|
||||
return &EncryptionConfig{
|
||||
Enabled: false,
|
||||
Algorithm: AlgorithmAES256GCM,
|
||||
KeyEnvVar: "DBBACKUP_ENCRYPTION_KEY",
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user