UUXO/dbbackup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 31 Wiki Activity
Files
2e942f04a48c6763d272aae6936350c7f00a2826
dbbackup/internal/crypto/interface.go
Renz 872f21c8cd feat: Phase 4 Steps 1-2 - Encryption library (AES-256-GCM) 
Implemented complete encryption infrastructure:

internal/crypto/interface.go:
- Encryptor interface with streaming encrypt/decrypt
- EncryptionConfig with key management (file/env var)
- EncryptionMetadata for backup metadata
- Support for AES-256-GCM algorithm
- KeyDeriver interface for PBKDF2

internal/crypto/aes.go:
- AESEncryptor implementation
- Streaming encryption (memory-efficient, 64KB chunks)
- AES-256-GCM authenticated encryption
- PBKDF2-SHA256 key derivation (600k iterations)
- Random nonce generation per chunk
- File and stream encryption/decryption
- Key validation (32-byte requirement)

Features:
 Streaming encryption (no memory bloat)
 Authenticated encryption (tamper detection)
 Secure key derivation (PBKDF2 + salt)
 Chunk-based encryption (64KB buffers)
 Nonce counter mode (prevents replay)
 File and stream APIs
 Clear error messages

internal/crypto/aes_test.go:
- Stream encryption/decryption tests
- File encryption/decryption tests
- Wrong key detection tests
- Key derivation tests
- Key validation tests
- Large data (1MB) tests

Test Results:
 TestAESEncryptionDecryption: PASS
 TestKeyDerivation: PASS (1.37s PBKDF2)
 TestKeyValidation: PASS
 TestLargeData: PASS (1MB streaming)

Security Properties:
- AES-256 (256-bit keys)
- GCM mode (authenticated encryption)
- PBKDF2 (600,000 iterations, OWASP compliant)
- Random nonces (cryptographically secure)
- 32-byte salt for key derivation

Status: CORE ENCRYPTION READY 
Next: CLI integration (--encrypt flags)
2025-11-26 07:44:09 +00:00

87 lines
2.6 KiB
Go
Raw Blame History

package crypto
import (
"io"
)
// EncryptionAlgorithm represents the encryption algorithm used
type EncryptionAlgorithm string
const (
AlgorithmAES256GCM EncryptionAlgorithm = "aes-256-gcm"
)
// EncryptionConfig holds encryption configuration
type EncryptionConfig struct {
// Enabled indicates whether encryption is enabled
Enabled bool
// KeyFile is the path to a file containing the encryption key
KeyFile string
// KeyEnvVar is the name of an environment variable containing the key
KeyEnvVar string
// Algorithm specifies the encryption algorithm to use
Algorithm EncryptionAlgorithm
// Key is the actual encryption key (derived from KeyFile or KeyEnvVar)
Key []byte
}
// Encryptor provides encryption and decryption capabilities
type Encryptor interface {
// Encrypt encrypts data from reader and returns an encrypted reader
// The returned reader streams encrypted data without loading everything into memory
Encrypt(reader io.Reader, key []byte) (io.Reader, error)
// Decrypt decrypts data from reader and returns a decrypted reader
// The returned reader streams decrypted data without loading everything into memory
Decrypt(reader io.Reader, key []byte) (io.Reader, error)
// EncryptFile encrypts a file in-place or to a new file
EncryptFile(inputPath, outputPath string, key []byte) error
// DecryptFile decrypts a file in-place or to a new file
DecryptFile(inputPath, outputPath string, key []byte) error
// Algorithm returns the encryption algorithm used by this encryptor
Algorithm() EncryptionAlgorithm
}
// KeyDeriver derives encryption keys from passwords/passphrases
type KeyDeriver interface {
// DeriveKey derives a key from a password using PBKDF2 or similar
DeriveKey(password []byte, salt []byte, keyLength int) ([]byte, error)
// GenerateSalt generates a random salt for key derivation
GenerateSalt() ([]byte, error)
}
// EncryptionMetadata contains metadata about encrypted backups
type EncryptionMetadata struct {
// Algorithm used for encryption
Algorithm string `json:"algorithm"`
// KeyDerivation method used (e.g., "pbkdf2-sha256")
KeyDerivation string `json:"key_derivation,omitempty"`
// Salt used for key derivation (base64 encoded)
Salt string `json:"salt,omitempty"`
// Nonce/IV used for encryption (base64 encoded)
Nonce string `json:"nonce,omitempty"`
// Version of encryption format
Version int `json:"version"`
}
// DefaultConfig returns a default encryption configuration
func DefaultConfig() *EncryptionConfig {
return &EncryptionConfig{
Enabled: false,
Algorithm: AlgorithmAES256GCM,
KeyEnvVar: "DBBACKUP_ENCRYPTION_KEY",
}
}
Reference in New Issue View Git Blame Copy Permalink