secure

package module
v0.0.0-...-63d9982 Latest
Warning

This package is not in the latest version of its module.

Published: Nov 18, 2016 License: GPL-3.0 Imports: 13 Imported by: 0

README

secure

Package secure exports secure encryption and decryption functions and provides example commands.

secure is designed to allow text passwords to be used as secure encryption keys. This does not remove the need to select hard-to-guess passwords that are sufficiently long and that use a sufficiently diverse character set. The text password is processed by PBKDF2 to create a 32-byte pseudorandom master key. A variable number of iterations (minimum 250,000) slows down any brute-force attack on the text password. HKDF is then used to expand the master key into two cryptographically independent keys, one for encryption/decryption and one for MAC authentication.

Encryption/decryption is done using AES in CBC mode with a 256 bit key. MAC authentication is performed by HMAC using SHA256.

Structure

The secure package exports the following functions:

  • Encrypt - secure encryption
  • Decrypt - secure decryption
  • IsAuthError - returns true if error returned by Decrypt is an authentication error

A go test source file is included to verify the correct operation of these functions.

The secure package includes the following commands utilizing Encrypt and Decrypt:

  • wrap - encryption
  • unwrap - decryption

These are examples of the use of the functions exported by secure. They are also safe commands for the secure encryption and decryption of single files. The command switch -h provides a listing of the parameters of each command.

This is a pipeline example verifying the basic functionality of these commands:

ls -al | ./wrap -pw foo -stdin | ./unwrap -pw foo -stdin

To encrypt a file with double checked non-echoed password entry:

wrap input inputEncrypted

To decrypt the encrypted file with non-echoed password entry:

unwrap inputEncrypted inputOriginal

Please note that non-echoed passwords work under the Windows cmd shell and Linux bash. Alternate environments such as cygwin may fail to hide the password.

With the -blk parameter, wrap names its output file by appending ".blk" to the input file name, and unwrap removes the ".blk" again:

wrap -blk input.txt yields input.txt.blk

unwrap -blk input.txt.blk yields input.txt

Neither command will overwrite an existing file unless -o is specified.

Requirements

secure is a golang project. Access golang at golang.org.

secure uses the following go packages from sub-repositories not included in the base go development environment. They can be accessed with go get:

  • "golang.org/x/crypto/pbkdf2"
  • "golang.org/x/crypto/hkdf"
  • "github.com/howeyc/gopass" - only needed by the wrap and unwrap commands

secure has only been tested on Linux and Windows.

To Do

  • Test secure on OS X. secure functions on Windows and Linux.
  • Host binary versions for all environments. Currently only Win64 binaries are hosted.

Documentation

Overview

Package secure exports secure encryption and decryption functions. It uses AES ciphers and HMAC from go libraries, and defines and uses PKCS#7 padding. Secure keys are created from a password with PBKDF2 and HKDF from the go crypto sub-repository. Some logic is based on go code examples from golang.org.

Cryptography is difficult to implement correctly. My main body of knowledge came from the coursera.org class Cryptography I taught at Stanford by Dan Boneh. This course emphasizes correctly applying cryptographic principles. As of 2014 it is still being taught periodically and I highly recommend it. Any errors or misunderstandings, of course, are solely my responsibility.


Functions

func Decrypt

func Decrypt(macedInput []byte, password []byte) (plaintext []byte, err error)

Decrypt checks the MAC and then decrypts the authenticated ciphertext.

func Encrypt

func Encrypt(input []byte, password []byte) (output []byte, err error)

Encrypt performs authenticated encryption using master key derivation, key expansion and Encrypt-then-MAC.

func IsAuthError

func IsAuthError(err error) bool

IsAuthError checks whether parameter is an Authentication Error.
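
The construction described in the README and in the Encrypt and Decrypt docs above (two subkeys expanded from the master key, AES-256-CBC with PKCS#7 padding, HMAC-SHA256, Encrypt-then-MAC with the MAC checked before decryption), as an added example that is not the package's own code. It starts from a 32-byte master key such as the PBKDF2 output; the names seal, open, subkey and errAuth, the "enc"/"mac" labels and the iv || ciphertext || tag layout are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var errAuth = errors.New("authentication failed") // constructed sentinel error

// hm is HMAC-SHA256; subkey is one HKDF-Expand block (labels are assumptions).
func hm(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}
func subkey(master []byte, label string) []byte { return hm(master, []byte(label+"\x01")) }

// seal returns iv || AES-256-CBC(PKCS#7(plain)) || HMAC-SHA256(iv || ciphertext).
func seal(master, plain []byte) ([]byte, error) {
	out := make([]byte, aes.BlockSize) // fresh random IV per message
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	out = append(append(out, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	blk, _ := aes.NewCipher(subkey(master, "enc")) // key is always 32 bytes
	cipher.NewCBCEncrypter(blk, out[:16]).CryptBlocks(out[16:], out[16:])
	return append(out, hm(subkey(master, "mac"), out)...), nil
}

// open checks the tag in constant time before any decryption or unpadding.
func open(master, in []byte) ([]byte, error) {
	n := len(in) - sha256.Size
	if n < 32 || n%16 != 0 || !hmac.Equal(in[n:], hm(subkey(master, "mac"), in[:n])) {
		return nil, errAuth
	}
	buf := make([]byte, n-16)
	blk, _ := aes.NewCipher(subkey(master, "enc"))
	cipher.NewCBCDecrypter(blk, in[:16]).CryptBlocks(buf, in[16:n])
	return buf[:len(buf)-int(buf[len(buf)-1])], nil // padding was authenticated
}

func main() { fmt.Println(open(make([]byte, 32), []byte("not a sealed message"))) }
```

A wrong key and a modified ciphertext both fail at the same tag comparison, so a caller sees one authentication error and the CBC padding is never examined for unauthenticated input.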


Directories

Path Synopsis
The unwrap command decrypts data that has been encrypted with wrap secure encryption.
The wrap command performs secure encryption with password using the secure package.
