2024-04-18 01:39:47 +01:00
|
|
|
// Package adiantum wraps an SQLite VFS to offer encryption at rest.
|
|
|
|
|
//
|
|
|
|
|
// The "adiantum" [vfs.VFS] wraps the default VFS using the
|
2024-04-27 16:31:32 +01:00
|
|
|
// Adiantum tweakable, length-preserving encryption.
|
2024-04-18 01:39:47 +01:00
|
|
|
//
|
2024-04-27 16:31:32 +01:00
|
|
|
// Importing package adiantum registers that VFS:
|
2024-04-18 01:39:47 +01:00
|
|
|
//
|
|
|
|
|
// import _ "github.com/ncruces/go-sqlite3/vfs/adiantum"
|
|
|
|
|
//
|
|
|
|
|
// To open an encrypted database you need to provide key material.
|
2024-04-27 16:31:32 +01:00
|
|
|
//
|
|
|
|
|
// The simplest way to do that is to specify the key through an [URI] parameter:
|
2024-04-18 01:39:47 +01:00
|
|
|
//
|
|
|
|
|
// - key: key material in binary (32 bytes)
|
|
|
|
|
// - hexkey: key material in hex (64 hex digits)
|
|
|
|
|
// - textkey: key material in text (any length)
|
|
|
|
|
//
|
2024-04-27 16:31:32 +01:00
|
|
|
// However, this makes your key easily accessible to other parts of
|
|
|
|
|
// your application (e.g. through [vfs.Filename.URIParameters]).
|
|
|
|
|
//
|
2024-05-03 12:41:59 +01:00
|
|
|
// To avoid this, invoke any of the following PRAGMAs
|
|
|
|
|
// immediately after opening a connection:
|
2024-04-27 16:31:32 +01:00
|
|
|
//
|
|
|
|
|
// PRAGMA key='D41d8cD98f00b204e9800998eCf8427e';
|
|
|
|
|
// PRAGMA hexkey='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
|
|
|
|
|
// PRAGMA textkey='your-secret-key';
|
|
|
|
|
//
|
2024-05-03 12:41:59 +01:00
|
|
|
// For an ATTACH-ed database, you must specify the schema name:
|
|
|
|
|
//
|
|
|
|
|
// ATTACH DATABASE 'demo.db' AS demo;
|
|
|
|
|
// PRAGMA demo.textkey='your-secret-key';
|
|
|
|
|
//
|
2024-04-18 01:39:47 +01:00
|
|
|
// [URI]: https://sqlite.org/uri.html
|
|
|
|
|
package adiantum
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"lukechampine.com/adiantum/hbsh"
|
2024-10-18 12:20:32 +01:00
|
|
|
|
|
|
|
|
"github.com/ncruces/go-sqlite3/vfs"
|
2024-04-18 01:39:47 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func init() {
|
2024-10-25 00:12:29 +01:00
|
|
|
vfs.Register("adiantum", Wrap(vfs.Find(""), nil))
|
2024-04-18 01:39:47 +01:00
|
|
|
}
|
|
|
|
|
|
2024-10-25 00:12:29 +01:00
|
|
|
// Wrap wraps a base VFS to create an encrypting VFS,
|
|
|
|
|
// possibly using a custom HBSH cipher construction.
|
|
|
|
|
//
|
2024-04-18 01:39:47 +01:00
|
|
|
// To use the default Adiantum construction, set cipher to nil.
|
2024-10-17 23:53:39 +01:00
|
|
|
//
|
|
|
|
|
// The default construction uses a 32 byte key/hexkey.
|
|
|
|
|
// If a textkey is provided, the default KDF is Argon2id
|
|
|
|
|
// with 64 MiB of memory, 3 iterations, and 4 threads.
|
2024-10-25 00:12:29 +01:00
|
|
|
func Wrap(base vfs.VFS, cipher HBSHCreator) vfs.VFS {
|
2024-04-18 01:39:47 +01:00
|
|
|
if cipher == nil {
|
|
|
|
|
cipher = adiantumCreator{}
|
|
|
|
|
}
|
2024-10-25 00:12:29 +01:00
|
|
|
return &hbshVFS{
|
2024-04-18 01:39:47 +01:00
|
|
|
VFS: base,
|
2024-10-17 23:53:39 +01:00
|
|
|
init: cipher,
|
2024-10-25 00:12:29 +01:00
|
|
|
}
|
2024-04-18 01:39:47 +01:00
|
|
|
}
|
|
|
|
|
|
2024-04-21 01:56:38 +01:00
|
|
|
// HBSHCreator creates an [hbsh.HBSH] cipher
|
2024-04-18 01:39:47 +01:00
|
|
|
// given key material.
|
|
|
|
|
type HBSHCreator interface {
|
2024-04-21 01:56:38 +01:00
|
|
|
// KDF derives an HBSH key from a secret.
|
|
|
|
|
// If no secret is given, a random key is generated.
|
|
|
|
|
KDF(secret string) (key []byte)
|
2024-04-18 01:39:47 +01:00
|
|
|
|
2024-04-21 01:56:38 +01:00
|
|
|
// HBSH creates an HBSH cipher given a key.
|
|
|
|
|
// If key is not appropriate, nil is returned.
|
2024-04-18 01:39:47 +01:00
|
|
|
HBSH(key []byte) *hbsh.HBSH
|
|
|
|
|
}
|
