2024-06-21 13:01:55 +01:00
|
|
|
# Go `adiantum` SQLite VFS
|
2024-04-18 01:39:47 +01:00
|
|
|
|
|
|
|
|
This package wraps an SQLite VFS to offer encryption at rest.
|
|
|
|
|
|
|
|
|
|
The `"adiantum"` VFS wraps the default SQLite VFS using the
|
|
|
|
|
[Adiantum](https://github.com/lukechampine/adiantum)
|
2024-04-23 01:37:21 +01:00
|
|
|
tweakable and length-preserving encryption.\
|
2024-04-18 01:39:47 +01:00
|
|
|
In general, any HBSH construction can be used to wrap any VFS.
|
|
|
|
|
|
|
|
|
|
The default Adiantum construction uses XChaCha12 for its stream cipher,
|
2024-04-23 01:37:21 +01:00
|
|
|
AES for its block cipher, and NH and Poly1305 for hashing.\
|
|
|
|
|
Additionally, we use [Argon2id](https://pkg.go.dev/golang.org/x/crypto/argon2#hdr-Argon2id)
|
2024-05-01 12:20:33 +01:00
|
|
|
to derive 256-bit keys from plain text where needed.
|
2024-10-17 23:53:39 +01:00
|
|
|
File contents are encrypted in 4 KiB blocks, matching the
|
2024-05-01 12:20:33 +01:00
|
|
|
[default](https://sqlite.org/pgszchng2016.html) SQLite page size.
|
2024-04-18 02:13:59 +01:00
|
|
|
|
2024-04-21 01:56:38 +01:00
|
|
|
The VFS encrypts all files _except_
|
|
|
|
|
[super journals](https://sqlite.org/tempfiles.html#super_journal_files):
|
2024-05-01 12:20:33 +01:00
|
|
|
these _never_ contain database data, only filenames,
|
2024-04-21 01:56:38 +01:00
|
|
|
and padding them to the block size is problematic.
|
|
|
|
|
Temporary files _are_ encrypted with **random** keys,
|
|
|
|
|
as they _may_ contain database data.
|
|
|
|
|
To avoid the overhead of encrypting temporary files,
|
|
|
|
|
keep them in memory:
|
|
|
|
|
|
|
|
|
|
PRAGMA temp_store = memory;
|
2024-04-18 01:39:47 +01:00
|
|
|
|
|
|
|
|
> [!IMPORTANT]
|
2024-05-01 12:20:33 +01:00
|
|
|
> Adiantum is a cipher composition for disk encryption.
|
2024-04-18 01:39:47 +01:00
|
|
|
> The standard threat model for disk encryption considers an adversary
|
|
|
|
|
> that can read multiple snapshots of a disk.
|
2024-05-01 12:20:33 +01:00
|
|
|
> The only security property that disk encryption provides
|
|
|
|
|
> is that all information such an adversary can obtain
|
|
|
|
|
> is whether the data in a sector has or has not changed over time.
|
|
|
|
|
|
|
|
|
|
The encryption offered by this package is fully deterministic.
|
|
|
|
|
|
|
|
|
|
This means that an adversary who can get ahold of multiple snapshots
|
|
|
|
|
(e.g. backups) of a database file can learn precisely:
|
|
|
|
|
which blocks changed, which ones didn't, which got reverted.
|
|
|
|
|
|
2024-10-18 11:59:36 +01:00
|
|
|
This is weaker than other forms of SQLite encryption
|
|
|
|
|
that include *some* nondeterminism.
|
|
|
|
|
With limited nondeterminism, an adversary can't distinguish between
|
|
|
|
|
pages that actually changed, and pages that got reverted;
|
|
|
|
|
a `VACUUM` can fully rebuild the database file,
|
|
|
|
|
preventing this differential analysis.
|
2024-04-23 01:37:21 +01:00
|
|
|
|
|
|
|
|
> [!CAUTION]
|
2024-05-01 12:20:33 +01:00
|
|
|
> This package does not claim protect databases against tampering or forgery.
|
|
|
|
|
|
|
|
|
|
The major practical consequence of the above point is that,
|
|
|
|
|
if you're keeping `"adiantum"` encrypted backups of your database,
|
|
|
|
|
and want to protect against forgery, you should sign your backups,
|
|
|
|
|
and verify signatures before restoring them.
|
|
|
|
|
|
2024-10-18 11:59:36 +01:00
|
|
|
This is weaker than other forms of SQLite encryption
|
2024-10-17 23:53:39 +01:00
|
|
|
that include page-level [MACs](https://en.wikipedia.org/wiki/Message_authentication_code).
|
|
|
|
|
Page-level MACs can protect against forging individual pages,
|
2024-05-01 12:20:33 +01:00
|
|
|
but can't prevent them from being reverted to former versions of themselves.
|
2024-10-17 23:53:39 +01:00
|
|
|
|
|
|
|
|
> [!TIP]
|
2024-10-18 11:59:36 +01:00
|
|
|
> The [`"xts"`](../xts/README.md) VFS also offers encryption at rest.
|
|
|
|
|
> AES-XTS uses _only_ NIST and FIPS 140 approved cryptographic primitives.
|
