go/sqlite3
1
0
Fork 0
mirror of https://github.com/ncruces/go-sqlite3.git synced 2026-01-11 21:49:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

AES-XTS VFS (#171)

Browse Source 
Co-authored-by: Ben Krieger <ben.krieger@intel.com>
This commit is contained in:
Nuno Cruces
2024-10-17 23:53:39 +01:00
committed by GitHub
parent 714ea0e779
commit d6aebe67cc
15 changed files with 660 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
vfs/adiantum/README.md
View File

@@ -11,7 +11,7 @@ The default Adiantum construction uses XChaCha12 for its stream cipher,
AES for its block cipher, and NH and Poly1305 for hashing.\
Additionally, we use [Argon2id](https://pkg.go.dev/golang.org/x/crypto/argon2#hdr-Argon2id)
to derive 256-bit keys from plain text where needed.
File contents are encrypted in 4K blocks, matching the
File contents are encrypted in 4 KiB blocks, matching the
[default](https://sqlite.org/pgszchng2016.html) SQLite page size.
The VFS encrypts all files _except_
@@ -53,6 +53,10 @@ and want to protect against forgery, you should sign your backups,
and verify signatures before restoring them.
This is slightly weaker than other forms of SQLite encryption
that include block-level [MACs](https://en.wikipedia.org/wiki/Message_authentication_code).
Block-level MACs can protect against forging individual blocks,
that include page-level [MACs](https://en.wikipedia.org/wiki/Message_authentication_code).
Page-level MACs can protect against forging individual pages,
but can't prevent them from being reverted to former versions of themselves.
> [!TIP]
> The [`"xts"`](../xts/README.md) package also offers encryption at rest.
> AES-XTS uses _only_ NIST and FIPS-140 approved cryptographic primitives.