aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJakob Unterwurzacher2015-10-06 20:51:35 +0200
committerJakob Unterwurzacher2015-10-06 20:51:35 +0200
commit5c6df490678e7dc1aa7a09425d2fdf14fb13f7be (patch)
treeda8605df2afc139fbdf4d82a9ebbfd61593af01d
parent39ea272e233504a710ce6885434984b2f45fb398 (diff)
Switch to AES-256
AES-256 seems to be becoming the industry standard. While AES-128 is good enough for tens of years to come, let's follow suit and be extra safe.
-rw-r--r--cryptfs/cryptfs.go6
-rw-r--r--cryptfs/openssl_aead.go6
-rw-r--r--gocryptfs_main/main.go16
3 files changed, 18 insertions, 10 deletions
diff --git a/cryptfs/cryptfs.go b/cryptfs/cryptfs.go
index 214ea10..d7d1516 100644
--- a/cryptfs/cryptfs.go
+++ b/cryptfs/cryptfs.go
@@ -10,7 +10,7 @@ import (
const (
DEFAULT_PLAINBS = 4096
- KEY_LEN = 16
+ KEY_LEN = 32 // AES-256
NONCE_LEN = 12
AUTH_TAG_LEN = 16
FILEID_LEN = 16
@@ -38,9 +38,7 @@ func NewCryptFS(key []byte, useOpenssl bool) *CryptFS {
var gcm cipher.AEAD
if useOpenssl {
- var k16 [16]byte
- copy(k16[:], key)
- gcm = opensslGCM{k16}
+ gcm = opensslGCM{key}
} else {
gcm, err = cipher.NewGCM(b)
if err != nil {
diff --git a/cryptfs/openssl_aead.go b/cryptfs/openssl_aead.go
index f73924d..9baa6d5 100644
--- a/cryptfs/openssl_aead.go
+++ b/cryptfs/openssl_aead.go
@@ -8,7 +8,7 @@ import (
)
type opensslGCM struct {
- key [16]byte
+ key []byte
}
func (be opensslGCM) Overhead() int {
@@ -27,7 +27,7 @@ func (be opensslGCM) Seal(dst, nonce, plaintext, data []byte) []byte {
cipherBuf := bytes.NewBuffer(dst)
- ectx, err := openssl.NewGCMEncryptionCipherCtx(128, nil, be.key[:], nonce[:])
+ ectx, err := openssl.NewGCMEncryptionCipherCtx(KEY_LEN*8, nil, be.key, nonce)
if err != nil {
panic(err)
}
@@ -72,7 +72,7 @@ func (be opensslGCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
ciphertext = ciphertext[0 : l-AUTH_TAG_LEN]
plainBuf := bytes.NewBuffer(dst)
- dctx, err := openssl.NewGCMDecryptionCipherCtx(128, nil, be.key[:], nonce[:])
+ dctx, err := openssl.NewGCMDecryptionCipherCtx(KEY_LEN*8, nil, be.key, nonce)
if err != nil {
return nil, err
}
diff --git a/gocryptfs_main/main.go b/gocryptfs_main/main.go
index 9ba2648..d6ce064 100644
--- a/gocryptfs_main/main.go
+++ b/gocryptfs_main/main.go
@@ -151,8 +151,18 @@ func main() {
// a safe place
func printMasterKey(key []byte) {
h := hex.EncodeToString(key)
- // Make it less scary by splitting it up in chunks
- h = h[0:8] + "-" + h[8:16] + "-" + h[16:24] + "-" + h[24:32]
+ var hChunked string
+
+ // Try to make it less scary by splitting it up in chunks
+ for i := 0; i < len(h); i+=8 {
+ hChunked += h[i:i+8]
+ if i < 52 {
+ hChunked += "-"
+ }
+ if i == 24 {
+ hChunked += "\n "
+ }
+ }
fmt.Printf(`
ATTENTION:
@@ -163,7 +173,7 @@ If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer.
-`, h)
+`, hChunked)
}
func readPasswordTwice() string {