diff options
author | Jakob Unterwurzacher | 2015-10-06 20:51:35 +0200 |
---|---|---|
committer | Jakob Unterwurzacher | 2015-10-06 20:51:35 +0200 |
commit | 5c6df490678e7dc1aa7a09425d2fdf14fb13f7be (patch) | |
tree | da8605df2afc139fbdf4d82a9ebbfd61593af01d | |
parent | 39ea272e233504a710ce6885434984b2f45fb398 (diff) |
Switch to AES-256
AES-256 seems to be becoming the industry standard. While AES-128 is
good enough for tens of years to come, let's follow suit and be extra
safe.
-rw-r--r-- | cryptfs/cryptfs.go | 6 | ||||
-rw-r--r-- | cryptfs/openssl_aead.go | 6 | ||||
-rw-r--r-- | gocryptfs_main/main.go | 16 |
3 files changed, 18 insertions, 10 deletions
diff --git a/cryptfs/cryptfs.go b/cryptfs/cryptfs.go index 214ea10..d7d1516 100644 --- a/cryptfs/cryptfs.go +++ b/cryptfs/cryptfs.go @@ -10,7 +10,7 @@ import ( const ( DEFAULT_PLAINBS = 4096 - KEY_LEN = 16 + KEY_LEN = 32 // AES-256 NONCE_LEN = 12 AUTH_TAG_LEN = 16 FILEID_LEN = 16 @@ -38,9 +38,7 @@ func NewCryptFS(key []byte, useOpenssl bool) *CryptFS { var gcm cipher.AEAD if useOpenssl { - var k16 [16]byte - copy(k16[:], key) - gcm = opensslGCM{k16} + gcm = opensslGCM{key} } else { gcm, err = cipher.NewGCM(b) if err != nil { diff --git a/cryptfs/openssl_aead.go b/cryptfs/openssl_aead.go index f73924d..9baa6d5 100644 --- a/cryptfs/openssl_aead.go +++ b/cryptfs/openssl_aead.go @@ -8,7 +8,7 @@ import ( ) type opensslGCM struct { - key [16]byte + key []byte } func (be opensslGCM) Overhead() int { @@ -27,7 +27,7 @@ func (be opensslGCM) Seal(dst, nonce, plaintext, data []byte) []byte { cipherBuf := bytes.NewBuffer(dst) - ectx, err := openssl.NewGCMEncryptionCipherCtx(128, nil, be.key[:], nonce[:]) + ectx, err := openssl.NewGCMEncryptionCipherCtx(KEY_LEN*8, nil, be.key, nonce) if err != nil { panic(err) } @@ -72,7 +72,7 @@ func (be opensslGCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { ciphertext = ciphertext[0 : l-AUTH_TAG_LEN] plainBuf := bytes.NewBuffer(dst) - dctx, err := openssl.NewGCMDecryptionCipherCtx(128, nil, be.key[:], nonce[:]) + dctx, err := openssl.NewGCMDecryptionCipherCtx(KEY_LEN*8, nil, be.key, nonce) if err != nil { return nil, err } diff --git a/gocryptfs_main/main.go b/gocryptfs_main/main.go index 9ba2648..d6ce064 100644 --- a/gocryptfs_main/main.go +++ b/gocryptfs_main/main.go @@ -151,8 +151,18 @@ func main() { // a safe place func printMasterKey(key []byte) { h := hex.EncodeToString(key) - // Make it less scary by splitting it up in chunks - h = h[0:8] + "-" + h[8:16] + "-" + h[16:24] + "-" + h[24:32] + var hChunked string + + // Try to make it less scary by splitting it up in chunks + for i := 0; i < len(h); i+=8 { + hChunked += h[i:i+8] + if i < 52 { + hChunked += "-" + } + if i == 24 { + hChunked += "\n " + } + } fmt.Printf(` ATTENTION: @@ -163,7 +173,7 @@ If the gocryptfs.conf file becomes corrupted or you ever forget your password, there is only one hope for recovery: The master key. Print it to a piece of paper and store it in a drawer. -`, h) +`, hChunked) } func readPasswordTwice() string { |