265dd0582a
We currently derive the dkey from the source key at every open or close (decrypt or encrypt) operation. However, we want to keep the time that the internal data is exposed (decrypted) as short as possible. While the vault is open, there's no problem keeping a copy of the dkey around (because the data is decrypted anyways, therefore it isn't important). So we change things around and, at the expense of doubling the time that decryption takes, we make encryption extremely fast. We do this by computing the next (rekeyed) key at the start of the decryption routine (but before the data has been decrypted) and keep the dkey stored in the vault structure for direct access on the next encryption run.
/*
luksrku - Tool to remotely unlock LUKS disks using TLS.
Copyright (C) 2016-2019 Johannes Bauer

This file is part of luksrku.

luksrku is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; this program is ONLY licensed under
version 3 of the License, later versions are explicitly excluded.

luksrku is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with luksrku; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Johannes Bauer <JohannesBauer@gmx.de>
*/
#ifndef __VAULT_H__
#define __VAULT_H__
#include <stdbool.h>
#include <stdint.h>
#include <pthread.h>
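/*
 * In-memory vault: a payload buffer that is kept encrypted except between an
 * open (decrypt) and the matching close (encrypt) operation.
 *
 * The stray table-separator lines that the page rendering interleaved with
 * the members have been dropped so that the definition is valid C again;
 * member names, types and order are unchanged.
 */
struct vault_t {
	/* NOTE(review): presumably serializes access to the members below -- confirm in vault.c. */
	pthread_mutex_t mutex;

	/* NOTE(review): presumably the number of outstanding opens, so that only
	 * the first open decrypts and the last close re-encrypts -- confirm. */
	unsigned int reference_count;

	/* Protected payload and its size. This is the data that is exposed
	 * (decrypted) while the vault is open. */
	void *data;
	unsigned int data_length;

	/* Source key material from which dkey is derived, and its size. */
	uint8_t *source_key;
	unsigned int source_key_length;

	/* 16-byte authentication tag.
	 * NOTE(review): presumably produced when the payload is encrypted and
	 * verified when it is decrypted -- confirm which cipher mode is used. */
	uint8_t auth_tag[16];

	/* 32-byte key derived from source_key. Per the change description this is
	 * the next (rekeyed) key, computed at the start of decryption and kept
	 * here so the following encryption needs no key derivation.
	 * NOTE(review): it therefore sits next to the plaintext while the vault is
	 * open; confirm it is wiped as soon as the payload has been re-encrypted,
	 * otherwise key and ciphertext share the same structure while closed. */
	uint8_t dkey[32];

	/* 64-bit initialization vector.
	 * NOTE(review): confirm it is never reused with the same dkey. */
	uint64_t iv;

	/* NOTE(review): presumably the key-derivation iteration count calibrated
	 * from the target derivation time passed to vault_init() -- confirm. */
	unsigned int iteration_cnt;
};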
/* Default source key length in bytes: 1024 * 1024 = 1 MiB.
 * NOTE(review): presumably the size vault_init() uses for source_key -- confirm in vault.c. */
#define DEFAULT_SOURCE_KEY_LENGTH_BYTES (1024 * 1024)
/*************** AUTO GENERATED SECTION FOLLOWS ***************/
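/*
 * Vault lifecycle API. These prototypes sit inside the auto-generated section
 * of this header, so comments placed here may be lost when it is regenerated.
 * The stray table-separator lines from the page rendering have been dropped;
 * the signatures themselves are unchanged.
 */

/* Create a vault for a payload of data_length bytes.
 * NOTE(review): target_derivation_time presumably sets how long one key
 * derivation should take (unit not visible here), and failure is presumably
 * reported as NULL -- confirm both in vault.c. */
struct vault_t* vault_init(unsigned int data_length, double target_derivation_time);

/* Open the vault, i.e. decrypt the payload. The bool result must be checked
 * before the payload is read.
 * NOTE(review): presumably true means success -- confirm. */
bool vault_open(struct vault_t *vault);

/* Close the vault, i.e. encrypt the payload again. The bool result must be
 * checked: if closing fails the payload may still be exposed.
 * NOTE(review): presumably true means success -- confirm. */
bool vault_close(struct vault_t *vault);

/* Release the vault.
 * NOTE(review): confirm that data, source_key and dkey are wiped with a call
 * the compiler cannot optimize away before the memory is released. */
void vault_free(struct vault_t *vault);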
/*************** AUTO GENERATED SECTION ENDS ***************/
#endif