Encryption of opening key on CLI/API usage #5

Open
marcoonroad opened this issue Dec 22, 2020 · 0 comments

The CLI executable would write & read the plain opening key on disk. This is an undesirable security issue. Therefore, I should reuse the internals regarding KDF and AEAD to store this opening key encrypted. We can use a `$NOCOINER_PASSWORD` environment variable as the end-user input password for our KDF-then-Encrypt-then-MAC for the random opening key. We can also validate this end-user password against minimal security requirements for strong passwords even with a KDF applied (the number of cycles of KDF vs. the strength/entropy of end-user password is a tradeoff to match).

It's desirable as well to expose this encryption/decryption of opening under an API interface for development & integration from developers/maintainers. This should be optional due to possible internal requirements from corporations regarding encryption/storage of keys (in this case, the opening key). The interface could be something like:

```ocaml
module OpeningEncryption : sig
  type opening = string
  val encrypt : password:string -> opening -> string
  val decrypt : password:string -> string -> opening
end
```

Issue open for more discussions.

@marcoonroad marcoonroad changed the title Encryption of opening key on CLI usage Encryption of opening key on CLI/API usage Dec 22, 2020
@marcoonroad marcoonroad self-assigned this Dec 22, 2020
@marcoonroad marcoonroad added the enhancement New feature or request label Dec 22, 2020
@marcoonroad marcoonroad added this to the 2.0.0 release milestone Dec 22, 2020
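
The KDF-then-Encrypt-then-MAC scheme proposed in the issue, as an added example in Node.js (not nocoiner's code, which is OCaml). The function names, the `OPK1` blob layout, the scrypt cost, the AES-256-CTR plus HMAC-SHA256 choice and the 12-character minimum are assumptions; the opening key is treated as UTF-8 text, and a CLI would pass the value of `$NOCOINER_PASSWORD` as `password`.

```javascript
const crypto = require('crypto');

const MAGIC = Buffer.from('OPK1'); // constructed format tag, not a nocoiner format
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 }; // assumed cost
const MIN_PASSWORD_LENGTH = 12; // assumed policy, checked even though a KDF is applied

// Derive independent encryption and MAC keys from the password and a per-blob salt.
function deriveKeys(password, salt) {
  if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) {
    throw new Error('password does not meet the minimum length');
  }
  const okm = crypto.scryptSync(password.normalize('NFKC'), salt, 64, SCRYPT);
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

function mac(macKey, ...parts) {
  const h = crypto.createHmac('sha256', macKey);
  for (const p of parts) h.update(p);
  return h.digest();
}

// Layout: MAGIC(4) | salt(16) | iv(16) | ciphertext | tag(32), base64-encoded.
function encryptOpening(password, opening) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(16);
  const { encKey, macKey } = deriveKeys(password, salt);
  const cipher = crypto.createCipheriv('aes-256-ctr', encKey, iv);
  const ct = Buffer.concat([cipher.update(opening, 'utf8'), cipher.final()]);
  const tag = mac(macKey, MAGIC, salt, iv, ct); // MAC covers header and ciphertext
  return Buffer.concat([MAGIC, salt, iv, ct, tag]).toString('base64');
}

function decryptOpening(password, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 68 || !raw.subarray(0, 4).equals(MAGIC)) {
    throw new Error('malformed encrypted opening key');
  }
  const salt = raw.subarray(4, 20), iv = raw.subarray(20, 36);
  const ct = raw.subarray(36, raw.length - 32);
  const tag = raw.subarray(raw.length - 32);
  const { encKey, macKey } = deriveKeys(password, salt);
  // Verify before decrypting; a wrong password and a tampered file fail the same way.
  if (!crypto.timingSafeEqual(tag, mac(macKey, MAGIC, salt, iv, ct))) {
    throw new Error('authentication failed');
  }
  const decipher = crypto.createDecipheriv('aes-256-ctr', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```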