Encryption Technical Details
The implementation uses 128-bit AES-CBC, with RSA-encrypted symmetric session keys. The RSA key is user-supplied. If you are running OpenSSL 0.9.8 or later, the signed file hash uses SHA-256 – otherwise, SHA-1 is used.
End-user configuration settings for the algorithms are not currently exposed – only the algorithms listed above are used. However, the data written to Volume supports arbitrary symmetric, asymmetric, and digest algorithms for future extensibility, and the back-end implementation currently supports:
Symmetric Encryption:
  128, 192, and 256-bit AES-CBC
  Blowfish-CBC
Asymmetric Encryption (used to encrypt symmetric session keys):
  RSA
Digest Algorithms:
  MD5
  SHA-1
  SHA-256
  SHA-512
The various algorithms are exposed via an entirely re-usable, OpenSSL-agnostic API (i.e., it is possible to drop in a new encryption backend). The Volume format is DER-encoded ASN.1, modeled after the Cryptographic Message Syntax from RFC 3852. Unfortunately, using CMS directly was not possible, as at the time of coding a free software streaming DER decoder/encoder was not available.
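What a streaming DER reader has to do, shown as an added example (not Bacula's code): it reads tag and length headers from a stream and descends into constructed elements without buffering them, rejecting indefinite lengths, non-minimal lengths and children that overrun their parent. The sample record layout is constructed for illustration and is not the Volume format's actual schema; all function names are hypothetical.

```python
import io

def read_header(stream):
    """Read one DER tag/length header; return (tag, length, header_size) or None at EOF."""
    first = stream.read(1)
    if not first:
        return None
    if first[0] & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled in this example")
    lb = stream.read(1)
    if not lb or lb[0] == 0x80:           # 0x80 means indefinite length, which DER forbids
        raise ValueError("truncated header or indefinite length")
    if lb[0] < 0x80:                      # short form: the octet is the length
        return first[0], lb[0], 2
    n = lb[0] & 0x7F                      # long form: n length octets follow
    raw = stream.read(n)
    length = int.from_bytes(raw, "big")
    if len(raw) != n or raw[0] == 0 or length < 0x80:
        raise ValueError("truncated or non-minimal length")
    return first[0], length, 2 + n

def walk(stream, remaining=None, depth=0):
    """Yield (depth, tag, length, content); constructed elements yield content=None."""
    while remaining is None or remaining > 0:
        hdr = read_header(stream)
        if hdr is None:
            if remaining is None:
                return                    # clean end of the top-level stream
            raise ValueError("stream ended inside a constructed element")
        tag, length, size = hdr
        if remaining is not None:
            remaining -= size + length
            if remaining < 0:
                raise ValueError("element overruns its parent")
        if tag & 0x20:                    # constructed: descend without buffering the body
            yield depth, tag, length, None
            yield from walk(stream, length, depth + 1)
        else:
            content = stream.read(length)
            if len(content) != length:
                raise ValueError("truncated value")
            yield depth, tag, length, content

# Constructed sample, not Bacula's schema: SEQUENCE { OID aes128-CBC, 16-byte IV, 256-byte wrapped key }
_body = bytes.fromhex("0609608648016503040102") + b"\x04\x10" + bytes(16) + b"\x04\x82\x01\x00" + bytes(256)
SAMPLE = b"\x30\x82" + len(_body).to_bytes(2, "big") + _body

def summarize(data):
    """Return (depth, tag, length) rows for a DER byte string."""
    return [(d, t, n) for d, t, n, _ in walk(io.BytesIO(data))]
```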