Encryption Technical Details

The implementation uses 128bit AES-CBC, with RSA encrypted symmetric session keys. The RSA key is user supplied. If you are running OpenSSL 0.9.8 or later, the signed file hash uses SHA-256 – otherwise, SHA-1 is used.

End-user configuration settings for the algorithms are not currently exposed – only the algorithms listed above are used. However, the data written to Volume supports arbitrary symmetric, asymmetric, and digest algorithms for future extensibility, and the back-end implementation currently supports:

  • Symmetric Encryption:

    • 128, 192, and 256-bit AES-CBC

    • Blowfish-CBC

  • Asymmetric Encryption (used to encrypt symmetric session keys):

    • RSA

  • Digest Algorithms:

    • MD5

    • SHA-1

    • SHA-256

    • SHA-512

The various algorithms are exposed via an entirely re-usable, OpenSSL-agnostic API (ie, it is possible to drop in a new encryption backend). The Volume format is DER-encoded ASN.1, modeled after the Cryptographic Message Syntax from RFC 3852. Unfortunately, using CMS directly was not possible, as at the time of coding a free software streaming DER decoder/encoder was not available.

Go back to the File Daemon Data Encryption chapter.

Go back to the main Data Encryption chapter.

Go back to the main Advanced Features Usage page.