
Add an AES256 storage format for at-rest encryption

Authored by epriestley on Jun 15 2016, 6:28 PM.



Ref T11140. This doesn't do anything yet since there's no way to enable it and no way to store master keys.

Those are slightly tougher problems and I'm not totally satisfied that I have an approach I really like for either problem, so I may wait for a bit before tackling them. Once they're solved, this does the mechanical encrypt/decrypt stuff, though.

This design is substantially similar to the AWS S3 server-side encryption design, and intended as an analog for it. The decisions AWS has made in design generally seem reasonable to me.

Each block of file data is encrypted with a unique key and a unique IV, and then that key and IV are encrypted with the master key (and a distinct, unique IV). This is better than just encrypting with the master key directly because:

  • You can rotate the master key later and only need to re-encrypt a small amount of key data (about 48 bytes per file chunk), instead of re-encrypting all of the actual file data (up to 4MB per file chunk).
  • Instead of putting the master key on every server, you can put it on some dedicated keyserver which accepts encrypted keys, decrypts them, and returns plaintext keys, and can send it 32-byte keys for decryption instead of 4MB blocks of file data.
  • You have to compromise the master key, the database, AND the file store to get the file data. This is probably not much of a barrier realistically, but it does make attacks very slightly harder.

The "KeyRing" thing may change once I figure out how I want users to store master keys, but it was the simplest approach to get the unit tests working.

Test Plan
  • Ran unit tests.
  • Dumped raw data, saw encrypted blob.
  • No way to actually use this in the real application yet so it can't be tested too extensively.
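
The envelope scheme described in the summary, as an added PHP example that is not part of this revision or of Phabricator's code. It assumes AES-256-CBC through ext-openssl (the summary names only AES256), and every function name here is hypothetical.

```php
<?php
// Added illustration; not Phabricator's implementation.
// Assumption: CBC mode. CBC gives no integrity protection on its own.
const CIPHER = 'aes-256-cbc';

function aes(string $op, string $data, string $key, string $iv): string {
  $fn = ($op === 'encrypt') ? 'openssl_encrypt' : 'openssl_decrypt';
  $out = $fn($data, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
  if ($out === false) {
    throw new RuntimeException("AES {$op} failed");
  }
  return $out;
}

// Encrypt one chunk with a fresh key and IV, then wrap both under the master key.
function seal_chunk(string $chunk, string $master_key): array {
  $key = random_bytes(32);
  $iv = random_bytes(16);
  $master_iv = random_bytes(16); // distinct IV for the wrapping step
  return [
    'data' => aes('encrypt', $chunk, $key, $iv),
    // 48 bytes of key material (32-byte key + 16-byte IV), kept apart from the data.
    'wrapped' => aes('encrypt', $key.$iv, $master_key, $master_iv),
    'master_iv' => $master_iv,
  ];
}

function open_chunk(array $sealed, string $master_key): string {
  $kiv = aes('decrypt', $sealed['wrapped'], $master_key, $sealed['master_iv']);
  return aes('decrypt', $sealed['data'], substr($kiv, 0, 32), substr($kiv, 32, 16));
}

// Rotation re-encrypts only the wrapped key material, never the chunk ciphertext.
function rotate_master(array $sealed, string $old, string $new): array {
  $kiv = aes('decrypt', $sealed['wrapped'], $old, $sealed['master_iv']);
  $sealed['master_iv'] = random_bytes(16);
  $sealed['wrapped'] = aes('encrypt', $kiv, $new, $sealed['master_iv']);
  return $sealed;
}

// Constructed sample data: rotate the master key and confirm the chunk still opens.
$plain = 'constructed sample chunk';
$old = random_bytes(32);
$new = random_bytes(32);
$sealed = seal_chunk($plain, $old);
$rotated = rotate_master($sealed, $old, $new);
if (open_chunk($rotated, $new) !== $plain || $rotated['data'] !== $sealed['data']) {
  throw new RuntimeException('rotation changed the chunk');
}
echo 'chunk ciphertext untouched; re-wrapped ', strlen($rotated['wrapped']), " bytes\n";
```

With PKCS#7 padding the 48 bytes of key material wrap to a 64-byte blob, which is still tiny next to a chunk of up to 4MB.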

Diff Detail

rP Phabricator
Lint Not Applicable
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Add an AES256 storage format for at-rest encryption.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. (Jun 15 2016, 7:05 PM)
This revision was automatically updated to reflect the committed changes.