You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This uses a password that is either loaded from file in the case of a kubernetes or docker deployment or can be setup using the cli which saves the passphrase to a file.
Previously we were loading a password and doing key derivation with a random salt during every encryption. This is not really scalable for what we are trying to do as it makes every encryption take 300ms. So the TrBFV PR temporarily used a hardcoded salt.
Also we want to store the password using Kernel Keyring so the password and derivations are not available to user space memory and we can set automatic expiration.
We need to redesign this to act more like a cache.
We should keep a hashtable memory structure in the keyring as well as the password loaded from disk and access previously used derived passwords based on the salt they were encrypted with.
This means we can make it so that the salt is randomized based on every process run and encryption and decryption is quick as keys need only be derived once and we can support cases when the salt changes. Say when accessing old disk written ciphertexts as if the derived key is not found it is derived from scratch.
graph TD
subgraph KernalSpace
k1["HashMap < salt, derived >"]
k2["password from disk"]
end
subgraph UserSpace
c[Cipher]
end
c -.-> k1
c -.-> k2
Currently the cipher is used to:
This uses a password that is either loaded from file in the case of a kubernetes or docker deployment or can be setup using the cli which saves the passphrase to a file.
Previously we were loading a password and doing key derivation with a random salt during every encryption. This is not really scalable for what we are trying to do as it makes every encryption take 300ms. So the TrBFV PR temporarily used a hardcoded salt.
Also we want to store the password using Kernel Keyring so the password and derivations are not available to user space memory and we can set automatic expiration.
We need to redesign this to act more like a cache.
We should keep a hashtable memory structure in the keyring as well as the password loaded from disk and access previously used derived passwords based on the salt they were encrypted with.
This means we can make it so that the salt is randomized based on every process run and encryption and decryption is quick as keys need only be derived once and we can support cases when the salt changes. Say when accessing old disk written ciphertexts as if the derived key is not found it is derived from scratch.
graph TD subgraph KernalSpace k1["HashMap < salt, derived >"] k2["password from disk"] end subgraph UserSpace c[Cipher] end c -.-> k1 c -.-> k2This includes #653