borg/docs/internals.rst

.. include:: global.rst.inc
.. _internals:

Internals
=========


Key files
---------

When initialized with the ``init -e keyfile`` command, |project_name|
needs an associated file in ``$HOME/.attic/keys`` to read and write
the repository. As with most crypto code in |project_name|, the format
of those files is defined in `attic/key.py`_.  The format is based on
msgpack_, base64 encoding and PBKDF2_ SHA256 encryption, which is
then encoded again in a msgpack_.

The internal data structure is as follows:

version
  currently always an integer, 1

repository_id
  the ``id`` field in the ``config`` ``INI`` file of the repository.

enc_key
  the key used to encrypt data with AES (256 bits)
  
enc_hmac_key
  the key used to HMAC the resulting AES-encrypted data (256 bits)

id_key
  the key used to HMAC the above chunks, the resulting hash is
  stored out of band (256 bits)

chunk_seed
  the seed for the buzhash chunking table (signed 32 bit integer)

Those fields are encoded using msgpack_. The utf-8-encoded phassphrase
is encrypted with a PBKDF2_ and SHA256_ using 100000 iterations and a
random 256 bits salt to give us a derived key. The derived key is 256
bits long.  A HMAC_ SHA256_ checksum of the above fields is generated
with the derived key, then the derived key is also used to encrypt the
above pack of fields. Then the result is stored in a another msgpack_
formatted as follows:

version
  currently always an integer, 1

salt
  random 256 bits salt used to encrypt the passphrase

iterations
  number of iterations used to encrypt the passphrase (currently 100000)

algorithm
  the hashing algorithm used to encrypt the passphrase and do the HMAC
  checksum (currently the string ``sha256``)

hash
  the HMAC checksum of the encrypted derived key

data
  the derived key, encrypted with AES over a PBKDF2_ SHA256 hash
  described above

The resulting msgpack_ is then encoded using base64 and written to the
key file, wrapped using the textwrap_ module with a header. The header
is a single line with the string ``ATTIC_KEY``, a space and a
hexadecimal representation of the repository id.
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00			`.. include:: global.rst.inc`
			`.. _internals:`

			`Internals`
			`=========`


			`Key files`
			`---------`

			When initialized with the ``init -e keyfile`` command, \|project_name\|
			needs an associated file in ``$HOME/.attic/keys`` to read and write
			`the repository. As with most crypto code in \|project_name\|, the format`
			of those files is defined in `attic/key.py`_. The format is based on
			`msgpack_, base64 encoding and PBKDF2_ SHA256 encryption, which is`
			`then encoded again in a msgpack_.`

			`The internal data structure is as follows:`

			`version`
			`currently always an integer, 1`

			`repository_id`
			the ``id`` field in the ``config`` ``INI`` file of the repository.

			`enc_key`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`the key used to encrypt data with AES (256 bits)`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00
			`enc_hmac_key`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`the key used to HMAC the resulting AES-encrypted data (256 bits)`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00
			`id_key`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`the key used to HMAC the above chunks, the resulting hash is`
			`stored out of band (256 bits)`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00
			`chunk_seed`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`the seed for the buzhash chunking table (signed 32 bit integer)`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00
			`Those fields are encoded using msgpack_. The utf-8-encoded phassphrase`
			`is encrypted with a PBKDF2_ and SHA256_ using 100000 iterations and a`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`random 256 bits salt to give us a derived key. The derived key is 256`
			`bits long. A HMAC_ SHA256_ checksum of the above fields is generated`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00			`with the derived key, then the derived key is also used to encrypt the`
			`above pack of fields. Then the result is stored in a another msgpack_`
			`formatted as follows:`

			`version`
			`currently always an integer, 1`

			`salt`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`random 256 bits salt used to encrypt the passphrase`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00
			`iterations`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`number of iterations used to encrypt the passphrase (currently 100000)`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00
			`algorithm`
			`the hashing algorithm used to encrypt the passphrase and do the HMAC`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			checksum (currently the string ``sha256``)
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00
			`hash`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`the HMAC checksum of the encrypted derived key`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00
			`data`
clarify some bits I missed 2014-12-16 15:03:20 +00:00			`the derived key, encrypted with AES over a PBKDF2_ SHA256 hash`
document key files in a new Internals page this is still incomplete as it only describes key files, but doesn't clearly say how chunks are encrypted or decrypted. this address parts of #29 but eventually that document should also cover #27, #28 and maybe #45 2014-12-16 14:10:21 +00:00			`described above`

			`The resulting msgpack_ is then encoded using base64 and written to the`
			`key file, wrapped using the textwrap_ module with a header. The header`
			is a single line with the string ``ATTIC_KEY``, a space and a
			`hexadecimal representation of the repository id.`