1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
/*
* metadata.proto - File which contains all of the metadata structures which we
* write to metadata files. Must be compiled with protoc to use the library.
* Compilation can be invoked with go generate.
*
* Copyright 2017 Google Inc.
* Author: Joe Richey (joerichey@google.com)
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
// If the *.proto file is modified, be sure to run "make gen" (at the project
// root) to recreate the *.pb.go file.
syntax = "proto3";
package metadata;
option go_package = "github.com/google/fscrypt/metadata";
// Cost parameters to be used in our hashing functions.
message HashingCosts {
int64 time = 2;
int64 memory = 3;
int64 parallelism = 4;
// If true, parallelism should no longer be truncated to 8 bits.
bool truncation_fixed = 5;
}
// This structure is used for our authenticated wrapping/unwrapping of keys.
message WrappedKeyData {
bytes IV = 1;
bytes encrypted_key = 2;
bytes hmac = 3;
}
// Specifies the method in which an outside secret is obtained for a Protector
enum SourceType {
default = 0;
pam_passphrase = 1;
custom_passphrase = 2;
raw_key = 3;
}
// The associated data for each protector
message ProtectorData {
string protector_descriptor = 1;
SourceType source = 2;
// These are only used by some of the protector types
string name = 3;
HashingCosts costs = 4;
bytes salt = 5;
int64 uid = 6;
WrappedKeyData wrapped_key = 7;
}
// Encryption policy specifics, corresponds to the fscrypt_policy struct
message EncryptionOptions {
int64 padding = 1;
// Type of encryption; should match declarations of unix.FSCRYPT_MODE
enum Mode {
default = 0;
AES_256_XTS = 1;
AES_256_GCM = 2;
AES_256_CBC = 3;
AES_256_CTS = 4;
AES_128_CBC = 5;
AES_128_CTS = 6;
Adiantum = 9;
AES_256_HCTR2 = 10;
}
Mode contents = 2;
Mode filenames = 3;
int64 policy_version = 4;
}
message WrappedPolicyKey {
string protector_descriptor = 1;
WrappedKeyData wrapped_key = 2;
}
// The associated data for each policy
message PolicyData {
string key_descriptor = 1;
EncryptionOptions options = 2;
repeated WrappedPolicyKey wrapped_policy_keys = 3;
}
// Data stored in the config file
message Config {
SourceType source = 1;
HashingCosts hash_costs = 2;
EncryptionOptions options = 4;
bool use_fs_keyring_for_v1_policies = 5;
bool allow_cross_user_metadata = 6;
// reserve the removed field 'string compatibility = 3;'
reserved 3;
reserved "compatibility";
}
|
