README
¶
keyshare
The keyshare library and its associated sharegen tool provide a way to encrypt a file; it produces multiple shares of the key used to encrypt the file, and it requires a threshold number of shares to perform decryption. Keyshare supports two different schemes: XOR-based (n, n) secret sharing, and Shamir (t, n) threshold secret sharing.
The sharegen tool can be used to encrypt a plaintext file p to a ciphertext
file c and a set of share files s0, s1, s2, and s3 as follows.
sharegen -encrypt -plaintext=p -ciphertext=c -share=s -count=4
If the threshold is 0, then sharegen uses XOR secret sharing, and all shares are
required for reassembly and decryption. Otherwise, there must be at least the
threshold number of share files available. The default value of -threshold is
0, so the default sharing scheme is XOR.
The decryption parameters are almost the same. For example, to produce a file
p2 from the ciphertext c and the shares s0, s1, s2, and s3:
sharegen -decrypt -plaintext=p2 -ciphertext=c -share=s -count=4
To produce QR-code PNG files for the ciphertext and the shares instead of
base64-encoded files, use the parameter -qr. Note that you must use an
external QR decoding tool to extract the base64-encoded ciphertext and shares to
decrypt the data. The main advantages of the QR code is that it adds
Reed-Solomon error-correcting codes and it is easier to extract than digital
data from printed files.
See sharegen -help for more details.
Documentation
¶
Overview ¶
Package keyshare provides functions that encrypt and decrypt data and split keys.
Index ¶
- Constants
- func DecryptFile(plaintextFile, ciphertextFile, shareFilePrefix string, shareCount int, ...) error
- func EncodeToBase64(ciphertextFile, shareFilePrefix string, ciphertext []byte, shares [][]byte) error
- func EncodeToQR(ciphertextFile, shareFilePrefix string, ciphertext []byte, shares [][]byte) error
- func EncryptAndShare(sharer ByteSharer, plaintext []byte) ([]byte, [][]byte, error)
- func EncryptFile(plaintextFile string, sharer ByteSharer) ([]byte, [][]byte, error)
- func ReassembleAndDecrypt(sharer ByteSharer, authenticatedCiphertext []byte, shares [][]byte) ([]byte, error)
- type AuthCiphertext
- type ByteSharer
- type Ciphertext
Constants ¶
const ( XOR byte = iota Threshold )
These constants represent the supported types of secret sharing.
Variables ¶
This section is empty.
Functions ¶
func DecryptFile ¶
func DecryptFile(plaintextFile, ciphertextFile, shareFilePrefix string, shareCount int, sharer ByteSharer) error
DecryptFile takes in the name of a output file, a file to decrypt, and a share-file prefix. It decrypts the encrypted file into the output file or reports an error. The shares must be named starting with the shareFilePrefix and numbered from 0. For example, if the prefix is "s" and the shareCount is 4, then the files must be s0, s1, s2, and s3.
func EncodeToBase64 ¶
func EncodeToBase64(ciphertextFile, shareFilePrefix string, ciphertext []byte, shares [][]byte) error
EncodeToBase64 creates a base64 representation of the ciphertext and shares and writes them to files. The share files are of the form shareFilePrefix[0-9]+.
func EncodeToQR ¶
EncodeToQR creates a QR-code representation of the ciphertext and shares and writes them to PNG files. The share files are of the form shareFilePrefix[0-9]+.png. The files must be decoded by an external QR decoder before being passed to DecryptFile. Encoding to QR codes is used here to add a Reed-Solomon error-correcting code and to make it easier to get a printed version of the code back into digital form.
func EncryptAndShare ¶
func EncryptAndShare(sharer ByteSharer, plaintext []byte) ([]byte, [][]byte, error)
EncryptAndShare generates a fresh key, uses it to encrypt the plaintext, shares the key, zeroes it, and returns the ciphertext and the key shares to be distributed.
func EncryptFile ¶
func EncryptFile(plaintextFile string, sharer ByteSharer) ([]byte, [][]byte, error)
EncryptFile takes in the name of a file to encrypt, an output file for the ciphertext, a share file prefix for the shares, and the number of shares to create and creates a file encrypted with a fresh key. This key is then shared into shareCount pieces.
func ReassembleAndDecrypt ¶
func ReassembleAndDecrypt(sharer ByteSharer, authenticatedCiphertext []byte, shares [][]byte) ([]byte, error)
ReassembleAndDecrypt reassembles a key from a set of shares and uses this key to authenticate and decrypt a ciphertext.
Types ¶
type AuthCiphertext ¶
type AuthCiphertext struct {
// gob-encoded Ciphertext that is hmac'd in the hmac field.
Ciphertext []byte
Hmac []byte
}
An AuthCiphertext combines a ciphertext with an integrity check in the form of an HMAC computed over the gob-encoded Ciphertext.
type ByteSharer ¶
type ByteSharer interface {
}
A ByteSharer shares and reassembles a byte stream.
func NewThresholdSharer ¶
func NewThresholdSharer(t, n int) (ByteSharer, error)
NewThresholdSharer produces a ByteSharer that performs Shamir's threshold secret-sharing scheme.
func NewXORSharer ¶
func NewXORSharer(n int) (ByteSharer, error)
NewXORSharer creates an (n, n) secret sharer.
type Ciphertext ¶
A Ciphertext is an IV combined with a value encrypted using this ciphertext.
Source Files
Directories