Crate zoe_encrypted_storage

Crate zoe_encrypted_storage 

Source
Expand description

§Convergent Encryption with Brotli Compression

This crate provides convergent encryption for self-encrypting files for untrusted storage. It uses Blake3 for key derivation, AES-256-GCM for encryption, and optional Brotli compression.

§Key Features

  • Convergent Encryption: Same content always produces the same ciphertext
  • Content-Based Key Derivation: Encryption key is derived from file content using Blake3
  • Optional Compression: Brotli compression reduces storage requirements
  • Deterministic: Perfect for deduplication and integrity verification
  • No Key Management: No need to store or manage encryption keys separately

§How It Works

  1. Compression (optional): Content is compressed with Brotli if it reduces size
  2. Key Derivation: File content is hashed with Blake3 to create a 32-byte encryption key
  3. Encryption: AES-256-GCM encrypts the data using the derived key as both key and nonce
  4. Metadata: Compression status, original size, and encryption key are tracked for decryption

§Usage Example

use zoe_encrypted_storage::{ConvergentEncryption, CompressionConfig};

// Basic encryption with default settings
let content = b"Hello, world!";
let (encrypted, info) = ConvergentEncryption::encrypt(content).unwrap();
let decrypted = ConvergentEncryption::decrypt(&encrypted, &info).unwrap();
assert_eq!(content, decrypted.as_slice());

// Custom compression settings
let config = CompressionConfig {
    enabled: true,
    quality: 8,      // Higher compression (0-11)
    min_size: 128,   // Only compress files > 128 bytes
};
let (encrypted, info) = ConvergentEncryption::encrypt_with_compression_config(content, config).unwrap();

§Security Considerations

  • Convergent encryption reveals when identical files are stored
  • The encryption key is derived from content, so knowledge of content allows decryption
  • AES-256-GCM provides authenticated encryption
  • Blake3 provides cryptographically secure hashing

This approach is ideal for:

  • File deduplication systems
  • Content-addressable storage
  • Integrity verification
  • Untrusted storage where you control the content

Structs§

CompressionConfig
Configuration for Brotli compression settings
ConvergentEncryption
Convergent encryption using AES-256-GCM with Blake3 key derivation and Brotli compression
ConvergentEncryptionInfo
Metadata about the encryption operation

Enums§

ConvergentEncryptionError
Error types for convergent encryption operations

Type Aliases§

ConvergentEncryptionKey
Encryption key derived from source content for convergent encryption