Recovery phrase / Alternate password #249
Comments
Hey! I'm interested in working on this issue. I'm looking into it.
@Hrushi20 great, thank you. You can start with https://github.com/radumarias/rencfs/blob/main/CONTRIBUTING.md
Hey! Had a few queries.
Related to #249 https://github.com/radumarias/rencfs/issues/249 --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/radumarias/rencfs/issues/249?shareId=XXXX-XXXX-XXXX-XXXX).
Played a bit with Copilot Workspaces and generated this PR https://github.com/radumarias/rencfs/pull/260 Of course it is far from complete, but see if it helps as an inspiration.
Hey! I went through the code and have a few doubts. On a high level, can you explain the master encryption key? Are we encrypting the files with the master encryption key? If the files were encrypted using a key generated from the old password, how would a new password help in decrypting the old encrypted files? I know the question is diverting from the issue but I want to understand the internals a bit better.
When you change or forget the password, you will decrypt the master key (DEK = Data Encryption Key) with a key derived from the old pass or recovery phrase (KEK = Key Encryption Key). You then derive a new KEK and re-encrypt the DEK with that KEK.
Hey, if algorithms generate a key of less than 32 bits, do we want to pad the key to make it 32 bits to match the 24-word requirement? Sidenote:
@radumarias, the bip39 library needs a 128-256 bit input to generate recovery_phrase.
input as entropy? or for what?
So I am using the password directly to create the recovery_phrase. Users don't use such huge passwords. Flow: user enters password, which is converted to Recovery Phrase. When user tries to use Recovery Phrase to create new Password
TBD
We need a way to recover the encryption key if the user loses the password. We use a recovery phrase generated when you define the password. In case the user forgets the password, he can use this to change it. Generally, a 24-word mnemonic phrase with a strong passphrase provides 256 bits of entropy, making it extremely resistant to brute-force attacks.
Generate
`--out-file`, we will save it there

Impl

Use
`--recovery-phrase`, which indicates we read the recovery phrase from the keyboard (like we now read the password). If this is present, we will not read the password at all

Regenerate
`passwd` sub-command like `--refresh-recovery-phrase` asking for both the password and old recovery phrase
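
The DEK/KEK scheme described in the thread, with one wrapped copy of the DEK per secret (password and recovery phrase), as an added example that is not rencfs code. PBKDF2 and the HMAC-based wrap are standard-library stand-ins for a real KDF and AEAD, and the slot layout and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def derive_kek(secret: str, salt: bytes) -> bytes:
    # PBKDF2 and the iteration count are assumptions; prefer a memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=32)

def subkeys(kek: bytes, nonce: bytes):
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac" + nonce, hashlib.sha256).digest()
    return pad, mac_key

def wrap(kek: bytes, dek: bytes) -> bytes:
    # Standard-library stand-in for an AEAD key wrap: XOR with a one-time
    # HMAC-derived pad, then HMAC over nonce + ciphertext (encrypt-then-MAC).
    assert len(dek) == 32
    nonce = secrets.token_bytes(16)
    pad, mac_key = subkeys(kek, nonce)
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = subkeys(kek, nonce)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong secret or corrupted slot")
    return bytes(a ^ b for a, b in zip(ct, pad))

def new_slot(secret: str, dek: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "blob": wrap(derive_kek(secret, salt), dek)}

def open_slot(secret: str, slot: dict) -> bytes:
    return unwrap(derive_kek(secret, slot["salt"]), slot["blob"])

def can_open(secret: str, slot: dict) -> bool:
    try:
        open_slot(secret, slot)
        return True
    except ValueError:
        return False

def create_vault(password: str, recovery_phrase: str):
    dek = secrets.token_bytes(32)  # file data is encrypted with this key only
    return dek, {"password": new_slot(password, dek), "recovery": new_slot(recovery_phrase, dek)}

def reset_password(slots: dict, recovery_phrase: str, new_password: str) -> None:
    dek = open_slot(recovery_phrase, slots["recovery"])  # raises on a wrong phrase
    slots["password"] = new_slot(new_password, dek)      # DEK and file data unchanged
```

Because only the wrapped copy of the DEK changes, a password reset never touches the encrypted files, and the old password stops working as soon as its slot is replaced.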