Implement EncryptedBackend for redb #589

@praveenperera

XChaCha20-Poly1305 block-level AEAD implementation of redb's StorageBackend trait.

  • Implement EncryptedBackend struct wrapping a File, XChaCha20Poly1305 cipher, and logical length
  • 64-byte file header: magic (COVE), version, salt, logical length, reserved
  • Each 4096-byte logical block stored as 4136 bytes on disk: 24-byte random nonce + 4096-byte ciphertext + 16-byte Poly1305 tag
  • Block index included as AAD to prevent block swap attacks
  • Implement all StorageBackend trait methods: len(), read(), write(), set_len(), sync_data()
  • Partial writes trigger read-decrypt-modify-encrypt-write cycle
  • Sparse block handling: all-zero disk blocks return plaintext zeros on read
  • Public API: create(path, key, salt), open(path, key), read_salt(path), is_encrypted(path)

Files: rust/src/database/encrypted_backend.rs (new), rust/src/database.rs (add pub mod)
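
The block layout listed in the issue, worked through as offset arithmetic. This is an added example, not code from the issue or the project: the sizes come from the issue text, while every type and function name and the little-endian AAD encoding are assumptions.

```rust
// Sizes are taken from the issue text; all names here are hypothetical.
const HEADER_LEN: u64 = 64;
const BLOCK_LEN: u64 = 4096; // logical plaintext block
const DISK_BLOCK_LEN: u64 = 24 + BLOCK_LEN + 16; // nonce + ciphertext + tag = 4136

/// One logical block touched by a read or write.
#[derive(Debug, PartialEq)]
struct BlockSpan {
    index: u64,       // block index, also bound into the AAD
    disk_offset: u64, // where this block's nonce starts in the file
    start: usize,     // first plaintext byte touched inside the block
    end: usize,       // one past the last plaintext byte touched
}

impl BlockSpan {
    /// A partial span on write needs read-decrypt-modify-encrypt-write.
    fn is_partial(&self) -> bool {
        self.start != 0 || self.end != BLOCK_LEN as usize
    }
}

/// Split a logical (offset, len) range into per-block spans.
fn block_spans(offset: u64, len: u64) -> Vec<BlockSpan> {
    let (mut pos, end, mut spans) = (offset, offset + len, Vec::new());
    while pos < end {
        let index = pos / BLOCK_LEN;
        let base = index * BLOCK_LEN;
        let stop = end.min(base + BLOCK_LEN);
        spans.push(BlockSpan {
            index,
            disk_offset: HEADER_LEN + index * DISK_BLOCK_LEN,
            start: (pos - base) as usize,
            end: (stop - base) as usize,
        });
        pos = stop;
    }
    spans
}

/// AAD binding a ciphertext to its position. Assumption: 8 little-endian bytes.
fn block_aad(index: u64) -> [u8; 8] { index.to_le_bytes() }

fn main() {
    // Constructed input: a 5000-byte write at logical offset 4000.
    for s in block_spans(4000, 5000) {
        println!("{:?} partial={} aad={:?}", s, s.is_partial(), block_aad(s.index));
    }
}
```

Because the AAD differs per index, a ciphertext block copied to another block's disk offset fails tag verification when decrypted there.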

Labels: cspp:phase:2 (CSPP Phase 2: Master Key Infrastructure & Local Encryption)
