Encrypt secret with recovery code

Anike requested to merge (removed):save-recovery-code into master

As part of the account recovery feature, we are adding the functionality to encrypt the secret with the recovery code.

What changed:

  • The id of the file now uses only the uuid, no longer the passphrase. This means we look first for the doc_id with uuid. If we don't find it, we look for it with passphrase. Then, we re-save it with uuid, deleting the doc with passphrase.
  • We added an entry to the secrets JSON with the following structure:
    {
      "length": <LENGTH>,
      "version": 2,
      "kdf": "scrypt",
      "secrets": <SECRETS_ENCRYPTED_WITH_PASSPHRASE>,
      "kdf_length": <KDF_LENGTH_FOR_PASSPHRASE>,
      "kdf_salt": <KDF_SALT_FOR_PASSPHRASE>,
      "iv": <IV_FOR_PASSPHRASE>,
      "cipher": 2,
      "recovery": {
        "secrets": <SECRETS_ENCRYPTED_WITH_PASSPHRASE>,
        "kdf_length": <KDF_LENGTH_FOR_RECOVERY_CODE>,
        "kdf_salt": <KDF_SALT_FOR_RECOVERY_CODE>,
        "iv": <IV_FOR_RECOVERY_CODE>
      }
    }
  • We ensure the recovery secret is not lost when re-saving.
  • We ensure we load the remote doc before storing new secrets, in case the local one is outdated.

with @thaissiqueira
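
The lookup, migration and re-save behaviour listed above, sketched as an added example that is not code from this merge request. The in-memory `DocStore`, the two id functions and the sample values are hypothetical; the page does not show how the project derives document ids or talks to its store.

```python
import hashlib

class DocStore:
    """Constructed in-memory stand-in for the remote document store."""
    def __init__(self):
        self.docs = {}
    def get(self, doc_id):
        return self.docs.get(doc_id)
    def put(self, doc_id, content):
        self.docs[doc_id] = dict(content)
    def delete(self, doc_id):
        self.docs.pop(doc_id, None)

def uuid_doc_id(uuid):
    # Hypothetical new scheme: the id depends on the uuid only.
    return hashlib.sha256(uuid.encode()).hexdigest()

def legacy_doc_id(uuid, passphrase):
    # Hypothetical old scheme: the id also depends on the passphrase.
    return hashlib.sha256(f"{uuid}:{passphrase}".encode()).hexdigest()

def load_secrets(store, uuid, passphrase):
    """Look up by uuid id first; migrate a passphrase-id doc if only that exists."""
    new_id = uuid_doc_id(uuid)
    doc = store.get(new_id)
    if doc is not None:
        return doc
    old_id = legacy_doc_id(uuid, passphrase)
    doc = store.get(old_id)
    if doc is None:
        return None
    store.put(new_id, doc)   # write the new copy before removing the old one
    store.delete(old_id)
    return store.get(new_id)

def save_secrets(store, uuid, passphrase, new_doc):
    """Load the remote doc first, then store new_doc without dropping 'recovery'."""
    remote = load_secrets(store, uuid, passphrase)
    merged = dict(new_doc)
    if remote and "recovery" in remote and "recovery" not in merged:
        merged["recovery"] = remote["recovery"]
    store.put(uuid_doc_id(uuid), merged)
    return merged
```

Writing the uuid-id copy before deleting the passphrase-id copy means an interrupted migration leaves the document reachable under at least one id.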
