Encrypt secret with recovery code (!80) · Merge requests · leap / soledad

The source project of this merge request has been removed.

Anike requested to merge (removed):save-recovery-code into master Apr 10, 2017

As part of the account recovery feature, we are adding the functionality to encrypt the secret with the recovery code.

What changed:

Id of file now only uses the uuid, no longer the passphrase. This means we look first for the doc_id with uuid. If we don't find it, we look for it with passphrase. Then, we re-save it with uuid, deleting the doc with passphrase.
We added an entry to the secrets json with the following structure:

{
  "length": <LENGTH>,
  "version": 2,
  "kdf": "scrypt",
  "secrets": <SECRETS_ENCRYPTED_WITH_PASSPHRASE>,
  "kdf_length": <KDF_LENGTH_FOR_PASSPHRASE>,
  "kdf_salt": <KDF_SALT_FOR_PASSPHRASE>,
  "iv": <IV_FOR_PASSPHRASE>,
  "cipher": 2, 
  "recovery": {
    "secrets": <SECRETS_ENCRYPTED_WITH_PASSPHRASE>,
    "kdf_length": <KDF_LENGTH_FOR_RECOVERY_CODE>,
    "kdf_salt": <KDF_SALT_FOR_RECOVERY_CODE>,
    "iv": <IV_FOR_RECOVERY_CODE>
  }
}

We ensure the recovery secret is not lost when resaving
We ensure we load the remote doc before storing new secrets, in case the local is outdated

with @thaissiqueira

Encrypt secret with recovery code

Merge request reports