ente/migration-guides/encrypted_export.md
Neeraj Gupta 4a0301fe46
Build decrypt binary for all major arch (#401)
2023-12-19 09:41:29 +05:30


# Auth Encrypted Export format

## Overview

When the auth codes are exported, the data is encrypted with a key derived from the user's password. This document describes the JSON structure of the exported file, including the format version and the key-derivation parameters needed to recover the key.

## Export JSON Sample

```json
{
  "version": 1,
  "kdfParams": {
    "memLimit": 4096,
    "opsLimit": 3,
    "salt": "example_salt"
  },
  "encryptedData": "encrypted_data_here",
  "encryptionNonce": "nonce_here"
}
```

The top-level object represents the export. It contains the following key-value pairs:

- version: The version of the export format.
- kdfParams: Key derivation function parameters.
- encryptedData: The encrypted authentication data.
- encryptionNonce: The nonce used for encryption.

## Version

The export version identifies the format of the export data, so a reader must check it before interpreting the other fields.

### Ver: 1

- KDF Algorithm: ARGON2ID
- Decrypted data format: otpauth://totp/... URIs, one per line.
- Encryption Algo: XChaCha20-Poly1305

## Key Derivation Function Params (KDF)

This section contains the parameters that were used during the KDF operation:

- memLimit: Memory limit for the algorithm.
- opsLimit: Operations limit for the algorithm.
- salt: The salt used in the derivation process.

All three are stored in the clear and must be fed back into Argon2id unchanged to reproduce the same key. The values in the sample above are placeholders, not the settings the app uses.

## Encrypted Data

As mentioned above, the auth data is encrypted with a key derived from the user-provided password and the KDF params. The encryption algorithm is XChaCha20-Poly1305, an authenticated cipher, so a wrong password or a modified file fails to decrypt instead of yielding garbage. Because the salt and KDF parameters travel with the file, anyone holding the export can run an offline password-guessing attack against it; the export is exactly as strong as the password that protects it.
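The format described above is enough to write an independent reader. The following is an added example (not ente's code, and not the decrypt tool shipped in the repository) that validates a version-1 envelope, derives the key and opens the ciphertext, and parses the resulting otpauth lines. It assumes, because the document does not say, that salt, nonce and data are base64 strings, that the cipher is the one-shot XChaCha20-Poly1305 IETF AEAD (24-byte nonce, no associated data), and that the key is 32 bytes of Argon2id output with libsodium's crypto_pwhash semantics (memLimit in bytes). Decryption needs PyNaCl; the envelope and otpauth parsing run on the standard library alone. If the exporting app used libsodium's secretstream API rather than the one-shot AEAD, the call in decrypt_export has to be swapped for that API; the project's own decrypt tool is the reference.

```python
"""Reader for a version-1 ente Auth encrypted export. Added example, not ente's code.
Assumptions the page leaves open: salt/nonce/data are base64; the cipher is the
one-shot XChaCha20-Poly1305 IETF AEAD (24-byte nonce, no associated data); the key
is 32 bytes of Argon2id output, libsodium crypto_pwhash semantics (memLimit in bytes)."""
import base64
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

SUPPORTED_VERSION = 1
SALT_BYTES = 16    # libsodium crypto_pwhash_SALTBYTES (assumption)
NONCE_BYTES = 24   # XChaCha20-Poly1305 nonce length
TAG_BYTES = 16     # Poly1305 tag appended to the ciphertext


@dataclass
class Export:
    version: int
    mem_limit: int
    ops_limit: int
    salt: bytes
    nonce: bytes
    ciphertext: bytes


def parse_export(text: str) -> Export:
    """Validate the envelope strictly before any cryptography runs."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("export must be a JSON object")
    if doc.get("version") != SUPPORTED_VERSION:
        raise ValueError(f"unsupported export version {doc.get('version')!r}")
    kdf = doc.get("kdfParams")
    if not isinstance(kdf, dict):
        raise ValueError("missing kdfParams")
    for name in ("memLimit", "opsLimit"):
        if not isinstance(kdf.get(name), int) or kdf[name] <= 0:
            raise ValueError(f"kdfParams.{name} must be a positive integer")
    salt = base64.b64decode(kdf.get("salt", ""), validate=True)
    nonce = base64.b64decode(doc.get("encryptionNonce", ""), validate=True)
    ciphertext = base64.b64decode(doc.get("encryptedData", ""), validate=True)
    if len(salt) != SALT_BYTES or len(nonce) != NONCE_BYTES:
        raise ValueError(f"bad salt/nonce length: {len(salt)}/{len(nonce)} bytes")
    if len(ciphertext) < TAG_BYTES:
        raise ValueError("ciphertext is shorter than the Poly1305 tag")
    return Export(doc["version"], kdf["memLimit"], kdf["opsLimit"], salt, nonce, ciphertext)


def decrypt_export(export: Export, password: str) -> str:
    """Derive the key with Argon2id and open the AEAD box (needs PyNaCl)."""
    from nacl import bindings, pwhash  # lazy import: parsing works without libsodium
    key = pwhash.argon2id.kdf(
        bindings.crypto_aead_xchacha20poly1305_ietf_KEYBYTES,
        password.encode("utf-8"), export.salt,
        opslimit=export.ops_limit, memlimit=export.mem_limit,
    )
    # Raises nacl.exceptions.CryptoError on a wrong password or a tampered file.
    plaintext = bindings.crypto_aead_xchacha20poly1305_ietf_decrypt(
        export.ciphertext, None, export.nonce, key
    )
    return plaintext.decode("utf-8")


def parse_otpauth_lines(plaintext: str) -> list[dict]:
    """Parse the decrypted payload: one otpauth:// URI per line."""
    entries = []
    for lineno, line in enumerate(plaintext.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        u = urlsplit(line)
        if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
            raise ValueError(f"line {lineno}: not an otpauth totp/hotp URI")
        q = {k: v[0] for k, v in parse_qs(u.query).items()}
        if "secret" not in q:
            raise ValueError(f"line {lineno}: missing secret")
        label_issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
        entries.append({
            "type": u.netloc,
            "issuer": q.get("issuer", label_issuer),
            "account": account.strip(),
            "secret": q["secret"],
            "algorithm": q.get("algorithm", "SHA1").upper(),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30)),
        })
    return entries


# Constructed sample envelope (placeholder bytes; it parses but would not decrypt).
SAMPLE_EXPORT = json.dumps({
    "version": 1,
    "kdfParams": {"memLimit": 67108864, "opsLimit": 2,
                  "salt": base64.b64encode(b"\x01" * SALT_BYTES).decode()},
    "encryptedData": base64.b64encode(b"\x03" * 20).decode(),
    "encryptionNonce": base64.b64encode(b"\x02" * NONCE_BYTES).decode(),
})
# Constructed sample plaintext in the version-1 decrypted format.
SAMPLE_PLAINTEXT = (
    "otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example\n"
    "otpauth://hotp/Acme?secret=GEZDGNBVGY3TQOJQ&issuer=Acme&digits=8&counter=0\n"
)
```

Usage is `parse_otpauth_lines(decrypt_export(parse_export(open(path).read()), password))`. The envelope checks run before any key derivation so that a truncated or tampered file is rejected cheaply, and the memLimit/opsLimit values come from the file rather than from constants, which is what makes exports written with different KDF settings readable by the same code.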

## How to use the exported data

- ente Authenticator app: the codes can be imported directly into the ente Authenticator app.

  Settings -> Data -> Import Codes -> ente Encrypted export.

- Decryption Tool: download the prebuilt decryption tool (or build it from source) and run:

  ```sh
  ./decrypt <export_file> <password> <output_file>
  ```

  The password is passed as a command-line argument, so it lands in the shell history and is visible to other local users in the process list while the tool runs. The output file holds the TOTP secrets in plaintext; keep it off shared storage and delete it once the codes have been imported.