duckdb::EncryptionKeyManager Class Reference

Inheritance diagram for duckdb::EncryptionKeyManager:

Collaboration diagram for duckdb::EncryptionKeyManager:

Public Member Functions
void	AddKey (const string &key_name, data_ptr_t key)
bool	HasKey (const string &key_name) const
void	DeleteKey (const string &key_name)
void	ClearKey (const string &key_name)
void	EraseKey (const string &key_name)
const_data_ptr_t	GetKey (const string &key_name) const
string	GetObjectType () override
optional_idx	GetEstimatedCacheMemory () const override

Static Public Member Functions
static EncryptionKeyManager &	GetInternal (ObjectCache &cache)
static EncryptionKeyManager &	Get (ClientContext &context)
static EncryptionKeyManager &	Get (DatabaseInstance &db)
static string	ObjectType ()
static void	DeriveKey (string &user_key, data_ptr_t salt, data_ptr_t derived_key)
static void	KeyDerivationFunctionSHA256 (const_data_ptr_t user_key, idx_t user_key_size, data_ptr_t salt, data_ptr_t derived_key)
static void	KeyDerivationFunctionSHA256 (data_ptr_t user_key, idx_t user_key_size, data_ptr_t salt, data_ptr_t derived_key)
static string	Base64Decode (const string &key)
static string	GenerateRandomKeyID ()
	Generate a (non-cryptographically secure) random key ID.

Static Public Attributes
static constexpr idx_t	KEY_ID_BYTES = 8
	constants
static constexpr idx_t	DERIVED_KEY_LENGTH = 32

Private Attributes
mutex	lock
std::unordered_map< std::string, EncryptionKey >	derived_keys

Member Function Documentation

GetInternal()

EncryptionKeyManager & duckdb::EncryptionKeyManager::GetInternal ( ObjectCache &  cache )

static

                                                                          {
    return *cache.GetOrCreate<EncryptionKeyManager>(EncryptionKeyManager::ObjectType());
}

Get() [1/2]

EncryptionKeyManager & duckdb::EncryptionKeyManager::Get ( ClientContext &  context )

static

                                                                      {
    auto &cache = ObjectCache::GetObjectCache(context);
    return GetInternal(cache);
}

Get() [2/2]

EncryptionKeyManager & duckdb::EncryptionKeyManager::Get ( DatabaseInstance &  db )

static

                                                                    {
    auto &cache = db.GetObjectCache();
    return GetInternal(cache);
}

AddKey()

void duckdb::EncryptionKeyManager::AddKey	(	const string &	key_name,
		data_ptr_t	key
	)

                                                                        {
    lock_guard<mutex> guard(lock);
    derived_keys.emplace(key_name, EncryptionKey(key));
    // Zero-out the input encryption key
    duckdb_mbedtls::MbedTlsWrapper::AESStateMBEDTLS::SecureClearData(key, DERIVED_KEY_LENGTH);
}

HasKey()

bool duckdb::EncryptionKeyManager::HasKey

(

const string &

key_name

)

const

                                                              {
    lock_guard<mutex> guard(lock);
    return derived_keys.find(key_name) != derived_keys.end();
}

DeleteKey()

void duckdb::EncryptionKeyManager::DeleteKey

(

const string &

key_name

)

                                                           {
    lock_guard<mutex> guard(lock);
    ClearKey(key_name);
    EraseKey(key_name);
}

ClearKey()

void duckdb::EncryptionKeyManager::ClearKey

(

const string &

key_name

)

                                                          {
    D_ASSERT(HasKey(key_name));
    auto const key_data = derived_keys.at(key_name).GetData();
    // clear the key (zero-out its memory)
    duckdb_mbedtls::MbedTlsWrapper::AESStateMBEDTLS::SecureClearData(key_data,
                                                                     MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
}

EraseKey()

void duckdb::EncryptionKeyManager::EraseKey

(

const string &

key_name

)

                                                          {
    derived_keys.erase(key_name);
}

GetKey()

const_data_ptr_t duckdb::EncryptionKeyManager::GetKey

(

const string &

key_name

)

const

                                                                          {
    D_ASSERT(HasKey(key_name));
    lock_guard<mutex> guard(lock);
    return derived_keys.at(key_name).GetPtr();
}

ObjectType()

string duckdb::EncryptionKeyManager::ObjectType ( )

static

                                        {
    return "encryption_keys";
}

GetObjectType()

string duckdb::EncryptionKeyManager::GetObjectType ( )

overridevirtual

Implements duckdb::ObjectCacheEntry.

                                           {
    return ObjectType();
}

GetEstimatedCacheMemory()

optional_idx duckdb::EncryptionKeyManager::GetEstimatedCacheMemory ( ) const

inlineoverridevirtual

Get the rough cache memory usage in bytes for this entry. Used for eviction decisions. Return invalid index to prevent eviction.

Implements duckdb::ObjectCacheEntry.

                                                          {
        return optional_idx {};
    }

DeriveKey()

void duckdb::EncryptionKeyManager::DeriveKey ( string &  user_key, data_ptr_t  salt, data_ptr_t  derived_key  )

static

Key is base64 encoded

Todo; check if valid utf-8

                                                                                              {
    string decoded_key;
 
    try {
        decoded_key = Base64Decode(user_key);
    } catch (const ConversionException &e) {
        decoded_key = user_key;
    }
 
    KeyDerivationFunctionSHA256(reinterpret_cast<const_data_ptr_t>(decoded_key.data()), decoded_key.size(), salt,
                                derived_key);
 
    duckdb_mbedtls::MbedTlsWrapper::AESStateMBEDTLS::SecureClearData(data_ptr_cast(&user_key[0]), user_key.size());
    duckdb_mbedtls::MbedTlsWrapper::AESStateMBEDTLS::SecureClearData(data_ptr_cast(&decoded_key[0]),
                                                                     decoded_key.size());
    user_key.clear();
    decoded_key.clear();
}

Here is the call graph for this function:

KeyDerivationFunctionSHA256() [1/2]

void duckdb::EncryptionKeyManager::KeyDerivationFunctionSHA256 ( const_data_ptr_t  user_key, idx_t  user_key_size, data_ptr_t  salt, data_ptr_t  derived_key  )

static

For now, we are only using SHA256 for key derivation

                                                                               {
    duckdb_mbedtls::MbedTlsWrapper::SHA256State state;
    state.AddSalt(salt, MainHeader::DB_IDENTIFIER_LEN);
    state.AddBytes(key, key_size);
    state.FinalizeDerivedKey(derived_key);
}

Here is the caller graph for this function:

KeyDerivationFunctionSHA256() [2/2]

void duckdb::EncryptionKeyManager::KeyDerivationFunctionSHA256 ( data_ptr_t  user_key, idx_t  user_key_size, data_ptr_t  salt, data_ptr_t  derived_key  )

static

                                                                               {
    KeyDerivationFunctionSHA256(reinterpret_cast<const_data_ptr_t>(user_key), user_key_size, salt, derived_key);
}

Base64Decode()

string duckdb::EncryptionKeyManager::Base64Decode ( const string &  key )

static

                                                           {
    auto result_size = Blob::FromBase64Size(key);
    auto output = duckdb::unique_ptr<unsigned char[]>(new unsigned char[result_size]);
    Blob::FromBase64(key, output.get(), result_size);
    string decoded_key(reinterpret_cast<const char *>(output.get()), result_size);
    duckdb_mbedtls::MbedTlsWrapper::AESStateMBEDTLS::SecureClearData(output.get(), result_size);
    return decoded_key;
}

GenerateRandomKeyID()

string duckdb::EncryptionKeyManager::GenerateRandomKeyID ( )

static

Generate a (non-cryptographically secure) random key ID.

                                                 {
    uint8_t key_id[KEY_ID_BYTES];
    RandomEngine engine;
    engine.RandomData(key_id, KEY_ID_BYTES);
    string key_id_str(reinterpret_cast<const char *>(key_id), KEY_ID_BYTES);
    return key_id_str;
}

---

The documentation for this class was generated from the following file:

• external/duckdb/duckdb.cpp