UnknownCryptoError when encrypting

[Jytesh]

use orion::aead as crypto;

pub fn enrypt_string(string: String, password: String) -> Result<Vec<u8>, orion::errors::UnknownCryptoError>{
    println!("{:?}", password.as_bytes());
    let passphrase = crypto::SecretKey::from_slice(password.as_bytes()).expect("Failed to encrypt password");
    println!("{:?} {:?}", passphrase, string.as_bytes());
    let ciphertext = crypto::seal(&passphrase, &string.as_bytes()).expect("Failed to encrypt text");
    Ok(ciphertext)
}

Panics at

normalpassword
TESTING CRYPTO
[110, 111, 114, 109, 97, 108, 112, 97, 115, 115, 119, 111, 114, 100]
SecretKey {***OMITTED***} [84, 69, 83, 84, 73, 78, 71, 32, 67, 82, 89, 80, 84, 79]
thread 'main' panicked at 'Failed to encrypt text: UnknownCryptoError', src/crypto.rs:7:68
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

[Jytesh]

I changed the secretkey method to default() and it works now, but I want a user inputted password

[brycx]

Hi!

If you take a peek at the errors documentation, you'll see that the first one says that the secret_key must be 32 bytes. The password you use here is however only 14 bytes. You can use the .len() function on a SecretKey instance to check if it is upheld. default() randomly generates 32 bytes, which is why it works.

In practice, please note that using user-passwords directly to encrypt data is not secure. You can use orion::kdf to "stretch" the password before using it for encryption. There is also an example in that module for this exact use-case.

Don't hesitate to let us know if there's anything else!

[Jytesh]

fn stretch_passphrase(passphrase: String) -> crypto::SecretKey {
    let user_password = kdf::Password::from_slice(passphrase.as_bytes()).unwrap();
    let salt = kdf::Salt::default();

    let derived_key = kdf::derive_key(&user_password, &salt, 3, 1<<16, 32).unwrap();
    return derived_key;
}

Current doing this but the default salt is randomly generated so the stretched password isn't the same

[brycx]

If you have a file, the common approach is to randomly generate the salt for a given file, write the salt to the file as the first n bytes, then write the encrypted data afterwards. Then, when you want to decrypt, you read the salt from the encrypted file and use that to re-create the derived key. Afterwards, you can decrypt the rest of the file.

[Jytesh]

Okay I will try that

[Jytesh]

works! I have successfully encrypted and decrypted! ❤️

[Jytesh]

https://github.com/Jytesh/file-crypto-cli :)