restic/internal/repository/key.go

package repository

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"os"
	"os/user"
	"time"

	"github.com/restic/restic/internal/errors"
	"github.com/restic/restic/internal/restic"

	"github.com/restic/restic/internal/backend"
	"github.com/restic/restic/internal/crypto"
	"github.com/restic/restic/internal/debug"
)

var (
	// ErrNoKeyFound is returned when no key for the repository could be decrypted.
	ErrNoKeyFound = errors.Fatal("wrong password or no key found")

	// ErrMaxKeysReached is returned when the maximum number of keys was checked and no key could be found.
	ErrMaxKeysReached = errors.Fatal("maximum number of keys reached")
)

// Key represents an encrypted master key for a repository.
type Key struct {
	Created  time.Time `json:"created"`
	Username string    `json:"username"`
	Hostname string    `json:"hostname"`

	KDF  string `json:"kdf"`
	N    int    `json:"N"`
	R    int    `json:"r"`
	P    int    `json:"p"`
	Salt []byte `json:"salt"`
	Data []byte `json:"data"`

	user   *crypto.Key
	master *crypto.Key

	name string
}

// Params tracks the parameters used for the KDF. If not set, it will be
// calibrated on the first run of AddKey().
var Params *crypto.Params

var (
	// KDFTimeout specifies the maximum runtime for the KDF.
	KDFTimeout = 500 * time.Millisecond

	// KDFMemory limits the memory the KDF is allowed to use.
	KDFMemory = 60
)

// createMasterKey creates a new master key in the given backend and encrypts
// it with the password.
func createMasterKey(s *Repository, password string) (*Key, error) {
	return AddKey(context.TODO(), s, password, nil)
}

// OpenKey tries do decrypt the key specified by name with the given password.
func OpenKey(ctx context.Context, s *Repository, name string, password string) (*Key, error) {
	k, err := LoadKey(ctx, s, name)
	if err != nil {
		debug.Log("LoadKey(%v) returned error %v", name, err)
		return nil, err
	}

	// check KDF
	if k.KDF != "scrypt" {
		return nil, errors.New("only supported KDF is scrypt()")
	}

	// derive user key
	params := crypto.Params{
		N: k.N,
		R: k.R,
		P: k.P,
	}
	k.user, err = crypto.KDF(params, k.Salt, password)
	if err != nil {
		return nil, errors.Wrap(err, "crypto.KDF")
	}

	// decrypt master keys
	buf := make([]byte, len(k.Data))
	n, err := k.user.Decrypt(buf, k.Data)
	if err != nil {
		return nil, err
	}
	buf = buf[:n]

	// restore json
	k.master = &crypto.Key{}
	err = json.Unmarshal(buf, k.master)
	if err != nil {
		debug.Log("Unmarshal() returned error %v", err)
		return nil, errors.Wrap(err, "Unmarshal")
	}
	k.name = name

	if !k.Valid() {
		return nil, errors.New("Invalid key for repository")
	}

	return k, nil
}

// SearchKey tries to decrypt at most maxKeys keys in the backend with the
// given password. If none could be found, ErrNoKeyFound is returned. When
// maxKeys is reached, ErrMaxKeysReached is returned. When setting maxKeys to
// zero, all keys in the repo are checked.
func SearchKey(ctx context.Context, s *Repository, password string, maxKeys int) (*Key, error) {
	checked := 0

	// try at most maxKeysForSearch keys in repo
	for name := range s.Backend().List(ctx, restic.KeyFile) {
		if maxKeys > 0 && checked > maxKeys {
			return nil, ErrMaxKeysReached
		}

		debug.Log("trying key %q", name)
		key, err := OpenKey(ctx, s, name, password)
		if err != nil {
			debug.Log("key %v returned error %v", name, err)

			// ErrUnauthenticated means the password is wrong, try the next key
			if errors.Cause(err) == crypto.ErrUnauthenticated {
				continue
			}

			if err != nil {
				debug.Log("unable to open key %v: %v\n", err)
				continue
			}
		}

		debug.Log("successfully opened key %v", name)
		return key, nil
	}

	return nil, ErrNoKeyFound
}

// LoadKey loads a key from the backend.
func LoadKey(ctx context.Context, s *Repository, name string) (k *Key, err error) {
	h := restic.Handle{Type: restic.KeyFile, Name: name}
	data, err := backend.LoadAll(ctx, s.be, h)
	if err != nil {
		return nil, err
	}

	k = &Key{}
	err = json.Unmarshal(data, k)
	if err != nil {
		return nil, errors.Wrap(err, "Unmarshal")
	}

	return k, nil
}

// AddKey adds a new key to an already existing repository.
func AddKey(ctx context.Context, s *Repository, password string, template *crypto.Key) (*Key, error) {
	// make sure we have valid KDF parameters
	if Params == nil {
		p, err := crypto.Calibrate(KDFTimeout, KDFMemory)
		if err != nil {
			return nil, errors.Wrap(err, "Calibrate")
		}

		Params = &p
		debug.Log("calibrated KDF parameters are %v", p)
	}

	// fill meta data about key
	newkey := &Key{
		Created: time.Now(),
		KDF:     "scrypt",
		N:       Params.N,
		R:       Params.R,
		P:       Params.P,
	}

	hn, err := os.Hostname()
	if err == nil {
		newkey.Hostname = hn
	}

	usr, err := user.Current()
	if err == nil {
		newkey.Username = usr.Username
	}

	// generate random salt
	newkey.Salt, err = crypto.NewSalt()
	if err != nil {
		panic("unable to read enough random bytes for salt: " + err.Error())
	}

	// call KDF to derive user key
	newkey.user, err = crypto.KDF(*Params, newkey.Salt, password)
	if err != nil {
		return nil, err
	}

	if template == nil {
		// generate new random master keys
		newkey.master = crypto.NewRandomKey()
	} else {
		// copy master keys from old key
		newkey.master = template
	}

	// encrypt master keys (as json) with user key
	buf, err := json.Marshal(newkey.master)
	if err != nil {
		return nil, errors.Wrap(err, "Marshal")
	}

	newkey.Data, err = newkey.user.Encrypt(nil, buf)

	// dump as json
	buf, err = json.Marshal(newkey)
	if err != nil {
		return nil, errors.Wrap(err, "Marshal")
	}

	// store in repository and return
	h := restic.Handle{
		Type: restic.KeyFile,
		Name: restic.Hash(buf).String(),
	}

	err = s.be.Save(ctx, h, bytes.NewReader(buf))
	if err != nil {
		return nil, err
	}

	newkey.name = h.Name

	return newkey, nil
}

func (k *Key) String() string {
	if k == nil {
		return "<Key nil>"
	}
	return fmt.Sprintf("<Key of %s@%s, created on %s>", k.Username, k.Hostname, k.Created)
}

// Name returns an identifier for the key.
func (k Key) Name() string {
	return k.name
}

// Valid tests whether the mac and encryption keys are valid (i.e. not zero)
func (k *Key) Valid() bool {
	return k.user.Valid() && k.master.Valid()
}
Move package 'repo' to package 'repository' 2015-05-09 23:52:03 +02:00			`package repository`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00
			`import (`
Change backend Save() function signature 2017-01-22 12:32:20 +01:00			`"bytes"`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`"context"`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`"encoding/json"`
			`"fmt"`
			`"os"`
			`"os/user"`
			`"time"`

Run goimports 2017-07-23 14:21:03 +02:00			`"github.com/restic/restic/internal/errors"`
Move restic package to internal/restic 2017-07-24 17:42:25 +02:00			`"github.com/restic/restic/internal/restic"`
Run goimports 2017-07-23 14:21:03 +02:00
			`"github.com/restic/restic/internal/backend"`
			`"github.com/restic/restic/internal/crypto"`
			`"github.com/restic/restic/internal/debug"`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`)`

			`var (`
Rework key.go, add Comments 2014-11-15 17:17:24 +01:00			`// ErrNoKeyFound is returned when no key for the repository could be decrypted.`
Handle invalid key file 2017-09-10 10:55:01 +02:00			`ErrNoKeyFound = errors.Fatal("wrong password or no key found")`
Limit the number of key files checked on SearchKey 2016-08-21 13:09:31 +02:00
			`// ErrMaxKeysReached is returned when the maximum number of keys was checked and no key could be found.`
Handle invalid key file 2017-09-10 10:55:01 +02:00			`ErrMaxKeysReached = errors.Fatal("maximum number of keys reached")`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`)`

Rework key.go, add Comments 2014-11-15 17:17:24 +01:00			`// Key represents an encrypted master key for a repository.`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`type Key struct {`
			Created time.Time `json:"created"`
			Username string `json:"username"`
			Hostname string `json:"hostname"`

			KDF string `json:"kdf"`
			N int `json:"N"`
			R int `json:"r"`
			P int `json:"p"`
			Salt []byte `json:"salt"`
			Data []byte `json:"data"`

Rename crypto functions and constants 2015-04-12 09:41:47 +02:00			`user *crypto.Key`
			`master *crypto.Key`
Add command "key rm" 2014-11-25 23:18:02 +01:00
Refactor backends 2015-03-28 11:50:23 +01:00			`name string`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`}`

Rename KDFParams -> Params 2017-10-28 10:28:29 +02:00			`// Params tracks the parameters used for the KDF. If not set, it will be`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00			`// calibrated on the first run of AddKey().`
Rename KDFParams -> Params 2017-10-28 10:28:29 +02:00			`var Params *crypto.Params`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00
			`var (`
Fix commets for constants 2016-08-21 13:13:05 +02:00			`// KDFTimeout specifies the maximum runtime for the KDF.`
			`KDFTimeout = 500 * time.Millisecond`

			`// KDFMemory limits the memory the KDF is allowed to use.`
			`KDFMemory = 60`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00			`)`

server: Add config 2015-05-03 17:37:12 +02:00			`// createMasterKey creates a new master key in the given backend and encrypts`
server/key: Rename CreateKey -> CreateMasterKey 2015-05-03 17:17:10 +02:00			`// it with the password.`
Rename 'Repo' -> 'Repository' 2015-05-09 23:59:58 +02:00			`func createMasterKey(s Repository, password string) (Key, error) {`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`return AddKey(context.TODO(), s, password, nil)`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`}`

Refactor backends 2015-03-28 11:50:23 +01:00			`// OpenKey tries do decrypt the key specified by name with the given password.`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`func OpenKey(ctx context.Context, s Repository, name string, password string) (Key, error) {`
			`k, err := LoadKey(ctx, s, name)`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`if err != nil {`
Always use long name for keys Otherwise the code panics if a file with a short name is tried. 2017-09-10 15:35:02 +02:00			`debug.Log("LoadKey(%v) returned error %v", name, err)`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`return nil, err`
			`}`

			`// check KDF`
			`if k.KDF != "scrypt" {`
			`return nil, errors.New("only supported KDF is scrypt()")`
			`}`

			`// derive user key`
Rename KDFParams -> Params 2017-10-28 10:28:29 +02:00			`params := crypto.Params{`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00			`N: k.N,`
			`R: k.R,`
			`P: k.P,`
			`}`
			`k.user, err = crypto.KDF(params, k.Salt, password)`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`if err != nil {`
Wrap errors #3 2016-08-29 22:16:58 +02:00			`return nil, errors.Wrap(err, "crypto.KDF")`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`}`

			`// decrypt master keys`
Rework crypto, use restic.Repository everywhere 2016-09-03 13:34:04 +02:00			`buf := make([]byte, len(k.Data))`
crypto: Make Encrypt/Decrypt a method of *Key 2017-06-19 21:12:53 +02:00			`n, err := k.user.Decrypt(buf, k.Data)`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`if err != nil {`
			`return nil, err`
			`}`
Rework crypto, use restic.Repository everywhere 2016-09-03 13:34:04 +02:00			`buf = buf[:n]`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00
			`// restore json`
Rename crypto functions and constants 2015-04-12 09:41:47 +02:00			`k.master = &crypto.Key{}`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`err = json.Unmarshal(buf, k.master)`
			`if err != nil {`
Update calls to debug.Log() 2016-09-27 22:35:08 +02:00			`debug.Log("Unmarshal() returned error %v", err)`
Wrap errors #3 2016-08-29 22:16:58 +02:00			`return nil, errors.Wrap(err, "Unmarshal")`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`}`
Refactor backends 2015-03-28 11:50:23 +01:00			`k.name = name`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00
Add test for invalid (=zero) crypto keys 2015-05-01 17:31:57 +02:00			`if !k.Valid() {`
			`return nil, errors.New("Invalid key for repository")`
Seed chunker with random per-repository polynomial 2015-04-06 00:22:19 +02:00			`}`

Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`return k, nil`
			`}`

Limit the number of key files checked on SearchKey 2016-08-21 13:09:31 +02:00			`// SearchKey tries to decrypt at most maxKeys keys in the backend with the`
			`// given password. If none could be found, ErrNoKeyFound is returned. When`
			`// maxKeys is reached, ErrMaxKeysReached is returned. When setting maxKeys to`
			`// zero, all keys in the repo are checked.`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`func SearchKey(ctx context.Context, s Repository, password string, maxKeys int) (Key, error) {`
Limit the number of key files checked on SearchKey 2016-08-21 13:09:31 +02:00			`checked := 0`

			`// try at most maxKeysForSearch keys in repo`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`for name := range s.Backend().List(ctx, restic.KeyFile) {`
Limit the number of key files checked on SearchKey 2016-08-21 13:09:31 +02:00			`if maxKeys > 0 && checked > maxKeys {`
			`return nil, ErrMaxKeysReached`
			`}`

Fix panic when file name is too short Closes #1204 2017-09-09 10:50:32 +02:00			`debug.Log("trying key %q", name)`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`key, err := OpenKey(ctx, s, name, password)`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`if err != nil {`
Always use long name for keys Otherwise the code panics if a file with a short name is tried. 2017-09-10 15:35:02 +02:00			`debug.Log("key %v returned error %v", name, err)`
Limit the number of key files checked on SearchKey 2016-08-21 13:09:31 +02:00
			`// ErrUnauthenticated means the password is wrong, try the next key`
Always use errors.Cause() for testing error values 2016-08-29 19:18:57 +02:00			`if errors.Cause(err) == crypto.ErrUnauthenticated {`
Limit the number of key files checked on SearchKey 2016-08-21 13:09:31 +02:00			`continue`
			`}`

Handle invalid key file 2017-09-10 10:55:01 +02:00			`if err != nil {`
			`debug.Log("unable to open key %v: %v\n", err)`
			`continue`
			`}`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`}`

Always use long name for keys Otherwise the code panics if a file with a short name is tried. 2017-09-10 15:35:02 +02:00			`debug.Log("successfully opened key %v", name)`
Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`return key, nil`
			`}`

			`return nil, ErrNoKeyFound`
			`}`

Remove Each(), add basic stats 2015-02-17 23:05:23 +01:00			`// LoadKey loads a key from the backend.`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`func LoadKey(ctx context.Context, s Repository, name string) (k Key, err error) {`
Rename struct member FileType -> Type 2016-09-01 21:19:30 +02:00			`h := restic.Handle{Type: restic.KeyFile, Name: name}`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`data, err := backend.LoadAll(ctx, s.be, h)`
Remove Each(), add basic stats 2015-02-17 23:05:23 +01:00			`if err != nil {`
			`return nil, err`
			`}`

repository/key: Use Load() instead of GetReader() 2016-01-23 23:48:19 +01:00			`k = &Key{}`
			`err = json.Unmarshal(data, k)`
Remove Each(), add basic stats 2015-02-17 23:05:23 +01:00			`if err != nil {`
Wrap errors #3 2016-08-29 22:16:58 +02:00			`return nil, errors.Wrap(err, "Unmarshal")`
Remove Each(), add basic stats 2015-02-17 23:05:23 +01:00			`}`

Add error checking 2015-11-18 20:33:20 +01:00			`return k, nil`
Remove Each(), add basic stats 2015-02-17 23:05:23 +01:00			`}`

Add command "key add" 2014-11-25 23:07:00 +01:00			`// AddKey adds a new key to an already existing repository.`
Add context to restic packages 2017-06-04 11:16:55 +02:00			`func AddKey(ctx context.Context, s Repository, password string, template crypto.Key) (*Key, error) {`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00			`// make sure we have valid KDF parameters`
Rename KDFParams -> Params 2017-10-28 10:28:29 +02:00			`if Params == nil {`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00			`p, err := crypto.Calibrate(KDFTimeout, KDFMemory)`
			`if err != nil {`
Wrap errors #3 2016-08-29 22:16:58 +02:00			`return nil, errors.Wrap(err, "Calibrate")`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00			`}`

Rename KDFParams -> Params 2017-10-28 10:28:29 +02:00			`Params = &p`
Update calls to debug.Log() 2016-09-27 22:35:08 +02:00			`debug.Log("calibrated KDF parameters are %v", p)`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00			`}`

Add command "key add" 2014-11-25 23:07:00 +01:00			`// fill meta data about key`
			`newkey := &Key{`
			`Created: time.Now(),`
			`KDF: "scrypt",`
Rename KDFParams -> Params 2017-10-28 10:28:29 +02:00			`N: Params.N,`
			`R: Params.R,`
			`P: Params.P,`
Add command "key add" 2014-11-25 23:07:00 +01:00			`}`

			`hn, err := os.Hostname()`
			`if err == nil {`
			`newkey.Hostname = hn`
			`}`

			`usr, err := user.Current()`
			`if err == nil {`
			`newkey.Username = usr.Username`
			`}`

			`// generate random salt`
Calibrate scrypt for the current hardware Closes #17 2016-08-21 12:32:38 +02:00			`newkey.Salt, err = crypto.NewSalt()`
			`if err != nil {`
			`panic("unable to read enough random bytes for salt: " + err.Error())`
Add command "key add" 2014-11-25 23:07:00 +01:00			`}`

Refactor crypto layer, switch HMAC for Poyl1305-AES HMAC-SHA256 calls SHA256() twice which is very expensive. Therefore, this commit uses Poly1305-AES instead of HMAC-SHA256. benchcmp: benchmark old ns/op new ns/op delta BenchmarkChunkEncrypt 261033772 195114818 -25.25% BenchmarkChunkEncryptParallel 260973195 195787368 -24.98% BenchmarkArchiveDirectory 1050500651 1002615884 -4.56% BenchmarkPreload 23544286 24994508 +6.16% BenchmarkLoadTree 350065 427665 +22.17% BenchmarkEncryptWriter 87789753 31069126 -64.61% BenchmarkEncrypt 88283197 38259043 -56.66% BenchmarkDecryptReader 90478843 40714818 -55.00% BenchmarkEncryptDecryptReader 179917626 81231730 -54.85% BenchmarkDecrypt 87871591 37784207 -57.00% BenchmarkSaveJSON 52481 56861 +8.35% BenchmarkSaveFrom 75404085 51108596 -32.22% BenchmarkLoadJSONID 90545437 82696805 -8.67% benchmark old MB/s new MB/s speedup BenchmarkChunkEncrypt 40.17 53.74 1.34x BenchmarkChunkEncryptParallel 40.18 53.56 1.33x BenchmarkEncryptWriter 95.55 270.00 2.83x BenchmarkEncrypt 95.02 219.26 2.31x BenchmarkDecryptReader 92.71 206.03 2.22x BenchmarkEncryptDecryptReader 46.62 103.27 2.22x BenchmarkDecrypt 95.46 222.01 2.33x BenchmarkSaveFrom 55.62 82.07 1.48x benchmark old allocs new allocs delta BenchmarkChunkEncrypt 112 110 -1.79% BenchmarkChunkEncryptParallel 103 100 -2.91% BenchmarkArchiveDirectory 383704 392083 +2.18% BenchmarkPreload 21765 21874 +0.50% BenchmarkLoadTree 341 436 +27.86% BenchmarkEncryptWriter 20 17 -15.00% BenchmarkEncrypt 14 13 -7.14% BenchmarkDecryptReader 18 15 -16.67% BenchmarkEncryptDecryptReader 46 39 -15.22% BenchmarkDecrypt 16 12 -25.00% BenchmarkSaveJSON 81 86 +6.17% BenchmarkSaveFrom 117 121 +3.42% BenchmarkLoadJSONID 80525 80264 -0.32% benchmark old bytes new bytes delta BenchmarkChunkEncrypt 118956 64697 -45.61% BenchmarkChunkEncryptParallel 118972 64681 -45.63% BenchmarkArchiveDirectory 160236600 177498232 +10.77% BenchmarkPreload 2772488 3302992 +19.13% BenchmarkLoadTree 49102 46484 -5.33% BenchmarkEncryptWriter 28927 8388146 +28897.64% BenchmarkEncrypt 2473 1950 -21.15% BenchmarkDecryptReader 527827 2774 -99.47% BenchmarkEncryptDecryptReader 4100875 1528036 -62.74% BenchmarkDecrypt 2509 2154 -14.15% BenchmarkSaveJSON 4971 5892 +18.53% BenchmarkSaveFrom 40117 31742 -20.88% BenchmarkLoadJSONID 9444217 9442106 -0.02% This closes #102. 2015-03-14 19:53:51 +01:00			`// call KDF to derive user key`
Rename KDFParams -> Params 2017-10-28 10:28:29 +02:00			`newkey.user, err = crypto.KDF(*Params, newkey.Salt, password)`
Add command "key add" 2014-11-25 23:07:00 +01:00			`if err != nil {`
			`return nil, err`
			`}`

Reduce code duplication in key handling 2014-12-21 18:16:22 +01:00			`if template == nil {`
			`// generate new random master keys`
crypto.go nitpicks 2015-04-29 22:28:34 -04:00			`newkey.master = crypto.NewRandomKey()`
Reduce code duplication in key handling 2014-12-21 18:16:22 +01:00			`} else {`
			`// copy master keys from old key`
server: Only save crypto.Key At the moment, the server doesn't need the full server.Key (master and user key), just the master key. 2015-05-03 18:04:13 +02:00			`newkey.master = template`
Reduce code duplication in key handling 2014-12-21 18:16:22 +01:00			`}`
Add command "key add" 2014-11-25 23:07:00 +01:00
			`// encrypt master keys (as json) with user key`
			`buf, err := json.Marshal(newkey.master)`
			`if err != nil {`
Wrap errors #3 2016-08-29 22:16:58 +02:00			`return nil, errors.Wrap(err, "Marshal")`
Add command "key add" 2014-11-25 23:07:00 +01:00			`}`

crypto: Make Encrypt/Decrypt a method of *Key 2017-06-19 21:12:53 +02:00			`newkey.Data, err = newkey.user.Encrypt(nil, buf)`
Add command "key add" 2014-11-25 23:07:00 +01:00
			`// dump as json`
			`buf, err = json.Marshal(newkey)`
			`if err != nil {`
Wrap errors #3 2016-08-29 22:16:58 +02:00			`return nil, errors.Wrap(err, "Marshal")`
Add command "key add" 2014-11-25 23:07:00 +01:00			`}`

			`// store in repository and return`
wip 2016-08-31 20:29:54 +02:00			`h := restic.Handle{`
Rename struct member FileType -> Type 2016-09-01 21:19:30 +02:00			`Type: restic.KeyFile,`
			`Name: restic.Hash(buf).String(),`
Simply backend interface Rename CreateBlob() method to Create(), remove old Create* methods 2015-02-15 17:26:08 +01:00			`}`

Add context to restic packages 2017-06-04 11:16:55 +02:00			`err = s.be.Save(ctx, h, bytes.NewReader(buf))`
Simply backend interface Rename CreateBlob() method to Create(), remove old Create* methods 2015-02-15 17:26:08 +01:00			`if err != nil {`
			`return nil, err`
			`}`

Key: Use Save() instead of Create() 2016-01-24 17:52:44 +01:00			`newkey.name = h.Name`
Add command "key add" 2014-11-25 23:07:00 +01:00
Reduce code duplication in key handling 2014-12-21 18:16:22 +01:00			`return newkey, nil`
Add command "key add" 2014-11-25 23:07:00 +01:00			`}`

Add decrypt, refactor 2014-09-23 22:39:12 +02:00			`func (k *Key) String() string {`
			`if k == nil {`
			`return "<Key nil>"`
			`}`
			`return fmt.Sprintf("<Key of %s@%s, created on %s>", k.Username, k.Hostname, k.Created)`
			`}`
Add command "key rm" 2014-11-25 23:18:02 +01:00
Add comment 2016-01-23 23:27:40 +01:00			`// Name returns an identifier for the key.`
Refactor backends 2015-03-28 11:50:23 +01:00			`func (k Key) Name() string {`
			`return k.name`
Add command "key rm" 2014-11-25 23:18:02 +01:00			`}`
Add test for invalid (=zero) crypto keys 2015-05-01 17:31:57 +02:00
			`// Valid tests whether the mac and encryption keys are valid (i.e. not zero)`
			`func (k *Key) Valid() bool {`
			`return k.user.Valid() && k.master.Valid()`
			`}`