Encryption Keys

library(rmonocypher)

Encryption Keys

An encryption key is the core secret data used to encrypt/decrypt an object.

Without knowing the encryption key, it is not possible to decrypt the data.

It is important to save this key securely.

Encryption keys must be 32 bytes of difficult to guess values, and the {rmonocypher} package has a number of ways of making keys easy to handle.

The key for encryption may be one of:

  • A password
  • A 32-byte raw vector
  • A 64-character hexadecimal string

Use a password as the key

When using encrypt(..., key = ...), the key may simply be given as a password. This password may be any text (including spaces and special characters).

Internally, this password will be processed into a full 32-byte encryption key using Argon2 password-based key derivation (see below).

Generate a key using Argon2 Key Derivation Function

An encryption key may be generated by a password prior to the call to encrypt().

The argon2() function implements Argon2 password-based key derivation. This is a resource intensive password-based key derivation scheme (i.e. requires lots of CPU and RAM to run) which is difficult to brute-force.

For applications requiring more paranoia, it is recommended that an explicit salt be used. Don’t forget to save the salt as well, because without it you will not be able to generate the same encryption key.

# When no salt is provided, a salt will be 
# derived internally from the password. 
argon2("my secret")
#> [1] "bd7549bef4100b888c47e421b03c52fee58b285fcc40dfa4c0502689c4ed16d0"
# Use another password as the salt
argon2("my secret", salt = "salt and vinegar")
#> [1] "16df2856ba2ecc020ff506831a691b1d92616948197fb74fa651bfc89cad65e4"
# Use a 32-character hexadecimal string as the salt
argon2("my secret", salt = "cefca6aafae5bdbc15977fd56ea7f1eb")
#> [1] "2216b700af05984f21d7465487f21de0096f7aaa164d2b56c54803e3891ec071"
# Use 'rbyte()' to source 16 random bytes for the salt
salt <- rbyte(16)
argon2("my secret", salt = salt)
#> [1] "8ff3e1950878fa86a4ece61e72519602e24f99ff3d798caaf428ac2fbada8658"

Setting a global key in options()

You may wish to load a pre-generated key at the start of a session and use this throughout.

If no key is provided, the encrypt() and decrypt() functions attempt to use a key stored in the named option: MONOCYPHER_KEY.

# Create a key and set via options() 
key <- argon2("horse battery stapler")
options(MONOCYPHER_KEY = key)

encrypt(mydata, dst = "SharedDrive/mydata.rds")
decrypt(        src = "SharedDrive/mydata.rds")

Use raw bytes as the key

The key may also be a raw vector containing 32 bytes.

If using random bytes for the key, it is important that they be generated from a cryptographically secure source e.g. rbyte().

Be sure to save this key, as it will not be possible to generate this exact same random sequence again.

key <- rbyte(32, type = 'raw')
key
#>  [1] 70 40 16 74 6b 26 7c c3 a9 db c3 12 5b 2f 05 03 d8 e0 ee 43 4c 89 56 09 58
#> [26] 05 fd ba 75 2c e9 66

Use hexadecimal string as a key

The key may be given as a 64-character hexadecimal string.

If this key is generated using rbyte(), be sure to save this key as it will not be possible to generate this exact same random sequence again.

key <- rbyte(32, type = 'chr')
key
#> [1] "70bd98b5bf562120560614b9a764f9e3b431cf76e316849ed48f094fb003866a"