Argon2 the second part: implement key encryption / decryption

[hexagonrecursion]

Note: this PR is not yet complete. I am submitting it to try running CI

This is the second part of #747

~~ - [x] Add code in decrypt_key_file necessary to be able to decrypt v2 keys ~~
~~ - [x] Implement encryption of keys in the new format ~~
See new TODO

This PR includes #6468

[codecov-commenter]

Codecov Report

Merging #6469 (1aa652e) into master (312cae5) will increase coverage by 0.32%.
The diff coverage is 89.47%.

@@            Coverage Diff             @@
##           master    #6469      +/-   ##
==========================================
+ Coverage   82.76%   83.09%   +0.32%     
==========================================
  Files          39       39              
  Lines       10655    10573      -82     
  Branches     2089     2069      -20     
==========================================
- Hits         8819     8786      -33     
+ Misses       1327     1286      -41     
+ Partials      509      501       -8     

Impacted Files	Coverage Δ
src/borg/helpers/passphrase.py	77.87% <66.66%> (+2.17%)	⬆️
src/borg/crypto/key.py	92.08% <91.30%> (+0.96%)	⬆️
src/borg/archiver.py	78.43% <100.00%> (+0.29%)	⬆️
src/borg/constants.py	100.00% <100.00%> (ø)
src/borg/upgrader.py	36.58% <0.00%> (-26.64%)	⬇️
src/borg/helpers/parseformat.py	90.04% <0.00%> (+0.01%)	⬆️
src/borg/archive.py	81.70% <0.00%> (+0.09%)	⬆️
src/borg/repository.py	84.19% <0.00%> (+0.11%)	⬆️
... and 1 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 28731c5...1aa652e. Read the comment docs.

[hexagonrecursion]

After refreshing my memory of Encrypt-then-MAC vs Encrypt-and-MAC vs MAC-then-Encrypt I feel like I would prefer to use a high level API that just does the right thing. Do you have one? If not I'll try to Encrypt-then-MAC. How hard can it be to remember to MAC all the bits in the message that affect the decryption?

[hexagonrecursion]

Done. I will mark this as ready for review after #6468 is merged.

[hexagonrecursion]

Note: a malicious key file might be able to perform denial of service e.g. by causing us to allocate too much RAM

[ThomasWaldmann]

About DoS via expensive argon2 parameters in key file: guess if someone wants to annoy you and has write access to your key files, they can do worse than that, like e.g. just delete the key files.

[hexagonrecursion]

This should be ready now.

[ThomasWaldmann]

maybe also do the "encrypt key file" here?

[hexagonrecursion]

maybe also do the "encrypt key file" here?

back to draft then

[hexagonrecursion]

Things left to do before this PR is ready:

• Fix passphrase retry bug
• borg init - defalt to argon2
• borg key change-passphrase - keep key algorithm the same
• borg key change-location - keep key algorithm the same

[ThomasWaldmann]

looks good so far. TBD yet whether we should rather use the recommended or 2nd recommended profile for argon2.

problem is that we have quite widespread use cases, some people use borg on their old raspi or on their mobile phone, other use it on server / workstation class hardware with lots of memory.

one way to solve that would be that memory limited users keep using pbkdf2 while we use the high-memory profile for argon2 for everybody else. another way would be to offer both argon2 profiles, so people with low memory do not need to use the old crap. :-)

[hexagonrecursion]

Should we run testsuite/benchmark.py at full KDF strength? I feel that weakening KDF may defeat the point of a benchmark.

[ThomasWaldmann]

Not sure about the benchmarks, but I guess:

• we do not intend to performance optimise the kdf code, so having it at full strength would not add value to the benchmark results
• it would increase resource usage and slow down the benchmarks
• especially this could become an issue if we go for argon2 rfc profile 1 in the end, which has much higher resource usage

[hexagonrecursion]

I am starting one more experiment to see the difference between skipping KDF entirely and weakening its parameters

https://github.com/hexagonrecursion/borg/actions/runs/2087617735

[ThomasWaldmann]

Skip and weaken are often rather close. What are the differences between benchmark 0..3 configuration?

[hexagonrecursion]

My data tells me that TESTONLY_MOCK_KDF=weaken and TESTONLY_MOCK_KDF=skip performed essentially identically.

Which approach would you prefer?

1. Skip the KDF entirely
2. Weaken the KDF

• A. Use the environment variable
• B. Patch a python variable in contest.py

I will happily implement any combination

[ThomasWaldmann]

• weaken (because it basically still executes kdf code normally, just with other params)
• env var (because, as you discovered, only that works for ArchiverTestCaseBinary)

[hexagonrecursion]

What are the differences between benchmark 0..3 configuration?

None. I wanted to be confident in my methodology so I repeat the same test 4 times. I got consistent results as expected.

I have submitted one final benchmark - to verify that the performance improvement matches our expectation https://github.com/hexagonrecursion/borg/actions/runs/2094039179

My plan is to start working on borg key change-algorithm after this is merged. After that is merged too I'll work on adding an argon2 benchmark to borg benchmark cpu and after that I'll work on the changelog and usage docs.

[ThomasWaldmann]

The benchmark run you linked above did not work, rc == 1.

[hexagonrecursion]

Thanks. I have started a run with --show-output to see what failed https://github.com/hexagonrecursion/borg/actions/runs/2096410352

[hexagonrecursion]

Mission success https://github.com/hexagonrecursion/borg/actions/runs/2097120013

[hexagonrecursion]

Are we ready merge this now or are we going to expand the scope of this PR again?

[ThomasWaldmann]

could the code from yes module be used here?

as it is, there is some danger that people set this to 0 or 1.

[ThomasWaldmann]

if not:

os.environ.get("BORG_TESTONLY_WEAKEN_KDF", "0") == "1"

[hexagonrecursion]

if not:

os.environ.get("BORG_TESTONLY_WEAKEN_KDF", "0") == "1"

Good idea! This have not occurred to me

[ThomasWaldmann]

typo

[ThomasWaldmann]

did a full review again and found some minor stuff.

[ThomasWaldmann]

just for consistency: can you please give --key-algorithm in the same way as --encryption?

please fix all places with this.

[ThomasWaldmann]

well, guess this test should start from pbkdf2 key, because:

• this is what people usually have now
• we would change algorithm pbkdf2 -> argon2 (but not argon2 -> pbkdf2) if we would do automated upgrades on change passphrase. so if you want to make sure here that we do not upgrade, you need to use the constellation that would actually get upgraded.

[ThomasWaldmann]

same here, needs to start from pbkdf2.

[ThomasWaldmann]

this does not seem to match params seen in 265.

[ThomasWaldmann]

guess this can succeed because you are force-weakening the params in the tests even if the stored params disagree.

[ThomasWaldmann]

but here the weakened params are stored in the key also, so this is not consistent procedure with the above.

[hexagonrecursion]

Good catch!

[ThomasWaldmann]

can you check this test again? it somehow unclear what it is doing / what it is checking. Also the comment is not very clear as it refers to functions you are not calling (directly).

[hexagonrecursion]

@ThomasWaldmann I have addressed your comments.

[ThomasWaldmann]

Thanks, merged!