Version: 3.x

Symmetric Secure Data Encrypt

The following section shows a diagram of the cryptographic operations performed when the method symmetricSecureDataEncrypt is called.

This method encrypts input data in two layers. It first generates a random 32-byte Data Encryption Key (DEK) using a cryptographically secure method, then encrypts the data with AES-256-GCM under a key derived from that DEK, producing an output made of the initialization vector (IV), salt, authentication tag, and ciphertext. It then encrypts the DEK itself under the master key in the same format, and finally concatenates the encrypted DEK and the encrypted data, returning the complete result for storage or transmission. Because the DEK is random per call, the master key is never used directly on bulk data, and rotating the master key only requires re-encrypting the small DEK blobs.

Diagram

Explanation of the Diagram

  1. Generate DEK:
    • The createSafeRandomData method generates a 32-byte DEK (Data Encryption Key) using HKDF(sha3-256 + random_key + random_salt).
  2. Encrypt the Input Data:
    • Generate IV (12 bytes): A 12-byte IV is generated using HKDF(sha3-256 + random_key + random_salt).
    • Generate Salt (64 bytes): A 64-byte salt is generated, also using HKDF(sha3-256 + random_key + random_salt).
    • Derive Secure Encryption Key: A secure encryption key is derived using Argon2 with the DEK and salt.
    • Encrypt Data: The input data is encrypted using AES-256-GCM with the derived secure encryption key, producing the encrypted result: IV + Salt + AuthTag + CipherText.
  3. Encrypt the DEK:
    • The DEK itself is encrypted using the master key:
      • Generate IV (12 bytes): A 12-byte IV is generated using HKDF(sha3-256 + random_key + random_salt).
      • Generate Salt (64 bytes): A 64-byte salt is generated, also using HKDF(sha3-256 + random_key + random_salt).
      • Derive Key from the Master Key: A secure encryption key is derived using Argon2 with the MasterKey and salt.
      • Encrypt DEK: The DEK is encrypted using AES-256-GCM, resulting in the encrypted DEK: IV + Salt + AuthTag + CipherText.
  4. Concatenate and Return:
    • The encrypted DEK and the encrypted input data are concatenated to form the final output, which is then returned.