Symmetric Secure Data Encrypt
In the following section, you will see a diagram of the cryptographic operations performed when calling the method symmetricSecureDataEncrypt
This method securely encrypts input data by first generating a random 32-byte Data Encryption Key (DEK) using a cryptographically secure method. It then encrypts the data using AES-256-GCM with the DEK, producing an output that includes the initialization vector (IV), salt, authentication tag, and ciphertext. After encrypting the data, the method also encrypts the DEK itself using a master key, and finally, it concatenates the encrypted DEK and the encrypted data, returning the complete encrypted result for secure storage or transmission.
Diagram
Explanation of the Diagram
- Generate DEK:
- The
createSafeRandomData
method generates a 32-byte DEK (Data Encryption Key) usingHKDF(sha3-256 + random_key + random_salt)
.
- The
- Encrypt the Input Data:
- Generate IV (12 bytes): A 12-byte IV is generated using
HKDF(sha3-256 + random_key + random_salt)
. - Generate Salt (64 bytes): A 64-byte salt is generated, also using
HKDF(sha3-256 + random_key + random_salt)
. - Derive Secure Encryption Key: A secure encryption key is derived using Argon2 with the DEK and salt.
- Encrypt Data: The input data is encrypted using AES-256-GCM with the derived secure encryption key, producing the encrypted result: IV + Salt + AuthTag + CipherText.
- Generate IV (12 bytes): A 12-byte IV is generated using
- Encrypt the DEK:
- The DEK itself is encrypted using the master key:
- Generate IV (12 bytes): A 12-byte IV is generated using
HKDF(sha3-256 + random_key + random_salt)
. - Generate Salt (64 bytes): A 64-byte salt is generated, also using
HKDF(sha3-256 + random_key + random_salt)
. - Derive Master Key: A secure encryption key is derived using Argon2 with the MasterKey and salt.
- Encrypt DEK: The DEK is encrypted using AES-256-GCM, resulting in the encrypted DEK: IV + Salt + AuthTag + CipherText.
- Generate IV (12 bytes): A 12-byte IV is generated using
- The DEK itself is encrypted using the master key:
- Concatenate and Return:
- The encrypted DEK and the encrypted input data are concatenated to form the final output, which is then returned.