|
|
@ -57,8 +57,9 @@ clients will try to use the default key to decrypt secrets.
|
|
|
|
Clients MUST ensure that the key is trusted before using it to encrypt secrets.
|
|
|
|
Clients MUST ensure that the key is trusted before using it to encrypt secrets.
|
|
|
|
One way to do that is to have the client that creates the key sign the key
|
|
|
|
One way to do that is to have the client that creates the key sign the key
|
|
|
|
description (as signed JSON) using the user's master cross-signing key.
|
|
|
|
description (as signed JSON) using the user's master cross-signing key.
|
|
|
|
Another way to do that is to prompt the user to enter the passphrase and ensure
|
|
|
|
Another way to do that is to prompt the user to enter the passphrase used to
|
|
|
|
that the generated private key correponds to the public key.
|
|
|
|
generate the encryption key and ensure that the generated private key
|
|
|
|
|
|
|
|
corresponds to the public key.
|
|
|
|
|
|
|
|
|
|
|
|
#### Secret storage
|
|
|
|
#### Secret storage
|
|
|
|
|
|
|
|
|
|
|
@ -79,6 +80,8 @@ Example:
|
|
|
|
|
|
|
|
|
|
|
|
Some secret is encrypted using keys with ID `key_id_1` and `key_id_2`:
|
|
|
|
Some secret is encrypted using keys with ID `key_id_1` and `key_id_2`:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
`org.example.some.secret`:
|
|
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
```json
|
|
|
|
{
|
|
|
|
{
|
|
|
|
"encrypted": {
|
|
|
|
"encrypted": {
|
|
|
@ -95,6 +98,28 @@ Some secret is encrypted using keys with ID `key_id_1` and `key_id_2`:
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
and the key descriptions for the keys would be:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
`m.secret_storage.key.key_id_1`:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
"name": "Some key",
|
|
|
|
|
|
|
|
"algorithm": "m.secret_storage.v1.curve25519-aes-sha2",
|
|
|
|
|
|
|
|
// ... other properties according to algorithm
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
`m.secret_storage.key.key_id_2`:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
"name": "Some other key",
|
|
|
|
|
|
|
|
"algorithm": "m.secret_storage.v1.curve25519-aes-sha2",
|
|
|
|
|
|
|
|
// ... other properties according to algorithm
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
#### Encryption algorithms
|
|
|
|
#### Encryption algorithms
|
|
|
|
|
|
|
|
|
|
|
|
##### `m.secret_storage.v1.curve25519-aes-sha2`
|
|
|
|
##### `m.secret_storage.v1.curve25519-aes-sha2`
|
|
|
|