Re: [Haskell-cafe] Encrypting streamed data

If your data fits in RAM maybe it's best to forget about the streaming and use the saltine library's Box module. Then you can't really go wrong on the crypto front. On Jul 6, 2017 09:41, "Ivan Lazar Miljenovic" wrote:

On 6 July 2017 at 17:23, David Turner wrote:

...

Apologies, just seen the bit about wanting to pass the key in directly rather than using the GPG keyring because there are no email addresses attached to your various keys.

Maybe a silly question, but can you give them email addresses to identify them in a GPG-compatible manner? They don't have to have associated mailboxes so the addresses can be totally made-up.

Yes, that's my fallback, since it's possible to tell gpg to use a different directory so I can provide a key externally with my transmission request, load it into a temporary store, grab the identity out and use that. It would just be more convenient to have a "here's a ByteString with the public key" option (which I can always implement as a wrapper function).

...

If not, I'd probably start to look to something like openssl to do the symmetric encryption and manage the keys for that separately. It looks possible to build a streaming AES implementation using the nonstreaming functions in `cryptonite`, but the usual recommendation is that its far

...

risky to do any low-level crypto yourself so this seems like a bad idea.

On 6 Jul 2017 07:40, "David Turner" wrote:

...

Hi,

I do not know of a library to do this, sorry. Note that the way

too public-key

...

...

crypto works in a streaming fashion is typically to use the public-key bit only to encrypt a key for a symmetric cipher and then use the (much-faster) symmetric encryption for the actual data. The symmetric bit could well be something like AES256-CBC or AES256-CTR.

This means that the format of the resulting data is a bit implementation-defined as it has to include the asymetrically-encrypted data first, followed by the stream of symmetrically-encrypted data. GnuPG includes quite a bit of metadata in its files that describes the algorithms used and delimits the pieces, so if you want the resulting files to be GnuPG-compatible you'll need to take this into account.

If it were me, I'd probably just shell out to `gpg`. It's fast and low-risk.

Hope that helps,

David

On 6 Jul 2017 05:59, "Ivan Lazar Miljenovic"

...

wrote:

I have a use case for needing to use public key cryptography to encrypt a large amount of data in a streaming fashion (get it out of a DB, encrypt, put into an AWS S3 bucket).

The command-line gpg tool seems to be able to encrypt/decrypt data from stdin to stdout in a streaming fashion, but in my attempts to use it it seems very file-based for things like the keys to use (whereas I would prefer to be able to pass the public key as an actual value rather than a file; if nothing else because this is for tools that don't have email addresses to use and base their keys on for addressing).

Is there an existing library that can achieve this using conduit/pipes/whatever? cryptonite-conduit only covers hashing, hOpenPGP is poorly documented and I can't work out how to use it ("just follow the types" is difficult when Haddock docs don't link to the required types (seems to be because it uses the "import Module as X" trick for re-exporting everything but then everything from those modules isn't available).

Can anyone recommend a solution?

-- Ivan Lazar Miljenovic Ivan.Miljenovic@gmail.com http://IvanMiljenovic.wordpress.com _______________________________________________ Haskell-Cafe mailing list To (un)subscribe, modify options or view archives go to: http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe Only members subscribed via the mailman list are allowed to post.

-- Ivan Lazar Miljenovic Ivan.Miljenovic@gmail.com http://IvanMiljenovic.wordpress.com _______________________________________________ Haskell-Cafe mailing list To (un)subscribe, modify options or view archives go to: http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe Only members subscribed via the mailman list are allowed to post.