# Encryption format

## Base format

All encryption performed by JumpWire encodes data using the following format:

| Length | Field |
|---|---|
| 1 byte | Label encoding type |
| 1 byte | Label length |
| | Labels |
| 1 byte | Key tag encoding type |
| 1 byte | Key tag length |
| | Key tag |
| | Ciphertext |

Labels are joined with the string `|` before encoding. The ciphertext may include additional metadata, depending on the algorithm used.

The key tag indicates both the encryption algorithm and the specific key used. The key is identified by an MD5 fingerprint. For example, a tag of aes gcm v1 `97fad3230c7bca8cc37515c3de12e509` would indicate that the key `97fad3230c7bca8cc37515c3de12e509` was used to encrypt the data with AES GCM.

Finally, the resulting binary blob is base64 encoded and prefixed with the identifier `jumpwire`.

## AES ciphertexts

Several different modes are supported when encrypting with AES.

### AES GCM

AES GCM with a 256-bit key is used by default when encrypting data in flight in JumpWire. GCM mode uses a randomly generated 16-byte IV. The IV is prepended to the encrypted ciphertext before encoding the tag and labels.

The ciphertext field in the base encryption format for AES GCM contains the following:

| Length | Field |
|---|---|
| 16 bytes | IV |
| 16 bytes | Auth tag |
| | Ciphertext |

### AES CBC

AES CBC with a 256-bit key is used when configuring PostgreSQL or MySQL to encrypt data automatically on inserts and updates. Like AES GCM, a 16-byte IV is randomly generated for each encryption operation. The plaintext is padded to a block size of 16 bytes using PKCS#7, and the IV is prepended to the ciphertext before encoding tags and labels.

The ciphertext field in the base encryption format for AES CBC contains the following:

| Length | Field |
|---|---|
| 16 bytes | IV |
| | Ciphertext |

### AES ECB

AES ECB with a 128-bit key is used when configuring MariaDB to encrypt data automatically on inserts and updates; MariaDB does not support any other modes. The plaintext is padded to a block size of 16 bytes using PKCS#7. With AES ECB, no IV is used, so repeatedly encrypting the same plaintext with the same key will generate identical ciphertexts.

The ciphertext field in the base encryption format for AES ECB does not contain any additional metadata.

## AWS KMS

When using AWS KMS as the source of truth for encryption keys, there is some additional metadata encoded with each encryption operation. A data key is generated on startup from a master KMS key and cached in JumpWire (more details on this are available in the Encryption Key Stores article). The data key, encrypted with the master KMS key, is prepended to the AES-encrypted ciphertext. This allows keys to be decrypted on a cold start without any risk of data loss.

The format for KMS-encrypted data is below. The encoded ciphertext in this format encompasses all of the metadata used by an AES encryption; it is the output of the base format outlined above.

| Length | Field |
|---|---|
| 1 byte | KMS key tag encoding type |
| 1 byte | KMS key tag length |
| | KMS key tag |
| 1 byte | KMS key ID encoding type |
| 1 byte | KMS key ID length |
| | KMS key ID |
| 1 byte | Data key encoding type |
| 1 byte | Data key length |
| | Data key (encrypted with KMS key) |
| | Encoded ciphertext (see base format above) |
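As an added illustration (not JumpWire's own code), the following Python builds and parses the base format and splits the AES GCM ciphertext field into its IV, auth tag and data. The page does not specify the exact prefix bytes or the value of the one-byte encoding type, so both are assumptions here; the sample record is constructed.

```python
import base64, struct

# Assumptions not stated on the page: the exact prefix bytes and the value of
# the one-byte "encoding type" marker that precedes each variable-length field.
PREFIX = b"jumpwire"
ENCODING_RAW = 0x00

def _put_field(value: bytes) -> bytes:
    """Emit one field as: 1-byte encoding type, 1-byte length, payload."""
    if len(value) > 255:  # a 1-byte length field cannot describe more
        raise ValueError("field exceeds the 1-byte length limit (255 bytes)")
    return struct.pack("BB", ENCODING_RAW, len(value)) + value

def _take_field(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one length-prefixed field at pos; return (payload, next pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field header")
    enc, length = struct.unpack_from("BB", buf, pos)
    if enc != ENCODING_RAW:
        raise ValueError(f"unsupported encoding type {enc}")
    pos += 2
    if pos + length > len(buf):
        raise ValueError("field length runs past end of buffer")
    return buf[pos:pos + length], pos + length

def encode_base(labels: list[str], key_tag: str, ciphertext: bytes) -> str:
    """Base format: labels joined by '|', key tag, ciphertext, then base64."""
    body = _put_field("|".join(labels).encode()) + _put_field(key_tag.encode())
    return (PREFIX + base64.b64encode(body + ciphertext)).decode()

def decode_base(encoded: str) -> dict:
    """Inverse of encode_base; everything after the key tag is the ciphertext."""
    raw = encoded.encode()
    if not raw.startswith(PREFIX):
        raise ValueError("missing jumpwire prefix")
    body = base64.b64decode(raw[len(PREFIX):], validate=True)
    labels, pos = _take_field(body, 0)
    key_tag, pos = _take_field(body, pos)
    return {"labels": labels.decode().split("|") if labels else [],
            "key_tag": key_tag.decode(), "ciphertext": body[pos:]}

def split_gcm(field: bytes) -> dict:
    """AES GCM ciphertext field layout: 16-byte IV, 16-byte auth tag, data."""
    if len(field) < 32:
        raise ValueError("AES-GCM field shorter than IV + auth tag")
    return {"iv": field[:16], "tag": field[16:32], "ciphertext": field[32:]}

# Constructed sample: a GCM record under the key tag quoted on the page.
SAMPLE = encode_base(["pii", "email"], "aes gcm v1 97fad3230c7bca8cc37515c3de12e509",
                     b"\x01" * 16 + b"\x02" * 16 + b"not real ciphertext")
```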