Functional flow overview

Glossary

• Encrypt(data, key)/Decrypt(data, key) - encrypts/decrypts data with the encryption key key using an authenticated encryption algorithm. It's normally used to encrypt/decrypt private sections in keys, as well as chunks and snapshots.

• Hash(data) - computes the hash digest of data using a hashing algorithm. It's used to check integrity of data and to derive encryption keys for chunks and snapshots.

• Mac(data, key) - computes the message authentication code for data using suitable key and a MAC algorithm. It's mainly used to verify ownership of chunks.

• SlowKdf(ikm, salt[, context])/FastKdf(ikm, salt[, context]) - calls a "slow"/"fast" key derivation function to obtain an encryption key from ikm using salt and an optional context. As a general rule, replicat uses "slow" KDF for low-entropy inputs and "fast" KDF for high-entropy inputs. The output length will match the encryption key length of the chosen encryption algorithm.

• UserKey - encryption key derived as SlowKdf(Password, UserKdfParams), where Password is the user's password and UserKdfParams is the salt. UserKey is used to encrypt sensitive personal data: private sections in keys and file metadata in snapshots.

• SharedKey, SharedKdfParams, SharedMacKey, SharedChunkerKey - secrets stored in the private sections of keys. SharedKey and SharedKdfParams are used to derive encryption keys using "fast" KDF (they will encrypt shared data, like chunks and chunk references). SharedMacKey is the MAC key. SharedChunkerKey personalises content-defined chunking (CDC) to prevent watermarking attacks.

• GetChunkLocation(name, authentication_tag)/GetSnapshotLocation(name, authentication_tag) - obtains the location for a chunk/snapshot using its name and the corresponding authentication tag.

• Upload(data, location) - uploads data to the backend to the given location.

• Download(location) - downloads data from the backend at the given location.