-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Passing encryption key via a callback #1636
Open
nhachicha
wants to merge
11
commits into
main
Choose a base branch
from
nh/encryption_key_as_callback
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit
Hold shift + click to select a range
1adb381
Adding EncryptionKeyCallback to pass in the AES key via a native memo…
nhachicha c52776e
- PR feedback
nhachicha 44549fe
Added experimental API
nhachicha d69884c
Fixing test on JVM
nhachicha cc38c24
Update packages/library-base/src/commonMain/kotlin/io/realm/kotlin/Co…
nhachicha 2946b8d
Update packages/test-base/src/androidMain/cpp/CMakeLists.txt
nhachicha 3accfe9
Update packages/test-base/src/androidMain/cpp/android_jni_helper.cpp
nhachicha 59aac57
PR feedback
nhachicha 5e61217
Update packages/library-base/src/commonMain/kotlin/io/realm/kotlin/Co…
nhachicha 4ca311a
Updating the Core branch (to the one using Windows kernel encryption …
nhachicha 09209b7
bump core
nhachicha File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -106,6 +106,18 @@ public data class InitialRealmFileConfiguration( | |
val checksum: String? | ||
) | ||
|
||
public interface EncryptionKeyCallback { | ||
/** | ||
* Provides the native memory address of the 64 byte array containing the key used to encrypt and decrypt the Realm file. | ||
*/ | ||
public fun keyPointer(): Long | ||
|
||
/** | ||
* This callback will be invoked by Realm after it's open. This hint to the user that the key provided in [keyPointer] can now be released. | ||
*/ | ||
public fun releaseKey() | ||
} | ||
|
||
/** | ||
* Base configuration options shared between all realm configuration types. | ||
*/ | ||
|
@@ -153,6 +165,13 @@ public interface Configuration { | |
*/ | ||
public val encryptionKey: ByteArray? | ||
|
||
/** | ||
* Native memory address of the 64 byte array containing the key used to encrypt and decrypt the Realm file. | ||
* | ||
* @return null on unencrypted Realms. | ||
*/ | ||
public val encryptionKeyAsCallback: EncryptionKeyCallback? | ||
|
||
/** | ||
* Callback that determines if the realm file should be compacted as part of opening it. | ||
* | ||
|
@@ -234,6 +253,7 @@ public interface Configuration { | |
protected var writeDispatcher: CoroutineDispatcher? = null | ||
protected var schemaVersion: Long = 0 | ||
protected var encryptionKey: ByteArray? = null | ||
protected var encryptionKeyAsCallback: EncryptionKeyCallback? = null | ||
protected var compactOnLaunchCallback: CompactOnLaunchCallback? = null | ||
protected var initialDataCallback: InitialDataCallback? = null | ||
protected var inMemory: Boolean = false | ||
|
@@ -354,6 +374,51 @@ public interface Configuration { | |
public fun encryptionKey(encryptionKey: ByteArray): S = | ||
apply { this.encryptionKey = validateEncryptionKey(encryptionKey) } as S | ||
|
||
/** | ||
* Similar to [encryptionKey] but instead this will read the encryption key from native memory. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Great explanation 💯 |
||
* This can enhance the security of the app, since it reduces the window where the key is available in clear | ||
* in memory (avoid memory dump attack). Once the Realm is open, one can zero-out the memory region holding the key | ||
* as it will be already passed to the C++ storage engine. | ||
* | ||
* There's also extra protection for JVM Windows target, where the underlying storage engine uses the Windows Kernel | ||
* to encrypt/decrypt the Realm's encryption key before each usage. | ||
* | ||
* | ||
nhachicha marked this conversation as resolved.
Show resolved
Hide resolved
|
||
* Note: The RealmConfiguration doesn't take ownership of this native memory, the caller is responsible of disposing it | ||
* appropriately after the Realm is open using the [EncryptionKeyCallback.releaseKey]. | ||
* | ||
* @param encryptionKeyAsCallback Callback providing address/pointer to a 64-byte array containing the AES encryption key. | ||
* This array should be in native memory to avoid copying the key into garbage collected heap memory (for JVM targets). | ||
* | ||
* One way to create such an array in JVM is to use JNI or use `sun.misc.Unsafe` as follow: | ||
* | ||
*``` | ||
* import sun.misc.Unsafe | ||
* | ||
* val field = Unsafe::class.java.getDeclaredField("theUnsafe") | ||
* field.isAccessible = true | ||
* val unsafe: Unsafe = field.get(null) as Unsafe | ||
* | ||
* val key = Random.nextBytes(64) // Replace with your actual AES key | ||
* val keyPointer: Long = unsafe.allocateMemory(key.size.toLong()) | ||
* for (i in key.indices) { // Write the key bytes to native memory | ||
* unsafe.putByte(keyPointer + i, key[i]) | ||
* } | ||
* | ||
* val encryptedConf = RealmConfiguration | ||
* .Builder(schema = setOf(Sample::class)) | ||
* .encryptionKey(object : EncryptionKeyCallback { | ||
* override fun keyPointer() = keyPointer | ||
* override fun releaseKey() = unsafe.freeMemory(keyPointer) | ||
* }) | ||
* .build() | ||
* | ||
* val realm = Realm.open(encryptedConf) | ||
*``` | ||
*/ | ||
public fun encryptionKey(encryptionKeyAsCallback: EncryptionKeyCallback): S = | ||
apply { this.encryptionKeyAsCallback = encryptionKeyAsCallback } as S | ||
|
||
/** | ||
* Sets a callback for controlling whether the realm should be compacted when opened. | ||
* | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would also document that this can be called multiple times and that release is only called once, so they do not accidentially create a new Pointer for every call to this, but only release it once.
This was also why I thought it might make a better API if this was an symmetric API, i.e. called 3 times, and released 3 times, but I do agree that the current behavior is easier to implement for the sake of an POC.