FileSource >> FileSink - AES encryption - trunc mode problem

Richard Závodný

Oct 15, 2017, 6:47:40 AM
to Crypto++ Users
Hi, I have a problem.

I want/need to encrypt a file and put the encrypted data into the same one (not create a new file).

For example...
I have an unencrypted file (myfile.txt) and I want to encrypt it, but I don't want to create a new file (let's say myfile.encrypted); I want the encrypted data put into the same file (myfile.txt). If I use this:

    CryptoPP::FileSource encryptFile("myfile.txt", true, new CryptoPP::StreamTransformationFilter(cbcEncryptor, new CryptoPP::FileSink("myfile.txt")));

the FileSink will open the output file (myfile.txt) in trunc mode (delete all previous data), and that is the problem. The FileSource reads files in 4096-byte chunks, so I need to load a chunk -> encrypt -> replace the unencrypted chunk with the encrypted one -> repeat.

Jeffrey Walton

Oct 15, 2017, 3:55:29 PM
to Crypto++ Users
The Source/Sink model is not really equipped for the requirement. Pipelines can move forward when processing messages; they cannot move backwards or backtrack. Or put another way, it's not possible to Seek(...) backwards when processing messages.

You may be able to do it by mapping a view of the file. When you map a view of the file you get a pointer back that looks like a regular pointer, but it's really a view of the file mapped by the OS. With pointers in hand, you can then use Sources/Sinks around those pointers.

In the bigger security engineering picture, you probably don't want the plain text file to be stored on the disk. Some drives are notoriously difficult to [keep] clean, and it's next to impossible to clean the plain text once it's written to storage. Most SSDs with write leveling fall into this category. Also see Reliably Erasing Data From Flash-Based Solid State Drives, https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf

Jeff
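
The mapped-view approach from the reply above, as an added example that is not part of the original thread or of Crypto++ itself. It assumes a POSIX system (mmap) and calls the cipher's ProcessData directly on the mapped pointer instead of wrapping it in a Source/Sink; the function name TransformFileInPlace is hypothetical. It also assumes a length-preserving mode such as CTR rather than the CBC encryptor from the question, because a mapped view cannot grow to hold padding.

```cpp
// Added example (not from the thread). TransformFileInPlace is a hypothetical name.
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

// Cipher is any type exposing Crypto++'s StreamTransformation call
//   void ProcessData(byte *out, const byte *in, size_t len);
// Assumption: a length-preserving mode (CTR/CFB/OFB). The mapping cannot grow,
// so CBC with padding does not fit this approach.
template <class Cipher>
std::size_t TransformFileInPlace(const std::string &path, Cipher &cipher,
                                 std::size_t chunk = 4096)
{
    int fd = ::open(path.c_str(), O_RDWR);
    if (fd < 0) throw std::runtime_error("open failed: " + path);

    struct stat st;
    if (::fstat(fd, &st) != 0) { ::close(fd); throw std::runtime_error("fstat failed"); }
    const std::size_t size = static_cast<std::size_t>(st.st_size);
    if (size == 0) { ::close(fd); return 0; }    // mmap rejects zero-length maps

    void *view = ::mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    ::close(fd);                                  // the mapping stays valid
    if (view == MAP_FAILED) throw std::runtime_error("mmap failed");

    unsigned char *p = static_cast<unsigned char *>(view);
    for (std::size_t off = 0; off < size; off += chunk) {
        const std::size_t n = std::min(chunk, size - off);
        cipher.ProcessData(p + off, p + off, n);  // in == out: overwrite in place
    }
    const bool ok = (::msync(view, size, MS_SYNC) == 0);  // flush to the file
    ::munmap(view, size);
    if (!ok) throw std::runtime_error("msync failed");
    return size;
}

// With Crypto++ (link with -lcryptopp; key and iv are assumed to be generated
// and stored elsewhere, and the IV must never repeat under the same key):
//   CryptoPP::CTR_Mode<CryptoPP::AES>::Encryption enc;
//   enc.SetKeyWithIV(key, key.size(), iv);
//   TransformFileInPlace("myfile.txt", enc);
```

CTR provides no integrity protection, and as the reply notes, overwriting through a mapping does not guarantee the old plaintext blocks are gone from the underlying storage.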