ente/migration-guides/encrypted_export.md
2023-08-03 16:31:41 +05:30

1.7 KiB

Auth Encrypted Export format

Overview

When we export the auth codes, the data is encrypted using a key derived from the user's password. This document describes the JSON structure used to organize exported data, including versioning and key derivation parameters.

Export JSON Sample

{
  "version": 1,
  "kdfParams": {
    "memLimit": 4096,
    "opsLimit": 3,
    "salt": "example_salt"
  },
  "encryptedData": "encrypted_data_here",
  "encryptionNonce": "nonce_here"
}

The main object used to represent the export data. It contains the following key-value pairs:

  • version: The version of the export format.
  • kdfParams: Key derivation function parameters.
  • encryptedData": The encrypted authentication data.
  • encryptionNonce: The nonce used for encryption.

Version

Export version is used to identify the format of the export data.

Ver: 1

  • KDF Algorithm: ARGON2ID
  • Decrypted data format: otpauth://totp/..., separated by a new line.
  • Encryption Algo: XChaCha20-Poly1305

Key Derivation Function Params (KDF)

This section contains the parameters that were using during KDF operation:

  • memLimit: Memory limit for the algorithm.
  • opsLimit: Operations limit for the algorithm.
  • salt: The salt used in the derivation process.

Encrypted Data

As mentioned above, the auth data is encrypted using a key that's derived by using user provided password & kdf params. For encryption, we are using XChaCha20-Poly1305 algorithm.

How to use the export data

  • ente Authenticator app: You can directly import the codes in the ente Authenticator app.

    Settings -> Data -> Import Codes -> ente Encrypted export.