---
title: "Encryption Keys"
output: rmarkdown::html_vignette
vignette: >
  %\VignetteIndexEntry{Encryption Keys}
  %\VignetteEngine{knitr::rmarkdown}
  %\VignetteEncoding{UTF-8}
---

```{r, include = FALSE}
knitr::opts_chunk$set(
  collapse = FALSE,
  comment = "#>"
)
```

```{r setup}
library(rmonocypher)
```

## Encryption Keys

An encryption key is the core secret data used to encrypt/decrypt an object.

Without knowing the encryption key, it is not possible to decrypt the data.

It is important to save this key securely.

Encryption keys must be 32 bytes of difficult to guess values, and the 
`{rmonocypher}` package has a number of ways of making keys easy to handle.

The `key` for encryption may be one of:

* A password
* A 32-byte raw vector
* A 64-character hexadecimal string


## Use a *password* as the key

When using `encrypt(..., key = ...)`, the key may simply be given as a *password*.
This password may be any text (including spaces and special characters).

Internally, this password will be processed into a full 32-byte encryption key
using **Argon2 password-based key derivation** (see below).

## Generate a key using Argon2 Key Derivation Function

An encryption `key` may be generated by a password prior to the call to `encrypt()`.

The `argon2()` function implements [Argon2 password-based key derivation](https://en.wikipedia.org/wiki/Argon2).
This is a resource intensive password-based key derivation scheme (i.e. requires lots 
of CPU and RAM to run) which is difficult to brute-force.

For applications requiring more paranoia, it is recommended that an 
explicit `salt` be used.  Don't forget to save the `salt` as well, because
without it you will not be able to generate the same encryption key.

```{r}
# When no salt is provided, a salt will be 
# derived internally from the password. 
argon2("my secret")
# Use another password as the salt
argon2("my secret", salt = "salt and vinegar")
# Use a 32-character hexadecimal string as the salt
argon2("my secret", salt = "cefca6aafae5bdbc15977fd56ea7f1eb")
# Use 'rbyte()' to source 16 random bytes for the salt
salt <- rbyte(16)
argon2("my secret", salt = salt)
```


## Use raw bytes as the key

The `key` may also be a raw vector containing 32 bytes.  

If using random bytes for the `key`, it is important that they be generated from a 
cryptographically secure source e.g. `rbyte()`.

Be sure to save this key, as it will not be possible to generate this 
exact same random sequence again.

```{r}
key <- rbyte(32, type = 'raw')
key
```

## Use hexadecimal string as a key

The `key` may be given as a 64-character hexadecimal string.

If this key is generated using `rbyte()`, be sure to save this key as it 
will not be possible to generate this exact same random sequence again.

```{r}
key <- rbyte(32, type = 'chr')
key
```