Add EncryptionMode enum and integrate index key derivation

2025-09-10 00:09:04 +00:00 · 2025-07-01 11:01:22 -04:00
parent 32b0e42185
commit f49daca4df
4 changed files with 84 additions and 8 deletions
--- a/src/utils/init.py
+++ b/src/utils/init.py
@@ -5,7 +5,13 @@ import traceback

 try:
    from .file_lock import exclusive_lock, shared_lock
-    from .key_derivation import derive_key_from_password, derive_key_from_parent_seed
+    from .key_derivation import (
+        derive_key_from_password,
+        derive_key_from_parent_seed,
+        derive_index_key,
+        EncryptionMode,
+        DEFAULT_ENCRYPTION_MODE,
+    )
    from .checksum import calculate_checksum, verify_checksum
    from .password_prompt import prompt_for_password

@@ -17,6 +23,9 @@ except Exception as e:
 __all__ = [
    "derive_key_from_password",
    "derive_key_from_parent_seed",
+    "derive_index_key",
+    "EncryptionMode",
+    "DEFAULT_ENCRYPTION_MODE",
    "calculate_checksum",
    "verify_checksum",
    "exclusive_lock",
--- a/src/utils/key_derivation.py
+++ b/src/utils/key_derivation.py
@@ -20,7 +20,8 @@ import base64
 import unicodedata
 import logging
 import traceback
-from typing import Union
+from enum import Enum
+from typing import Optional, Union
 from bip_utils import Bip39SeedGenerator
 from local_bip85.bip85 import BIP85

@@ -36,6 +37,17 @@ from cryptography.hazmat.backends import default_backend
 logger = logging.getLogger(__name__)


+class EncryptionMode(Enum):
+    """Supported key derivation modes for database encryption."""
+
+    SEED_ONLY = "seed-only"
+    SEED_PLUS_PW = "seed+pw"
+    PW_ONLY = "pw-only"
+
+
+DEFAULT_ENCRYPTION_MODE = EncryptionMode.SEED_ONLY
+
+
 def derive_key_from_password(password: str, iterations: int = 100_000) -> bytes:
    """
    Derives a Fernet-compatible encryption key from the provided password using PBKDF2-HMAC-SHA256.
@@ -196,3 +208,22 @@ def derive_index_key_seed_plus_pw(seed: str, password: str) -> bytes:
    )
    key = hkdf.derive(seed_bytes + b"|" + pw_bytes)
    return base64.urlsafe_b64encode(key)
+
+
+def derive_index_key(
+    seed: str,
+    password: Optional[str] = None,
+    mode: EncryptionMode = DEFAULT_ENCRYPTION_MODE,
+) -> bytes:
+    """Derive the index encryption key based on the selected mode."""
+    if mode == EncryptionMode.SEED_ONLY:
+        return derive_index_key_seed_only(seed)
+    if mode == EncryptionMode.SEED_PLUS_PW:
+        if password is None:
+            raise ValueError("Password required for seed+pw mode")
+        return derive_index_key_seed_plus_pw(seed, password)
+    if mode == EncryptionMode.PW_ONLY:
+        if password is None:
+            raise ValueError("Password required for pw-only mode")
+        return derive_key_from_password(password)
+    raise ValueError(f"Unsupported encryption mode: {mode}")