zephyrfs/zephyrfs-cli / ca79610

+# ZephyrFS node dependency for crypto

+zephyrfs-node = { path = "../zephyrfs-node" }

+

+use clap::Args;

+use anyhow::{Context, Result};

+use dialoguer::{theme::ColorfulTheme, Password};

+use indicatif::{ProgressBar, ProgressStyle};

+use std::path::PathBuf;

+use tracing::info;

+use humansize::{format_size, BINARY};

+

+use crate::config::Config;

+use super::Command;

+

+#[derive(Debug, Args)]

+pub struct DecryptCommand {

+    /// Encrypted file to decrypt

+    input: PathBuf,

+

+    /// Output file path (defaults to original filename)

+    #[arg(short, long)]

+    output: Option<PathBuf>,

+

+    /// Password for decryption (will prompt if not provided)

+    #[arg(short, long)]

+    password: Option<String>,

+

+    /// Show progress bar

+    #[arg(long, default_value = "true")]

+    progress: bool,

+

+    /// Skip content verification

+    #[arg(long)]

+    skip_verify: bool,

+

+    /// Force overwrite of existing output file

+    #[arg(long)]

+    force: bool,

+}

+

+#[async_trait::async_trait]

+impl Command for DecryptCommand {

+    async fn execute(&self, _config: &Config) -> Result<()> {

+        info!("Decrypting file: {:?}", self.input);

+

+        // Validate input file

+        if !self.input.exists() {

+            anyhow::bail!("File does not exist: {:?}", self.input);

+        }

+

+        if !self.input.is_file() {

+            anyhow::bail!("Path is not a file: {:?}", self.input);

+        }

+

+        // Read and parse encrypted file

+        let encrypted_data = tokio::fs::read(&self.input).await

+            .with_context(|| format!("Failed to read encrypted file: {:?}", self.input))?;

+

+        let encrypted_file: EncryptedFileFormat = serde_json::from_slice(&encrypted_data)

+            .context("Failed to parse encrypted file format. This may not be a valid ZephyrFS encrypted file.")?;

+

+        // Validate file format version

+        if encrypted_file.version != 1 {

+            anyhow::bail!("Unsupported encrypted file version: {}. This CLI supports version 1.", encrypted_file.version);

+        }

+

+        // Determine output path

+        let output_path = self.output.clone().unwrap_or_else(|| {

+            // Try to restore original filename

+            if encrypted_file.filename != "unknown" {

+                PathBuf::from(&encrypted_file.filename)

+            } else {

+                // Strip .zfs extension if present

+                let mut output = self.input.clone();

+                if let Some(stem) = output.file_stem().map(|s| s.to_os_string()) {

+                    output.set_file_name(stem);

+                } else {

+                    output.set_extension("decrypted");

+                }

+                output

+            }

+        });

+

+        // Check if output exists

+        if output_path.exists() && !self.force {

+            anyhow::bail!("Output file already exists: {:?}. Use --force to overwrite.", output_path);

+        }

+

+        println!("Decrypting: {}", encrypted_file.filename);

+        println!("  Original size: {}", format_size(encrypted_file.original_size, BINARY));

+        println!("  Segments: {}", encrypted_file.encrypted_segments.len());

+        println!("  Created: {}", encrypted_file.created_at.format("%Y-%m-%d %H:%M:%S UTC"));

+        println!("  Output: {:?}", output_path);

+

+        // Get password

+        let password = if let Some(ref pw) = self.password {

+            pw.clone()

+        } else {

+            let theme = ColorfulTheme::default();

+            Password::with_theme(&theme)

+                .with_prompt("Enter password for decryption")

+                .interact()

+                .context("Failed to read password")?

+        };

+

+        // Create progress bar

+        let progress = if self.progress {

+            let pb = ProgressBar::new(encrypted_file.original_size);

+            pb.set_style(

+                ProgressStyle::default_bar()

+                    .template("[{elapsed_precise}] {bar:40.cyan/blue} {percent}% {bytes}/{total_bytes} ETA: {eta}")

+                    .unwrap()

+                    .progress_chars("##-")

+            );

+            Some(pb)

+        } else {

+            None

+        };

+

+        // Initialize crypto system

+        let crypto = create_crypto_system(&password, encrypted_file.chunk_size_mb)?;

+

+        // Convert segments back to internal format

+        let encrypted_segments: Vec<zephyrfs_node::crypto::EncryptedData> = encrypted_file.encrypted_segments

+            .into_iter()

+            .map(|s| s.into())

+            .collect();

+

+        // Decrypt file

+        let decrypted_data = crypto.decrypt_file(&encrypted_segments)

+            .context("Failed to decrypt file. Check your password and try again.")?;

+

+        // Verify content integrity if requested

+        if !self.skip_verify {

+            println!("Verifying content integrity...");

+            let computed_content_id = crypto.content_id(&decrypted_data);

+            let expected_content_id = zephyrfs_node::crypto::ContentId::from_hex(

+                zephyrfs_node::crypto::HashAlgorithm::Blake3,

+                &encrypted_file.content_id

+            ).context("Invalid content ID in encrypted file")?;

+

+            if !crypto.verify_content(&decrypted_data, &expected_content_id) {

+                anyhow::bail!("Content verification failed! The decrypted file may be corrupted.");

+            }

+            println!("✅ Content integrity verified");

+        }

+

+        // Verify size matches

+        if decrypted_data.len() as u64 != encrypted_file.original_size {

+            anyhow::bail!("Size mismatch: expected {} bytes, got {} bytes", 

+                         encrypted_file.original_size, 

+                         decrypted_data.len());

+        }

+

+        // Write decrypted file

+        tokio::fs::write(&output_path, &decrypted_data).await

+            .with_context(|| format!("Failed to write decrypted file: {:?}", output_path))?;

+

+        if let Some(pb) = progress {

+            pb.finish_with_message("Decryption complete");

+        }

+

+        println!("✅ File decrypted successfully!");

+        println!("  Restored file: {:?}", output_path);

+        println!("  Size: {}", format_size(decrypted_data.len() as u64, BINARY));

+        

+        // Security cleanup note

+        println!();

+        println!("🔒 Security Notes:");

+        println!("  • The original encrypted file is unchanged");

+        println!("  • Consider securely deleting the encrypted file if no longer needed");

+

+        Ok(())

+    }

+}

+

+// Encrypted file format for storage (must match encrypt.rs)

+#[derive(Debug, serde::Serialize, serde::Deserialize)]

+struct EncryptedFileFormat {

+    version: u32,

+    filename: String,

+    original_size: u64,

+    chunk_size_mb: u32,

+    content_id: String,

+    hash_algorithm: String,

+    encrypted_segments: Vec<EncryptedSegment>,

+    created_at: chrono::DateTime<chrono::Utc>,

+}

+

+#[derive(Debug, serde::Serialize, serde::Deserialize)]

+struct EncryptedSegment {

+    segment_index: u64,

+    ciphertext: Vec<u8>,

+    nonce: [u8; 12],

+    aad: Vec<u8>,

+    key_path: Vec<u32>,

+}

+

+// Helper function to create crypto system (must match encrypt.rs)

+fn create_crypto_system(password: &str, chunk_size_mb: u32) -> Result<ZephyrCrypto> {

+    use zephyrfs_node::crypto::{ZephyrCrypto, CryptoParams, ScryptParams, AesParams, HashParams, ContentHasher, VerificationHasher};

+    

+    // Create crypto parameters (must match encryption parameters)

+    let params = CryptoParams {

+        scrypt_params: ScryptParams {

+            log_n: 17,          // Strong security

+            r: 8,

+            p: 1,

+            output_len: 64,

+        },

+        aes_params: AesParams {

+            key_len: 32,

+            nonce_len: 12,

+            tag_len: 16,

+        },

+        hash_params: HashParams {

+            content_hasher: ContentHasher::Blake3,

+            verification_hasher: VerificationHasher::Blake3,

+        },

+    };

+

+    let mut crypto = ZephyrCrypto::with_params(params);

+    crypto.init_from_password(password)

+        .context("Failed to initialize crypto system with password")?;

+

+    Ok(crypto)

+}

+

+// Convert between CLI types and zephyrfs_node types

+impl From<EncryptedSegment> for zephyrfs_node::crypto::EncryptedData {

+    fn from(segment: EncryptedSegment) -> Self {

+        Self {

+            segment_index: segment.segment_index,

+            ciphertext: segment.ciphertext,

+            nonce: segment.nonce,

+            aad: segment.aad,

+            key_path: segment.key_path,

+        }

+    }

+}

+

+// Import necessary items from zephyrfs_node

+use zephyrfs_node::crypto::ZephyrCrypto;

+use clap::Args;

+use anyhow::{Context, Result};

+use dialoguer::{theme::ColorfulTheme, Password};

+use indicatif::{ProgressBar, ProgressStyle};

+use std::path::PathBuf;

+use tracing::info;

+use humansize::{format_size, BINARY};

+

+use crate::config::Config;

+use super::Command;

+

+#[derive(Debug, Args)]

+pub struct EncryptCommand {

+    /// File to encrypt

+    input: PathBuf,

+

+    /// Output file path (defaults to input.zfs)

+    #[arg(short, long)]

+    output: Option<PathBuf>,

+

+    /// Password for encryption (will prompt if not provided)

+    #[arg(short, long)]

+    password: Option<String>,

+

+    /// Show progress bar

+    #[arg(long, default_value = "true")]

+    progress: bool,

+

+    /// Verification hash algorithm (blake3, sha256, both)

+    #[arg(long, default_value = "both")]

+    hash: String,

+

+    /// Chunk size in MB for large files

+    #[arg(long, default_value = "1")]

+    chunk_size: u32,

+}

+

+#[async_trait::async_trait]

+impl Command for EncryptCommand {

+    async fn execute(&self, _config: &Config) -> Result<()> {

+        info!("Encrypting file: {:?}", self.input);

+

+        // Validate input file

+        if !self.input.exists() {

+            anyhow::bail!("File does not exist: {:?}", self.input);

+        }

+

+        if !self.input.is_file() {

+            anyhow::bail!("Path is not a file: {:?}", self.input);

+        }

+

+        let metadata = tokio::fs::metadata(&self.input).await

+            .with_context(|| format!("Failed to read file metadata: {:?}", self.input))?;

+

+        let file_size = metadata.len();

+        let display_name = self.input.file_name()

+            .and_then(|n| n.to_str())

+            .unwrap_or("unknown");

+

+        // Determine output path

+        let output_path = self.output.clone().unwrap_or_else(|| {

+            let mut output = self.input.clone();

+            let current_ext = output.extension()

+                .and_then(|s| s.to_str())

+                .unwrap_or("");

+            if current_ext.is_empty() {

+                output.set_extension("zfs");

+            } else {

+                output.set_extension(format!("{}.zfs", current_ext));

+            }

+            output

+        });

+

+        // Check if output exists

+        if output_path.exists() {

+            anyhow::bail!("Output file already exists: {:?}. Remove it first or specify a different output.", output_path);

+        }

+

+        println!("Encrypting: {}", display_name);

+        println!("  Size: {}", format_size(file_size, BINARY));

+        println!("  Output: {:?}", output_path);

+

+        // Get password

+        let password = if let Some(ref pw) = self.password {

+            pw.clone()

+        } else {

+            let theme = ColorfulTheme::default();

+            Password::with_theme(&theme)

+                .with_prompt("Enter password for encryption")

+                .interact()

+                .context("Failed to read password")?

+        };

+

+        // Validate password strength

+        if password.len() < 8 {

+            anyhow::bail!("Password must be at least 8 characters long");

+        }

+

+        // Create progress bar

+        let progress = if self.progress {

+            let pb = ProgressBar::new(file_size);

+            pb.set_style(

+                ProgressStyle::default_bar()

+                    .template("[{elapsed_precise}] {bar:40.cyan/blue} {percent}% {bytes}/{total_bytes} ETA: {eta}")

+                    .unwrap()

+                    .progress_chars("##-")

+            );

+            Some(pb)

+        } else {

+            None

+        };

+

+        // Read file data

+        let file_data = tokio::fs::read(&self.input).await

+            .with_context(|| format!("Failed to read file: {:?}", self.input))?;

+

+        // Initialize crypto system

+        let crypto = create_crypto_system(&password, self.chunk_size)?;

+

+        // Encrypt file

+        let encrypted_data = crypto.encrypt_file(&file_data)

+            .context("Failed to encrypt file")?;

+

+        // Convert to CLI format

+        let encrypted_segments: Vec<EncryptedSegment> = encrypted_data

+            .into_iter()

+            .map(|data| data.into())

+            .collect();

+

+        // Generate content verification

+        let content_id = crypto.content_id(&file_data);

+        

+        // Create encrypted file format

+        let encrypted_file = EncryptedFileFormat {

+            version: 1,

+            filename: display_name.to_string(),

+            original_size: file_size,

+            chunk_size_mb: self.chunk_size,

+            content_id: content_id.to_hex(),

+            hash_algorithm: self.hash.clone(),

+            encrypted_segments,

+            created_at: chrono::Utc::now(),

+        };

+

+        // Serialize and write encrypted file

+        let serialized = serde_json::to_vec_pretty(&encrypted_file)

+            .context("Failed to serialize encrypted file")?;

+

+        tokio::fs::write(&output_path, &serialized).await

+            .with_context(|| format!("Failed to write encrypted file: {:?}", output_path))?;

+

+        if let Some(pb) = progress {

+            pb.finish_with_message("Encryption complete");

+        }

+

+        println!("✅ File encrypted successfully!");

+        println!("  Encrypted file: {:?}", output_path);

+        println!("  Content ID: {}", encrypted_file.content_id);

+        println!("  Segments: {}", encrypted_file.encrypted_segments.len());

+        

+        // Security reminder

+        println!();

+        println!("🔒 Security Notes:");

+        println!("  • Keep your password safe - it cannot be recovered");

+        println!("  • The encrypted file contains no plaintext metadata");

+        println!("  • Use 'zephyrfs decrypt' to restore the original file");

+

+        Ok(())

+    }

+}

+

+// Encrypted file format for storage

+#[derive(Debug, serde::Serialize, serde::Deserialize)]

+struct EncryptedFileFormat {

+    version: u32,

+    filename: String,

+    original_size: u64,

+    chunk_size_mb: u32,

+    content_id: String,

+    hash_algorithm: String,

+    encrypted_segments: Vec<EncryptedSegment>,

+    created_at: chrono::DateTime<chrono::Utc>,

+}

+

+#[derive(Debug, serde::Serialize, serde::Deserialize)]

+struct EncryptedSegment {

+    segment_index: u64,

+    ciphertext: Vec<u8>,

+    nonce: [u8; 12],

+    aad: Vec<u8>,

+    key_path: Vec<u32>,

+}

+

+// Helper function to create crypto system

+fn create_crypto_system(password: &str, chunk_size_mb: u32) -> Result<ZephyrCrypto> {

+    use zephyrfs_node::crypto::{ZephyrCrypto, CryptoParams, ScryptParams, AesParams, HashParams, ContentHasher, VerificationHasher};

+    

+    // Create crypto parameters

+    let params = CryptoParams {

+        scrypt_params: ScryptParams {

+            log_n: 17,          // Strong security

+            r: 8,

+            p: 1,

+            output_len: 64,

+        },

+        aes_params: AesParams {

+            key_len: 32,

+            nonce_len: 12,

+            tag_len: 16,

+        },

+        hash_params: HashParams {

+            content_hasher: ContentHasher::Blake3,

+            verification_hasher: VerificationHasher::Blake3,

+        },

+    };

+

+    let mut crypto = ZephyrCrypto::with_params(params);

+    crypto.init_from_password(password)

+        .context("Failed to initialize crypto system with password")?;

+

+    Ok(crypto)

+}

+

+// Convert between zephyrfs_node types and CLI types

+impl From<zephyrfs_node::crypto::EncryptedData> for EncryptedSegment {

+    fn from(data: zephyrfs_node::crypto::EncryptedData) -> Self {

+        Self {

+            segment_index: data.segment_index,

+            ciphertext: data.ciphertext,

+            nonce: data.nonce,

+            aad: data.aad,

+            key_path: data.key_path,

+        }

+    }

+}

+

+impl From<EncryptedSegment> for zephyrfs_node::crypto::EncryptedData {

+    fn from(segment: EncryptedSegment) -> Self {

+        Self {

+            segment_index: segment.segment_index,

+            ciphertext: segment.ciphertext,

+            nonce: segment.nonce,

+            aad: segment.aad,

+            key_path: segment.key_path,

+        }

+    }

+}

+

+// Import necessary items from zephyrfs_node

+use zephyrfs_node::crypto::ZephyrCrypto;

+mod encrypt;

+mod decrypt;

+pub use encrypt::EncryptCommand;

+pub use decrypt::DecryptCommand;

+use commands::{InitCommand, JoinCommand, UploadCommand, DownloadCommand, ListCommand, StatusCommand, EncryptCommand, DecryptCommand, Command};

+    

+    /// Encrypt a file with password

+    Encrypt(EncryptCommand),

+    

+    /// Decrypt a file with password

+    Decrypt(DecryptCommand),

+        Commands::Encrypt(cmd) => cmd.execute(&config).await,

+        Commands::Decrypt(cmd) => cmd.execute(&config).await,

+{

+  "version": 1,

+  "filename": "test_file.txt",

+  "original_size": 33,

+  "chunk_size_mb": 1,

+  "content_id": "d9694db901d94a19748dfadd6efaa8f4fed739e76f26042b91aa9c52feb30fd5",

+  "hash_algorithm": "both",

+  "encrypted_segments": [

+    {

+      "segment_index": 0,

+      "ciphertext": [

+        19,

+        73,

+        96,

+        52,

+        98,

+        167,

+        247,

+        176,

+        136,

+        177,

+        61,

+        115,

+        24,

+        2,

+        233,

+        101,

+        206,

+        42,

+        157,

+        80,

+        212,

+        131,

+        117,

+        70,

+        239,

+        35,

+        51,

+        7,

+        151,

+        30,

+        56,

+        201,

+        124,

+        101,

+        107,

+        136,

+        125,

+        156,

+        87,

+        180,

+        221,

+        205,

+        199,

+        1,

+        196,

+        85,

+        90,

+        208,

+        198

+      ],

+      "nonce": [

+        34,

+        209,

+        18,

+        71,

+        29,

+        37,

+        218,

+        155,

+        210,

+        138,

+        118,

+        134

+      ],

+      "aad": [

+        0,

+        0,

+        0,

+        0,

+        0,

+        0,

+        0,

+        0,

+        0,

+        0,

+        0,

+        0,

+        90,

+        101,

+        112,

+        104,

+        121,

+        114,

+        70,

+        83,

+        45,

+        118,

+        49

+      ],

+      "key_path": [

+        0

+      ]

+    }

+  ],

+  "created_at": "2025-09-13T01:21:09.987982518Z"

+}