`de09132`

2.4: Zero-knowledge encrypted storage with capability-based access control and deduplication

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 8 months ago

SHA: de09132af2ccd5b29618b0fec50324c27b184f3c
Parents: 585cb7b
Tree: 7d226cb

3 changed files

Status	File	+	-
M	`src/storage.rs`	10	1
A	`src/storage/encrypted_chunk_store.rs`	539	0
A	`src/storage/enhanced_storage_manager.rs`	498	0

src/storage.rsmodified

  pub mod metadata_store;
  pub mod file_chunker;
  pub mod storage_manager;
++pub mod encrypted_chunk_store;
++pub mod enhanced_storage_manager;
  // Re-export main storage interfaces
  pub use chunk_store::{ChunkStore, ChunkMetadata, StorageStats};
  pub use metadata_store::{MetadataStore, FileMetadata};
  pub use file_chunker::{FileChunker, ChunkInfo};
  pub use storage_manager::{StorageManager, StorageConfig, CapacityInfo};
++pub use encrypted_chunk_store::{
++    EncryptedChunkStore, EncryptedChunkMetadata, EncryptedFileMetadata,
++    EncryptionMetadata, FileCapability, EncryptedStorageStats
++};
++pub use enhanced_storage_manager::{
++    EnhancedStorageManager, CombinedCapacityInfo, FileStorageResult
++};

src/storage/encrypted_chunk_store.rsadded

++//! Encrypted chunk storage for ZephyrFS
++//!
++//! Provides storage layer functionality for encrypted chunks while maintaining
++//! zero-knowledge security. Storage nodes never see plaintext data.
++
++use anyhow::{Context, Result};
++use rocksdb::{DB, Options, WriteBatch};
++use serde::{Deserialize, Serialize};
++use sha2::{Digest, Sha256};
++use std::collections::HashMap;
++use std::path::Path;
++use std::sync::Arc;
++use tokio::sync::RwLock;
++use tracing::{debug, info, warn};
++
++use crate::crypto::{EncryptedData, ContentId};
++
++/// Metadata for encrypted chunks stored in the system
++///
++/// Zero-knowledge: Only stores encrypted data and hashes, no plaintext metadata
++#[derive(Debug, Clone, Serialize, Deserialize)]
++pub struct EncryptedChunkMetadata {
++    /// Content hash of the encrypted chunk (for deduplication)
++    pub encrypted_hash: String,
++
++    /// Size of the encrypted chunk in bytes
++    pub encrypted_size: u64,
++
++    /// Timestamp when chunk was stored
++    pub stored_at: u64,
++
++    /// Reference count (how many encrypted files reference this chunk)
++    pub ref_count: u32,
++
++    /// Verification checksum for integrity (of encrypted data)
++    pub checksum: String,
++
++    /// Content addressing hash (encrypted, for lookup)
++    pub content_id: Option<String>,
++
++    /// Encryption nonce (safe to store)
++    pub nonce: [u8; 12],
++
++    /// Additional authenticated data (encrypted metadata)
++    pub aad: Vec<u8>,
++
++    /// Key derivation path (safe to store, no keys)
++    pub key_path: Vec<u32>,
++}
++
++/// Enhanced file metadata that includes encryption information
++///
++/// Zero-knowledge: Stores encrypted metadata and access patterns
++#[derive(Debug, Clone, Serialize, Deserialize)]
++pub struct EncryptedFileMetadata {
++    /// Original filename (encrypted)
++    pub encrypted_name: Vec<u8>,
++
++    /// Encrypted file size info
++    pub encrypted_size_info: Vec<u8>,
++
++    /// File hash of encrypted data
++    pub encrypted_file_hash: String,
++
++    /// List of encrypted chunk IDs
++    pub encrypted_chunk_ids: Vec<String>,
++
++    /// Timestamp (can be plaintext for sorting)
++    pub created_at: u64,
++    pub modified_at: u64,
++
++    /// Encryption metadata
++    pub encryption_metadata: EncryptionMetadata,
++
++    /// Access control capabilities (encrypted)
++    pub capabilities: Vec<u8>,
++}
++
++/// Encryption-specific metadata stored with files
++///
++/// Zero-knowledge: No sensitive key material stored
++#[derive(Debug, Clone, Serialize, Deserialize)]
++pub struct EncryptionMetadata {
++    /// Encryption algorithm version
++    pub version: u32,
++
++    /// Number of encrypted segments
++    pub segment_count: u32,
++
++    /// Chunk size used for encryption (MB)
++    pub chunk_size_mb: u32,
++
++    /// Content addressing algorithm
++    pub content_hash_algorithm: String,
++
++    /// Verification hash algorithm
++    pub verification_hash_algorithm: String,
++
++    /// Master nonce for file-level operations
++    pub master_nonce: [u8; 12],
++
++    /// Encrypted content verification data
++    pub encrypted_content_verification: Vec<u8>,
++}
++
++/// Capability token for secure file access
++///
++/// Zero-knowledge: Contains encrypted access permissions and keys
++#[derive(Debug, Clone, Serialize, Deserialize)]
++pub struct FileCapability {
++    /// Unique capability ID
++    pub capability_id: String,
++
++    /// File ID this capability grants access to
++    pub file_id: String,
++
++    /// Encrypted access permissions (read, write, share, etc.)
++    pub encrypted_permissions: Vec<u8>,
++
++    /// Encrypted key material for this capability
++    pub encrypted_key_material: Vec<u8>,
++
++    /// Capability expiration timestamp (optional)
++    pub expires_at: Option<u64>,
++
++    /// Created timestamp
++    pub created_at: u64,
++
++    /// Capability signature (for verification)
++    pub signature: Vec<u8>,
++}
++
++/// Enhanced chunk store that handles encrypted chunks
++///
++/// Zero-knowledge: Never processes or sees plaintext data
++pub struct EncryptedChunkStore {
++    /// Underlying chunk storage
++    db: Arc<DB>,
++
++    /// Metadata cache for encrypted chunks
++    metadata_cache: Arc<RwLock<HashMap<String, EncryptedChunkMetadata>>>,
++
++    /// File metadata storage
++    file_metadata_cache: Arc<RwLock<HashMap<String, EncryptedFileMetadata>>>,
++
++    /// Capability storage
++    capability_cache: Arc<RwLock<HashMap<String, FileCapability>>>,
++
++    /// Storage statistics
++    stats: Arc<RwLock<EncryptedStorageStats>>,
++}
++
++#[derive(Debug, Default, Clone)]
++pub struct EncryptedStorageStats {
++    pub total_encrypted_chunks: u64,
++    pub total_encrypted_size: u64,
++    pub total_encrypted_files: u64,
++    pub active_capabilities: u64,
++    pub cache_hits: u64,
++    pub cache_misses: u64,
++    pub deduplication_savings: u64,
++}
++
++impl EncryptedChunkStore {
++    /// Create a new encrypted chunk store
++    ///
++    /// Zero-knowledge: Configures storage to handle only encrypted data
++    pub fn new<P: AsRef<Path>>(db_path: P) -> Result<Self> {
++        info!("Initializing EncryptedChunkStore for zero-knowledge storage");
++
++        let mut opts = Options::default();
++        opts.create_if_missing(true);
++        opts.set_paranoid_checks(true);
++        opts.set_use_fsync(true);
++
++        let db = DB::open(&opts, db_path)
++            .context("Failed to open encrypted chunk database")?;
++
++        let store = Self {
++            db: Arc::new(db),
++            metadata_cache: Arc::new(RwLock::new(HashMap::new())),
++            file_metadata_cache: Arc::new(RwLock::new(HashMap::new())),
++            capability_cache: Arc::new(RwLock::new(HashMap::new())),
++            stats: Arc::new(RwLock::new(EncryptedStorageStats::default())),
++        };
++
++        store.load_stats_from_db()?;
++        info!("EncryptedChunkStore initialized with zero-knowledge architecture");
++        Ok(store)
++    }
++
++    /// Store an encrypted chunk with deduplication
++    ///
++    /// Zero-knowledge: Only handles encrypted data, maintains content-based deduplication
++    pub async fn store_encrypted_chunk(&self, chunk_id: &str, encrypted_data: &EncryptedData) -> Result<String> {
++        debug!("Storing encrypted chunk: {} ({} bytes)", chunk_id, encrypted_data.ciphertext.len());
++
++        // Calculate hash of encrypted content for deduplication
++        let mut hasher = Sha256::new();
++        hasher.update(&encrypted_data.ciphertext);
++        hasher.update(&encrypted_data.nonce);
++        hasher.update(&encrypted_data.aad);
++        let encrypted_hash = hex::encode(hasher.finalize());
++
++        // Check if this encrypted chunk already exists (deduplication)
++        if let Some(existing_metadata) = self.get_encrypted_chunk_metadata(&encrypted_hash).await? {
++            // Increment reference count
++            let mut metadata = existing_metadata;
++            metadata.ref_count += 1;
++            self.update_encrypted_chunk_metadata(&encrypted_hash, &metadata).await?;
++
++            debug!("Deduplicated encrypted chunk: {} (ref_count: {})", encrypted_hash, metadata.ref_count);
++            return Ok(encrypted_hash);
++        }
++
++        // Create checksum for integrity verification
++        let checksum = self.calculate_encrypted_checksum(&encrypted_data.ciphertext, &encrypted_hash);
++
++        let metadata = EncryptedChunkMetadata {
++            encrypted_hash: encrypted_hash.clone(),
++            encrypted_size: encrypted_data.ciphertext.len() as u64,
++            stored_at: std::time::SystemTime::now()
++                .duration_since(std::time::UNIX_EPOCH)?
++                .as_secs(),
++            ref_count: 1,
++            checksum,
++            content_id: None, // Set by caller if needed
++            nonce: encrypted_data.nonce,
++            aad: encrypted_data.aad.clone(),
++            key_path: encrypted_data.key_path.clone(),
++        };
++
++        // Store encrypted chunk data and metadata atomically
++        let mut batch = WriteBatch::default();
++
++        // Store the encrypted ciphertext
++        let chunk_key = format!("chunk:{}", encrypted_hash);
++        batch.put(&chunk_key, &encrypted_data.ciphertext);
++
++        // Store metadata
++        let metadata_key = format!("meta:{}", encrypted_hash);
++        let metadata_bytes = bincode::serialize(&metadata)
++            .context("Failed to serialize encrypted chunk metadata")?;
++        batch.put(&metadata_key, &metadata_bytes);
++
++        self.db.write(batch)
++            .context("Failed to store encrypted chunk atomically")?;
++
++        // Update cache and stats
++        {
++            let mut cache = self.metadata_cache.write().await;
++            cache.insert(encrypted_hash.clone(), metadata);
++        }
++
++        {
++            let mut stats = self.stats.write().await;
++            stats.total_encrypted_chunks += 1;
++            stats.total_encrypted_size += encrypted_data.ciphertext.len() as u64;
++        }
++
++        info!("Stored new encrypted chunk: {}", encrypted_hash);
++        Ok(encrypted_hash)
++    }
++
++    /// Retrieve an encrypted chunk by hash
++    ///
++    /// Zero-knowledge: Returns encrypted data without any decryption
++    pub async fn retrieve_encrypted_chunk(&self, encrypted_hash: &str) -> Result<Option<EncryptedData>> {
++        debug!("Retrieving encrypted chunk: {}", encrypted_hash);
++
++        // Get metadata first
++        let metadata = match self.get_encrypted_chunk_metadata(encrypted_hash).await? {
++            Some(meta) => meta,
++            None => {
++                debug!("Encrypted chunk not found: {}", encrypted_hash);
++                return Ok(None);
++            }
++        };
++
++        // Retrieve encrypted ciphertext
++        let chunk_key = format!("chunk:{}", encrypted_hash);
++        let ciphertext = match self.db.get(&chunk_key)
++            .context("Failed to read encrypted chunk from database")? {
++            Some(data) => data,
++            None => {
++                warn!("Encrypted chunk data missing for hash: {}", encrypted_hash);
++                return Ok(None);
++            }
++        };
++
++        // Verify integrity
++        let computed_checksum = self.calculate_encrypted_checksum(&ciphertext, encrypted_hash);
++        if computed_checksum != metadata.checksum {
++            return Err(anyhow::anyhow!(
++                "Encrypted chunk integrity verification failed for {}", encrypted_hash
++            ));
++        }
++
++        // Reconstruct EncryptedData
++        let encrypted_data = EncryptedData {
++            segment_index: 0, // Will be set by caller
++            ciphertext,
++            nonce: metadata.nonce,
++            aad: metadata.aad,
++            key_path: metadata.key_path,
++        };
++
++        {
++            let mut stats = self.stats.write().await;
++            stats.cache_hits += 1;
++        }
++
++        Ok(Some(encrypted_data))
++    }
++
++    /// Store encrypted file metadata
++    ///
++    /// Zero-knowledge: All sensitive metadata is encrypted
++    pub async fn store_encrypted_file_metadata(&self, file_id: &str, metadata: &EncryptedFileMetadata) -> Result<()> {
++        debug!("Storing encrypted file metadata: {}", file_id);
++
++        let metadata_key = format!("file:{}", file_id);
++        let metadata_bytes = bincode::serialize(metadata)
++            .context("Failed to serialize encrypted file metadata")?;
++
++        self.db.put(&metadata_key, &metadata_bytes)
++            .context("Failed to store encrypted file metadata")?;
++
++        // Update cache
++        {
++            let mut cache = self.file_metadata_cache.write().await;
++            cache.insert(file_id.to_string(), metadata.clone());
++        }
++
++        {
++            let mut stats = self.stats.write().await;
++            stats.total_encrypted_files += 1;
++        }
++
++        Ok(())
++    }
++
++    /// Retrieve encrypted file metadata
++    ///
++    /// Zero-knowledge: Returns encrypted metadata without decryption
++    pub async fn get_encrypted_file_metadata(&self, file_id: &str) -> Result<Option<EncryptedFileMetadata>> {
++        // Check cache first
++        {
++            let cache = self.file_metadata_cache.read().await;
++            if let Some(metadata) = cache.get(file_id) {
++                return Ok(Some(metadata.clone()));
++            }
++        }
++
++        let metadata_key = format!("file:{}", file_id);
++        let metadata_bytes = match self.db.get(&metadata_key)
++            .context("Failed to read encrypted file metadata")? {
++            Some(data) => data,
++            None => return Ok(None),
++        };
++
++        let metadata: EncryptedFileMetadata = bincode::deserialize(&metadata_bytes)
++            .context("Failed to deserialize encrypted file metadata")?;
++
++        // Update cache
++        {
++            let mut cache = self.file_metadata_cache.write().await;
++            cache.insert(file_id.to_string(), metadata.clone());
++        }
++
++        Ok(Some(metadata))
++    }
++
++    /// Store a file capability for secure access control
++    ///
++    /// Zero-knowledge: Capability contains encrypted permissions and keys
++    pub async fn store_capability(&self, capability: &FileCapability) -> Result<()> {
++        debug!("Storing file capability: {}", capability.capability_id);
++
++        let cap_key = format!("cap:{}", capability.capability_id);
++        let cap_bytes = bincode::serialize(capability)
++            .context("Failed to serialize capability")?;
++
++        self.db.put(&cap_key, &cap_bytes)
++            .context("Failed to store capability")?;
++
++        // Update cache and stats
++        {
++            let mut cache = self.capability_cache.write().await;
++            cache.insert(capability.capability_id.clone(), capability.clone());
++        }
++
++        {
++            let mut stats = self.stats.write().await;
++            stats.active_capabilities += 1;
++        }
++
++        Ok(())
++    }
++
++    /// Retrieve a file capability
++    pub async fn get_capability(&self, capability_id: &str) -> Result<Option<FileCapability>> {
++        // Check cache first
++        {
++            let cache = self.capability_cache.read().await;
++            if let Some(capability) = cache.get(capability_id) {
++                return Ok(Some(capability.clone()));
++            }
++        }
++
++        let cap_key = format!("cap:{}", capability_id);
++        let cap_bytes = match self.db.get(&cap_key)
++            .context("Failed to read capability")? {
++            Some(data) => data,
++            None => return Ok(None),
++        };
++
++        let capability: FileCapability = bincode::deserialize(&cap_bytes)
++            .context("Failed to deserialize capability")?;
++
++        // Check expiration
++        if let Some(expires_at) = capability.expires_at {
++            let now = std::time::SystemTime::now()
++                .duration_since(std::time::UNIX_EPOCH)?
++                .as_secs();
++            if now > expires_at {
++                debug!("Capability expired: {}", capability_id);
++                return Ok(None);
++            }
++        }
++
++        // Update cache
++        {
++            let mut cache = self.capability_cache.write().await;
++            cache.insert(capability_id.to_string(), capability.clone());
++        }
++
++        Ok(Some(capability))
++    }
++
++    /// Get storage statistics
++    pub async fn get_encrypted_stats(&self) -> EncryptedStorageStats {
++        let stats = self.stats.read().await;
++        (*stats).clone()
++    }
++
++    /// Helper methods
++    async fn get_encrypted_chunk_metadata(&self, encrypted_hash: &str) -> Result<Option<EncryptedChunkMetadata>> {
++        // Check cache first
++        {
++            let cache = self.metadata_cache.read().await;
++            if let Some(metadata) = cache.get(encrypted_hash) {
++                return Ok(Some(metadata.clone()));
++            }
++        }
++
++        let metadata_key = format!("meta:{}", encrypted_hash);
++        let metadata_bytes = match self.db.get(&metadata_key)? {
++            Some(data) => data,
++            None => return Ok(None),
++        };
++
++        let metadata: EncryptedChunkMetadata = bincode::deserialize(&metadata_bytes)
++            .context("Failed to deserialize encrypted chunk metadata")?;
++
++        Ok(Some(metadata))
++    }
++
++    async fn update_encrypted_chunk_metadata(&self, encrypted_hash: &str, metadata: &EncryptedChunkMetadata) -> Result<()> {
++        let metadata_key = format!("meta:{}", encrypted_hash);
++        let metadata_bytes = bincode::serialize(metadata)?;
++
++        self.db.put(&metadata_key, &metadata_bytes)?;
++
++        // Update cache
++        {
++            let mut cache = self.metadata_cache.write().await;
++            cache.insert(encrypted_hash.to_string(), metadata.clone());
++        }
++
++        Ok(())
++    }
++
++    fn calculate_encrypted_checksum(&self, ciphertext: &[u8], hash: &str) -> String {
++        let mut hasher = Sha256::new();
++        hasher.update(ciphertext);
++        hasher.update(hash.as_bytes());
++        hasher.update(b"zephyrfs-encrypted-chunk-v1");
++        hex::encode(hasher.finalize())
++    }
++
++    fn load_stats_from_db(&self) -> Result<()> {
++        // Implementation would scan database to calculate stats
++        // For now, we'll initialize with defaults
++        Ok(())
++    }
++}
++
++#[cfg(test)]
++mod tests {
++    use super::*;
++    use tempfile::tempdir;
++
++    #[tokio::test]
++    async fn test_encrypted_chunk_store_creation() {
++        let temp_dir = tempdir().unwrap();
++        let store = EncryptedChunkStore::new(temp_dir.path()).await.unwrap();
++        let stats = store.get_encrypted_stats().await;
++
++        assert_eq!(stats.total_encrypted_chunks, 0);
++        assert_eq!(stats.total_encrypted_files, 0);
++        assert_eq!(stats.active_capabilities, 0);
++    }
++
++    #[tokio::test]
++    async fn test_encrypted_chunk_deduplication() {
++        let temp_dir = tempdir().unwrap();
++        let store = EncryptedChunkStore::new(temp_dir.path()).await.unwrap();
++
++        let encrypted_data = EncryptedData {
++            segment_index: 0,
++            ciphertext: vec![1, 2, 3, 4, 5],
++            nonce: [0u8; 12],
++            aad: vec![],
++            key_path: vec![0, 1],
++        };
++
++        // Store same encrypted chunk twice
++        let hash1 = store.store_encrypted_chunk("chunk1", &encrypted_data).await.unwrap();
++        let hash2 = store.store_encrypted_chunk("chunk2", &encrypted_data).await.unwrap();
++
++        // Should be deduplicated (same hash)
++        assert_eq!(hash1, hash2);
++
++        // Should have reference count of 2
++        let metadata = store.get_encrypted_chunk_metadata(&hash1).await.unwrap().unwrap();
++        assert_eq!(metadata.ref_count, 2);
++    }
++}

src/storage/enhanced_storage_manager.rsadded

++//! Enhanced storage manager with encryption support
++//!
++//! Integrates encrypted chunk storage with existing storage operations
++//! while maintaining backward compatibility and zero-knowledge security.
++
++use anyhow::{Context, Result};
++use sha2::{Digest, Sha256};
++use std::path::{Path, PathBuf};
++use std::sync::Arc;
++use tokio::sync::RwLock;
++use tracing::{debug, info, warn, error};
++
++use crate::crypto::{ZephyrCrypto, EncryptedData, ContentId};
++use crate::storage::{
++    StorageManager, StorageConfig, CapacityInfo,
++    EncryptedChunkStore, EncryptedChunkMetadata, EncryptedFileMetadata,
++    EncryptionMetadata, FileCapability, EncryptedStorageStats,
++};
++
++/// Enhanced storage manager supporting both encrypted and plaintext operations
++///
++/// Zero-knowledge: Encrypted files never expose plaintext to storage nodes
++/// Backward compatibility: Supports existing plaintext storage operations
++pub struct EnhancedStorageManager {
++    /// Traditional plaintext storage manager
++    plaintext_storage: Arc<StorageManager>,
++
++    /// Encrypted chunk storage
++    encrypted_storage: Arc<EncryptedChunkStore>,
++
++    /// Storage configuration
++    config: StorageConfig,
++
++    /// Base storage path
++    base_path: PathBuf,
++
++    /// Combined capacity tracking
++    combined_capacity: Arc<RwLock<CombinedCapacityInfo>>,
++}
++
++/// Combined capacity information for both encrypted and plaintext storage
++#[derive(Debug, Clone)]
++pub struct CombinedCapacityInfo {
++    /// Traditional storage info
++    pub plaintext_capacity: CapacityInfo,
++
++    /// Encrypted storage info
++    pub encrypted_stats: EncryptedStorageStats,
++
++    /// Combined totals
++    pub total_used_space: u64,
++    pub total_files: u64,
++    pub total_chunks: u64,
++    pub combined_efficiency: f64,
++}
++
++/// File storage result containing information about how the file was stored
++#[derive(Debug)]
++pub struct FileStorageResult {
++    pub file_hash: String,
++    pub is_encrypted: bool,
++    pub chunk_count: usize,
++    pub content_id: Option<String>,
++    pub capability_id: Option<String>,
++}
++
++impl EnhancedStorageManager {
++    /// Create a new enhanced storage manager
++    ///
++    /// Zero-knowledge: Initializes both plaintext and encrypted storage backends
++    pub async fn new<P: AsRef<Path>>(base_path: P, config: StorageConfig) -> Result<Self> {
++        let base_path = base_path.as_ref().to_path_buf();
++        info!("Initializing EnhancedStorageManager with encryption support at: {:?}", base_path);
++
++        // Create subdirectories
++        let plaintext_path = base_path.join("plaintext");
++        let encrypted_path = base_path.join("encrypted");
++
++        std::fs::create_dir_all(&plaintext_path)
++            .context("Failed to create plaintext storage directory")?;
++        std::fs::create_dir_all(&encrypted_path)
++            .context("Failed to create encrypted storage directory")?;
++
++        // Initialize storage backends
++        let plaintext_storage = Arc::new(StorageManager::new(&plaintext_path, config.clone()).await
++            .context("Failed to initialize plaintext storage manager")?);
++
++        let encrypted_storage = Arc::new(EncryptedChunkStore::new(&encrypted_path)
++            .context("Failed to initialize encrypted chunk store")?);
++
++        // Initialize combined capacity tracking
++        let combined_capacity = Arc::new(RwLock::new(CombinedCapacityInfo {
++            plaintext_capacity: plaintext_storage.get_capacity_info().await,
++            encrypted_stats: encrypted_storage.get_encrypted_stats().await,
++            total_used_space: 0,
++            total_files: 0,
++            total_chunks: 0,
++            combined_efficiency: 1.0,
++        }));
++
++        let manager = Self {
++            plaintext_storage,
++            encrypted_storage,
++            config,
++            base_path,
++            combined_capacity,
++        };
++
++        // Update combined capacity information
++        manager.refresh_combined_capacity().await?;
++
++        info!("EnhancedStorageManager initialized with zero-knowledge encryption support");
++        Ok(manager)
++    }
++
++    /// Store a file with automatic encryption (if crypto context provided)
++    ///
++    /// Zero-knowledge: When crypto is provided, file is encrypted before storage
++    pub async fn store_file_with_crypto(
++        &self,
++        file_id: &str,
++        data: &[u8],
++        filename: &str,
++        crypto: Option<&ZephyrCrypto>
++    ) -> Result<FileStorageResult> {
++        info!("Storing file: {} ({} bytes) with encryption: {}",
++              filename, data.len(), crypto.is_some());
++
++        match crypto {
++            Some(crypto_ctx) => {
++                self.store_encrypted_file(file_id, data, filename, crypto_ctx).await
++            }
++            None => {
++                self.store_plaintext_file(file_id, data, filename).await
++            }
++        }
++    }
++
++    /// Store an encrypted file using zero-knowledge encryption
++    ///
++    /// Zero-knowledge: File is encrypted before storage, storage nodes never see plaintext
++    async fn store_encrypted_file(
++        &self,
++        file_id: &str,
++        data: &[u8],
++        filename: &str,
++        crypto: &ZephyrCrypto,
++    ) -> Result<FileStorageResult> {
++        debug!("Storing encrypted file: {}", file_id);
++
++        // Encrypt file data into segments
++        let encrypted_segments = crypto.encrypt_file(data)
++            .context("Failed to encrypt file data")?;
++
++        // Generate content ID for encrypted file
++        let content_id = crypto.content_id(data);
++
++        // Store encrypted chunks
++        let mut chunk_hashes = Vec::new();
++        for (index, encrypted_data) in encrypted_segments.iter().enumerate() {
++            let chunk_id = format!("{}:{}", file_id, index);
++            let chunk_hash = self.encrypted_storage.store_encrypted_chunk(&chunk_id, encrypted_data).await
++                .context("Failed to store encrypted chunk")?;
++            chunk_hashes.push(chunk_hash);
++        }
++
++        // Create encrypted file metadata
++        let encrypted_metadata = EncryptedFileMetadata {
++            encrypted_name: self.encrypt_filename(filename, crypto)?,
++            encrypted_size_info: self.encrypt_size_info(data.len(), crypto)?,
++            encrypted_file_hash: content_id.to_hex(),
++            encrypted_chunk_ids: chunk_hashes,
++            created_at: std::time::SystemTime::now()
++                .duration_since(std::time::UNIX_EPOCH)?
++                .as_secs(),
++            modified_at: std::time::SystemTime::now()
++                .duration_since(std::time::UNIX_EPOCH)?
++                .as_secs(),
++            encryption_metadata: EncryptionMetadata {
++                version: 1,
++                segment_count: encrypted_segments.len() as u32,
++                chunk_size_mb: 1, // TODO: Get from config
++                content_hash_algorithm: "blake3".to_string(),
++                verification_hash_algorithm: "blake3".to_string(),
++                master_nonce: [0u8; 12], // TODO: Generate proper nonce
++                encrypted_content_verification: self.encrypt_content_verification(&content_id, crypto)?,
++            },
++            capabilities: vec![], // TODO: Generate initial capability
++        };
++
++        // Store encrypted file metadata
++        self.encrypted_storage.store_encrypted_file_metadata(file_id, &encrypted_metadata).await
++            .context("Failed to store encrypted file metadata")?;
++
++        // Create file capability for access control
++        let capability = self.create_file_capability(file_id, crypto).await?;
++        let capability_id = capability.capability_id.clone();
++
++        self.encrypted_storage.store_capability(&capability).await
++            .context("Failed to store file capability")?;
++
++        // Update capacity tracking
++        self.refresh_combined_capacity().await?;
++
++        info!("Successfully stored encrypted file: {} with capability: {}", file_id, capability_id);
++        Ok(FileStorageResult {
++            file_hash: content_id.to_hex(),
++            is_encrypted: true,
++            chunk_count: encrypted_segments.len(),
++            content_id: Some(content_id.to_hex()),
++            capability_id: Some(capability_id),
++        })
++    }
++
++    /// Store a plaintext file using existing storage manager
++    async fn store_plaintext_file(
++        &self,
++        file_id: &str,
++        data: &[u8],
++        filename: &str,
++    ) -> Result<FileStorageResult> {
++        debug!("Storing plaintext file: {}", file_id);
++
++        let file_hash = self.plaintext_storage.store_file(file_id, data, filename).await
++            .context("Failed to store plaintext file")?;
++
++        // Update capacity tracking
++        self.refresh_combined_capacity().await?;
++
++        info!("Successfully stored plaintext file: {}", file_id);
++        Ok(FileStorageResult {
++            file_hash,
++            is_encrypted: false,
++            chunk_count: 1, // Plaintext files are stored as single chunks
++            content_id: None,
++            capability_id: None,
++        })
++    }
++
++    /// Retrieve a file with automatic detection of encryption
++    ///
++    /// Zero-knowledge: Encrypted files are decrypted using provided crypto context
++    pub async fn retrieve_file_with_crypto(
++        &self,
++        file_id: &str,
++        crypto: Option<&ZephyrCrypto>,
++    ) -> Result<Option<(Vec<u8>, bool)>> {
++        debug!("Retrieving file: {} with crypto: {}", file_id, crypto.is_some());
++
++        // First try encrypted storage
++        if let Some(encrypted_metadata) = self.encrypted_storage.get_encrypted_file_metadata(file_id).await? {
++            if let Some(crypto_ctx) = crypto {
++                let data = self.retrieve_encrypted_file(file_id, &encrypted_metadata, crypto_ctx).await?;
++                return Ok(Some((data, true)));
++            } else {
++                return Err(anyhow::anyhow!(
++                    "File {} is encrypted but no crypto context provided for decryption", file_id
++                ));
++            }
++        }
++
++        // Try plaintext storage
++        if let Some(data) = self.plaintext_storage.retrieve_file(file_id).await? {
++            return Ok(Some((data, false)));
++        }
++
++        Ok(None)
++    }
++
++    /// Retrieve an encrypted file using zero-knowledge decryption
++    ///
++    /// Zero-knowledge: File is decrypted client-side, storage nodes never see plaintext
++    async fn retrieve_encrypted_file(
++        &self,
++        file_id: &str,
++        metadata: &EncryptedFileMetadata,
++        crypto: &ZephyrCrypto,
++    ) -> Result<Vec<u8>> {
++        debug!("Retrieving encrypted file: {}", file_id);
++
++        // Retrieve all encrypted chunks
++        let mut encrypted_segments = Vec::new();
++        for (index, chunk_hash) in metadata.encrypted_chunk_ids.iter().enumerate() {
++            let mut encrypted_data = self.encrypted_storage.retrieve_encrypted_chunk(chunk_hash).await?
++                .ok_or_else(|| anyhow::anyhow!("Missing encrypted chunk: {}", chunk_hash))?;
++
++            // Set correct segment index
++            encrypted_data.segment_index = index as u64;
++            encrypted_segments.push(encrypted_data);
++        }
++
++        // Decrypt file
++        let decrypted_data = crypto.decrypt_file(&encrypted_segments)
++            .context("Failed to decrypt file")?;
++
++        // Verify content integrity
++        let computed_content_id = crypto.content_id(&decrypted_data);
++        let expected_content_id = ContentId::from_hex(
++            crate::crypto::HashAlgorithm::Blake3,
++            &metadata.encrypted_file_hash
++        ).context("Invalid content ID in encrypted file metadata")?;
++
++        if !crypto.verify_content(&decrypted_data, &expected_content_id) {
++            return Err(anyhow::anyhow!(
++                "Content verification failed for encrypted file: {}", file_id
++            ));
++        }
++
++        info!("Successfully retrieved and decrypted file: {}", file_id);
++        Ok(decrypted_data)
++    }
++
++    /// Check if a file exists in either storage backend
++    pub async fn file_exists(&self, file_id: &str) -> Result<(bool, bool)> {
++        let encrypted_exists = self.encrypted_storage.get_encrypted_file_metadata(file_id).await?.is_some();
++        let plaintext_exists = self.plaintext_storage.file_exists(file_id).await?;
++        Ok((plaintext_exists, encrypted_exists))
++    }
++
++    /// Get combined storage capacity information
++    pub async fn get_combined_capacity(&self) -> CombinedCapacityInfo {
++        let capacity = self.combined_capacity.read().await;
++        capacity.clone()
++    }
++
++    /// Get file capability for encrypted files
++    pub async fn get_file_capability(&self, capability_id: &str) -> Result<Option<FileCapability>> {
++        self.encrypted_storage.get_capability(capability_id).await
++    }
++
++    /// Grant access to an encrypted file by creating a new capability
++    pub async fn grant_file_access(
++        &self,
++        file_id: &str,
++        permissions: &[u8],
++        crypto: &ZephyrCrypto,
++    ) -> Result<String> {
++        let capability = FileCapability {
++            capability_id: self.generate_capability_id(),
++            file_id: file_id.to_string(),
++            encrypted_permissions: permissions.to_vec(),
++            encrypted_key_material: self.encrypt_key_material_for_capability(crypto)?,
++            expires_at: None,
++            created_at: std::time::SystemTime::now()
++                .duration_since(std::time::UNIX_EPOCH)?
++                .as_secs(),
++            signature: vec![], // TODO: Generate proper signature
++        };
++
++        let capability_id = capability.capability_id.clone();
++        self.encrypted_storage.store_capability(&capability).await?;
++
++        info!("Created file capability: {} for file: {}", capability_id, file_id);
++        Ok(capability_id)
++    }
++
++    /// Helper methods for encryption operations
++    fn encrypt_filename(&self, filename: &str, crypto: &ZephyrCrypto) -> Result<Vec<u8>> {
++        // TODO: Implement filename encryption
++        Ok(filename.as_bytes().to_vec())
++    }
++
++    fn encrypt_size_info(&self, size: usize, crypto: &ZephyrCrypto) -> Result<Vec<u8>> {
++        // TODO: Implement size info encryption
++        Ok(size.to_le_bytes().to_vec())
++    }
++
++    fn encrypt_content_verification(&self, content_id: &ContentId, crypto: &ZephyrCrypto) -> Result<Vec<u8>> {
++        // TODO: Implement content verification encryption
++        Ok(content_id.to_hex().as_bytes().to_vec())
++    }
++
++    async fn create_file_capability(&self, file_id: &str, crypto: &ZephyrCrypto) -> Result<FileCapability> {
++        let capability_id = self.generate_capability_id();
++
++        Ok(FileCapability {
++            capability_id,
++            file_id: file_id.to_string(),
++            encrypted_permissions: vec![0x01], // Basic read permission
++            encrypted_key_material: self.encrypt_key_material_for_capability(crypto)?,
++            expires_at: None,
++            created_at: std::time::SystemTime::now()
++                .duration_since(std::time::UNIX_EPOCH)?
++                .as_secs(),
++            signature: vec![], // TODO: Generate proper signature
++        })
++    }
++
++    fn encrypt_key_material_for_capability(&self, crypto: &ZephyrCrypto) -> Result<Vec<u8>> {
++        // TODO: Implement proper key material encryption for capabilities
++        crypto.get_capability().context("Failed to get capability key material")
++    }
++
++    fn generate_capability_id(&self) -> String {
++        use rand::Rng;
++        let mut rng = rand::thread_rng();
++        let bytes: [u8; 16] = rng.gen();
++        hex::encode(bytes)
++    }
++
++    async fn refresh_combined_capacity(&self) -> Result<()> {
++        let plaintext_capacity = self.plaintext_storage.get_capacity_info().await;
++        let encrypted_stats = self.encrypted_storage.get_encrypted_stats().await;
++
++        let total_used_space = plaintext_capacity.used_space + encrypted_stats.total_encrypted_size;
++        let total_files = plaintext_capacity.file_count + encrypted_stats.total_encrypted_files;
++        let total_chunks = plaintext_capacity.chunk_count + encrypted_stats.total_encrypted_chunks;
++
++        // Calculate combined efficiency (deduplication benefits)
++        let combined_efficiency = if total_used_space > 0 {
++            // This is a simplified calculation - in practice, we'd need more sophisticated metrics
++            (plaintext_capacity.efficiency_ratio + 1.0) / 2.0
++        } else {
++            1.0
++        };
++
++        let mut capacity = self.combined_capacity.write().await;
++        *capacity = CombinedCapacityInfo {
++            plaintext_capacity,
++            encrypted_stats,
++            total_used_space,
++            total_files,
++            total_chunks,
++            combined_efficiency,
++        };
++
++        debug!("Updated combined capacity: {} bytes used, {} files, {} chunks",
++               total_used_space, total_files, total_chunks);
++
++        Ok(())
++    }
++}
++
++#[cfg(test)]
++mod tests {
++    use super::*;
++    use tempfile::tempdir;
++    use crate::crypto::{CryptoParams, ZephyrCrypto};
++
++    #[tokio::test]
++    async fn test_enhanced_storage_manager_creation() {
++        let temp_dir = tempdir().unwrap();
++        let config = StorageConfig::default();
++
++        let manager = EnhancedStorageManager::new(temp_dir.path(), config).await.unwrap();
++        let capacity = manager.get_combined_capacity().await;
++
++        assert_eq!(capacity.total_used_space, 0);
++        assert_eq!(capacity.total_files, 0);
++        assert_eq!(capacity.total_chunks, 0);
++    }
++
++    #[tokio::test]
++    async fn test_plaintext_file_storage() {
++        let temp_dir = tempdir().unwrap();
++        let config = StorageConfig::default();
++        let manager = EnhancedStorageManager::new(temp_dir.path(), config).await.unwrap();
++
++        let file_id = "test-file-1";
++        let filename = "test.txt";
++        let data = b"Hello, ZephyrFS! This is a test file.";
++
++        // Store plaintext file
++        let result = manager.store_file_with_crypto(file_id, data, filename, None).await.unwrap();
++        assert!(!result.is_encrypted);
++        assert!(result.capability_id.is_none());
++
++        // Retrieve plaintext file
++        let (retrieved_data, is_encrypted) = manager.retrieve_file_with_crypto(file_id, None).await.unwrap().unwrap();
++        assert_eq!(retrieved_data, data);
++        assert!(!is_encrypted);
++    }
++
++    #[tokio::test]
++    async fn test_encrypted_file_storage() {
++        let temp_dir = tempdir().unwrap();
++        let config = StorageConfig::default();
++        let manager = EnhancedStorageManager::new(temp_dir.path(), config).await.unwrap();
++
++        // Create crypto context
++        let mut crypto = ZephyrCrypto::new();
++        crypto.init_from_password("test_password_123").unwrap();
++
++        let file_id = "encrypted-file-1";
++        let filename = "secret.txt";
++        let data = b"This is confidential data that should be encrypted.";
++
++        // Store encrypted file
++        let result = manager.store_file_with_crypto(file_id, data, filename, Some(&crypto)).await.unwrap();
++        assert!(result.is_encrypted);
++        assert!(result.capability_id.is_some());
++
++        // Retrieve encrypted file
++        let (retrieved_data, is_encrypted) = manager.retrieve_file_with_crypto(file_id, Some(&crypto)).await.unwrap().unwrap();
++        assert_eq!(retrieved_data, data);
++        assert!(is_encrypted);
++    }
++}