HELP: Encryption using passwords
TYPE: OBJECT
SYNTAX: PWD/PASSWORD(PROTECT=DATA/LIST/ALL,METHOD=OTP-PBKDF2-10000-SHA3-512,DATA/USER(),MEMBER/SEARCH/INDEX/MBR(),DIRECTORY/CONTENT())
Archives can be protected using passwords. A password can be specified to protect data, member and directory segments of the archive against unauthorized access. You can specify a key derivation method and protection mode.
There are three basic access levels: DATA, MEMBER, DIRECTORY. Each of these has a set of up to three randomly generated keys that protect the respective types of archive segments. Assigning a password to one of these access levels determines which of the keysets gets encrypted to grant the desired access.
The three access levels are defined as follows, ordered from highest to lowest level:
Each of these access levels can be restricted further to only allow certain actions. For details, see the documentation of the RIGHTS object.
On archive creation, you need to specify at least one keyset with DATA access. Otherwise, no one would be able to read the data written to the archive.
Do not assign the same password to more than one access level as the access levels are cumulative. DATA access includes everything on the MEMBER access level which includes everything on the DIRECTORY level. To grant different access levels depending on which password is used, you can assign different passwords to two or more access levels.
The PROTECT parameter can be used to limit which of the three keys (data, member, directory) gets encrypted with the specified password. If the PROTECT parameter is not specified (or set to ALL), all of the (up to) three keys are protected. With PROTECT=DATA, only the data key is protected using the specified password, but the member and directory keys are not. This means that anyone can view the directory contents and compile search results without authentication, but not decrypt data segments. With PROTECT=LIST, everyone can list the members in the archive, but not perform a search on encrypted members or access member data.
Use the PROTECT parameter with care. If the archive contains one valid keyset with a protection level other than ALL, access to the respective parts of the archive is granted without authentication.
NUMBER: PROTECT=DATA/LIST/ALL - Select protection for the FLAM archive [ALL (data, member and directory segments)]
DATA - Protect only data segments with secret keys and ensure access to member index (search) and directory (list) by default key
LIST - Protect data segments and member segments with secret keys and ensure access to directory (list) by default key
ALL - Protect data, member and directory segments (any) with secret keys (no directory listing without a secret key)
NUMBER: METHOD=OTP-PBKDF2-10000-SHA3-512 - Select method for passphrase derivation and data key encryption [OTP-PBKDF2-10000-SHA3-512]
OTP-PBKDF2-10000-SHA3-512 - One time pad with PBKDF2 derived key value using 10000 iterations and SHA3-512 as hash function
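The following Python model shows what the PROTECT and METHOD settings above decide: a random key per segment type (data, member, directory), a pad derived from the password with PBKDF2 using 10000 iterations of HMAC-SHA3-512, and the PROTECT=DATA/LIST/ALL choice of which keys are wrapped under that pad and which fall under the default key. It is an added illustration, not FLAM's own code or on-disk format. Everything beyond what the help text states is an assumption of this model: 64-byte segment keys, a header layout with a salt and per-key entries, a key check value so that a wrong password is detected (a one-time pad alone gives no such signal), the default key modelled as a public, unstretched SHAKE256 expansion of the salt, and all function names.

```python
"""Model of PWD/PASSWORD with PROTECT=DATA/LIST/ALL and METHOD=OTP-PBKDF2-10000-SHA3-512.
Constructed illustration only; the header layout, key sizes and check values are assumptions."""
import hashlib
import hmac
import secrets
import struct

ITERATIONS = 10000                        # from METHOD=OTP-PBKDF2-10000-SHA3-512
LEVELS = ("data", "member", "directory")  # highest to lowest; access is cumulative
KEY_LEN = 64                              # one random key per segment type (assumed size)
PAD_LEN = KEY_LEN * len(LEVELS)           # pad long enough that every wrapped key gets its own slice
METHOD = "OTP-PBKDF2-10000-SHA3-512"


def pbkdf2_sha3_512(password, salt, iterations=ITERATIONS, dklen=PAD_LEN):
    """PBKDF2 (RFC 8018) with HMAC-SHA3-512 as the PRF, written out block by block."""
    hlen = hashlib.sha3_512().digest_size                  # 64 bytes per block
    out = b""
    for i in range(1, -(-dklen // hlen) + 1):              # ceil(dklen / hlen) blocks
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha3_512).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha3_512).digest()
            t ^= int.from_bytes(u, "big")                  # T_i = U_1 xor U_2 xor ... xor U_c
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def cross_check_with_stdlib(password, salt):
    """True if the linked OpenSSL offers PBKDF2-HMAC-SHA3-512 and agrees; None if it lacks SHA3."""
    try:
        ref = hashlib.pbkdf2_hmac("sha3_512", password, salt, ITERATIONS, PAD_LEN)
    except (ValueError, AttributeError):
        return None
    return ref == pbkdf2_sha3_512(password, salt)


def protected_levels(protect):
    """Keys wrapped under the password for each PROTECT value; the rest use the default key."""
    return {"DATA": ("data",), "LIST": ("data", "member"), "ALL": LEVELS}[protect.upper()]


def default_pad(salt):
    """The 'default key': public, so no stretching; modelled as a SHAKE256 expansion of the salt."""
    return hashlib.shake_256(b"model-default-key|" + salt).digest(PAD_LEN)


def _pad_slice(pad, level):
    i = LEVELS.index(level)
    return pad[i * KEY_LEN:(i + 1) * KEY_LEN]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _kcv(key):
    """Key check value (assumed): lets a wrong password be rejected instead of yielding garbage."""
    return hashlib.sha3_512(b"kcv|" + key).digest()[:8]


def create_header(password, protect="ALL"):
    """Archive creation: fresh random keyset, one password entry. Returns (header, keyset)."""
    salt = secrets.token_bytes(16)
    keyset = {lvl: secrets.token_bytes(KEY_LEN) for lvl in LEVELS}
    pw_pad, pub_pad = pbkdf2_sha3_512(password, salt), default_pad(salt)
    entries = {}
    for lvl in LEVELS:
        pad = pw_pad if lvl in protected_levels(protect) else pub_pad
        entries[lvl] = (_xor(keyset[lvl], _pad_slice(pad, lvl)), _kcv(keyset[lvl]))
    return {"method": METHOD, "protect": protect.upper(), "salt": salt, "keys": entries}, keyset


def open_archive(header, password=None):
    """Return {level: key} for every key the caller can unwrap; absent levels are denied."""
    protected = protected_levels(header["protect"])
    pads = {"default": default_pad(header["salt"])}
    if password is not None:
        pads["pw"] = pbkdf2_sha3_512(password, header["salt"])
    granted = {}
    for lvl, (wrapped, kcv) in header["keys"].items():
        pad = pads.get("pw" if lvl in protected else "default")
        if pad is None:
            continue                                        # protected key, no password supplied
        key = _xor(wrapped, _pad_slice(pad, lvl))
        if hmac.compare_digest(_kcv(key), kcv):
            granted[lvl] = key
    return granted


def granted_levels(protect, create_pw, open_pw=None):
    """Create an archive with PROTECT=protect under create_pw, open it with open_pw, list what opens."""
    header, keyset = create_header(create_pw, protect)
    granted = open_archive(header, open_pw)
    if any(granted[lvl] != keyset[lvl] for lvl in granted):
        raise RuntimeError("unwrapped key does not match the generated key")
    return sorted(granted)


if __name__ == "__main__":
    pw = b"correct horse battery staple"          # constructed sample password
    print("PROTECT=DATA, no password:", granted_levels("DATA", pw))
    print("PROTECT=DATA, password:   ", granted_levels("DATA", pw, pw))
    print("PROTECT=ALL,  no password:", granted_levels("ALL", pw))
```

Running the model with PROTECT=DATA and no password hands out the member and directory keys, which is exactly the situation the "use the PROTECT parameter with care" note describes: any keyset entry whose protection level is not ALL grants the lower levels without authentication. The key check value is the one piece of the model with no counterpart in the help text; without it, an XOR key wrap under a wrong password would simply produce an unusable key rather than a clear rejection.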