Add CryptoOptions.GenerateSalt() and DeriveKey() helpers; fix encryption documentation#128
Conversation
…ion docs - Add CryptoOptions.GenerateSalt() returning 32 cryptographically random bytes - Add CryptoOptions.DeriveKey(passphrase, salt, iterations) for external key derivation - Update README.md encryption section with correct namespace (BLite.Core.Encryption), simple passphrase examples, DocumentDbContext pattern, and advanced salt-file workflow - Update doc comments to remove OWASP year reference - Add 8 new tests covering the new static helpers Fixes #127
|
@copilot the documentation mentioned is the one published in the public website (please see https://github.com/EntglDb/BLite.Website) we'd rather check if there are other wrong assumptions in the documentation and plan the fix in the source code (if makes sense) or open an issue in the documentation repo |
I've reviewed the BLite.Website docs page by page against the source code. Here's the full picture: Source code fixes applied in this PR
Issues to track in BLite.Website
|
There was a problem hiding this comment.
Pull request overview
This PR aligns the published encryption documentation with the actual BLite.Core.Encryption API by adding the missing CryptoOptions.GenerateSalt() and CryptoOptions.DeriveKey() helpers and updating the README encryption guidance accordingly.
Changes:
- Add
CryptoOptions.GenerateSalt()andCryptoOptions.DeriveKey(...)helpers and corresponding unit tests. - Rewrite/expand README encryption section with correct namespace and multiple usage modes (simple passphrase, salt-file workflow, master-key mode).
- Update WAL encryption tests to use
async Task+awaitinstead of blocking on async calls.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/BLite.Tests/EncryptionTests.cs | Adds coverage for the new CryptoOptions helpers and modernizes WAL tests to be properly async. |
| src/BLite.Core/Encryption/CryptoOptions.cs | Introduces GenerateSalt() and DeriveKey() and updates KDF documentation wording. |
| src/BLite.Core/Collections/DocumentCollection.cs | Changes retention-policy setter visibility and updates its XML docs. |
| README.md | Rewrites the encryption documentation with corrected namespace and new helper-based examples. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| /// <summary> | ||
| /// Generates a cryptographically random 32-byte salt suitable for use with | ||
| /// <see cref="DeriveKey(string, byte[])"/> or manual PBKDF2 key derivation via | ||
| /// <see cref="System.Security.Cryptography.Rfc2898DeriveBytes"/>. | ||
| /// </summary> |
| public static byte[] DeriveKey(string passphrase, byte[] salt, int iterations = 600_000) | ||
| { | ||
| if (string.IsNullOrEmpty(passphrase)) | ||
| throw new ArgumentNullException(nameof(passphrase)); | ||
| if (salt is null || salt.Length < 16) | ||
| throw new ArgumentException("Salt must be at least 16 bytes.", nameof(salt)); | ||
| if (iterations < 1) | ||
| throw new ArgumentOutOfRangeException(nameof(iterations), "Iterations must be at least 1."); | ||
|
|
||
| return KeyDerivation.DeriveKeyPbkdf2(passphrase, salt, iterations); | ||
| } |
| /// <summary> | ||
| /// Configures a generalized retention policy for this collection. | ||
| /// The policy is persisted in collection metadata and survives engine restarts. | ||
| /// Called internally from <see cref="DocumentDbContext"/> when applying builder configuration. | ||
| /// Can be called directly on the collection or via the model builder in | ||
| /// <see cref="DocumentDbContext"/> configuration. | ||
| /// </summary> | ||
| internal void SetRetentionPolicy(RetentionPolicy policy) | ||
| /// <param name="policy">The retention policy to apply. Must not be null.</param> | ||
| public void SetRetentionPolicy(RetentionPolicy policy) |
The published encryption docs referenced
using BLite.Core.Crypto;(wrong namespace),CryptoOptions.GenerateSalt(), andCryptoOptions.DeriveKey()— none of which existed inBLite.Core5.0.2.API additions (
CryptoOptions)GenerateSalt()— static, returnsbyte[32]of cryptographically random bytes viaRandomNumberGenerator.FillDeriveKey(string passphrase, byte[] salt, int iterations = 600_000)— static PBKDF2-SHA256 wrapper; result is suitable forCryptoOptions.FromMasterKey(key)These make the documented "external salt file" pattern functional:
README encryption section rewrite
using BLite.Core.Encryption;)new CryptoOptions("passphrase")with salt auto-managed in the 64-byte file header; no salt file neededDocumentDbContextwith encryption example