fix(backups): change file encryption from aes256 to chacha20

vatesfr · Jan 9, 2025 · 88aab6f · 88aab6f
1 parent 93a11cf
commit 88aab6f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/@xen-orchestra/fs/src/_encryptor.js b/@xen-orchestra/fs/src/_encryptor.js
@@ -2,7 +2,8 @@ const { pipeline } = require('node:stream')
 const { readChunk } = require('@vates/read-chunk')
 const crypto = require('crypto')
 
-export const DEFAULT_ENCRYPTION_ALGORITHM = 'aes-256-gcm'
+const CHACHA20 = 'chacha20-poly1305'
+export const DEFAULT_ENCRYPTION_ALGORITHM = CHACHA20
 export const UNENCRYPTED_ALGORITHM = 'none'
 
 export function isLegacyEncryptionAlgorithm(algorithm) {
@@ -33,7 +34,8 @@ function getEncryptor(algorithm = DEFAULT_ENCRYPTION_ALGORITHM, key) {
     throw error
   }
   const { ivLength, mode } = info
-  const authTagLength = ['gcm', 'ccm', 'ocb'].includes(mode) ? 16 : 0
+  const authTagLength = ['gcm', 'ccm', 'ocb'].includes(mode) || algorithm === CHACHA20
+    ? 16 : 0
 
   function encryptStream(input) {
     return pipeline(

diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
@@ -15,6 +15,8 @@
 
 > Users must be able to say: “I had this issue, happy to know it's fixed”
 
+- [Backup] Fix "trying to add data in unsupported state" error on encrypted files size greater than 64GB
+
 ### Packages to release
 
 > When modifying a package, add it here with its release type.
@@ -31,4 +33,6 @@
 
 <!--packages-start-->
 
+- @xen-orchestra/fs patch
+
 <!--packages-end-->