
Roadmap note: convert vague bullets without acceptance criteria into checkbox tasks. Format: - [ ] <Task> (Target: <Q/Year>).

User Encrypted Storage Plugin Roadmap

Current Status

v0.1.0 — All three FUTURE_ENHANCEMENTS items (stdin key delivery, Argon2id KDF, key rotation persistence) are implemented and tested. GocryptfsBackend quality is now ≥ 90/100; KeyRotationScheduler retains Production-Ready (100/100).


Completed ✅

  • GocryptfsBackend: fork/execvp-based FUSE container lifecycle
  • Safe subprocess execution: executeCommandSafe() with fork/execvp
  • Stdin key delivery: executeCommandWithStdin() + deliverKeyViaStdin(); key passed via pipe to gocryptfs -passfile /dev/stdin; explicit_bzero clears pipe buffer; no key material written to /tmp
  • KeyDerivationService interface + Argon2idKeyDerivationService (m=65536, t=3, p=4, output=32 bytes); per-container salt in .themis_kdf_salt
  • GocryptfsBackend(KeyDerivationService*) constructor + resolveKey()
  • isMounted() via /proc/mounts (Linux) and mount output (macOS)
  • checkAvailability() — validates gocryptfs binary and /dev/fuse
  • KeyRotationScheduler — per-SecurityLevel rotation with background thread
  • IRotationStore + persistence: last_check_ms and interval_days written to store after each callback; state loaded on scheduleRotation()
  • shutdown() uses condition_variable for immediate thread wake
  • MultiLevelEncryptedStorage — HOT/WARM/COLD tier orchestration
  • 20 unit + integration tests (test_user_storage_features.cpp)
  • CI workflow (user-storage-encrypted-ci.yml)
  • Deprecated executeCommand() fully removed (v0.3.0); all call sites use executeCommandSafe()
  • reconcileStaleMounts() — scans /proc/mounts for orphaned FUSE mounts on startup; unmounts via fusermount -u / umount fallback; non-fatal; called from initialize()

In Progress [~]

  • [~] Integration tests: create → mount → write file → unmount → re-mount → verify file (Target: Q3 2026)

Planned Features

v0.1.0 — Hardening and Tests ✅ (2026-03-24)

  • Fix const_cast in createPasswordFile() — returns Result<std::string> (done)
  • Secure key delivery via stdin pipe instead of /tmp password file (done)
  • Argon2id KDF (Argon2idKeyDerivationService, m=65536/t=3/p=4) (done)
  • IRotationStore persistence for KeyRotationScheduler (done)
  • 20 unit tests (AC-SD, AC-KDF, AC-PRS, AC-GCF) (done)
  • Integration tests: create → mount → write file → unmount → re-mount → verify file (Target: Q3 2026)
  • Remove deprecated executeCommand() after confirming no external callers (v0.3.0)

v0.2.0 — Stale Mount Reconciliation ✅ (2026-03-25)

  • reconcileStaleMounts() — scans /proc/mounts for orphaned FUSE mounts, unmounts via fusermount -u / umount fallback, non-fatal (done)
  • Called from initialize() before initializeLevel() (done)
  • 5 StaleMountReconciliationTest tests (done)
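How a /proc/mounts scan of the kind reconcileStaleMounts() performs (Completed list and v0.2.0 above) can pick out leftover gocryptfs mounts, including mount points with escaped characters. This is an added example, not the plugin's code: the function names, the base directory /var/lib/themis/users and the sample /proc/mounts lines are constructed; the one assumption about the real system is that gocryptfs mounts appear with fstype fuse.gocryptfs.

```cpp
#include <sstream>
#include <string>
#include <vector>

// /proc/mounts encodes space, tab, newline and backslash inside paths as
// octal escapes (\040, \011, \012, \134); decode them before comparing paths.
std::string unescapeMountField(const std::string& f) {
    std::string out;
    for (size_t i = 0; i < f.size(); ++i) {
        if (f[i] == '\\' && i + 3 < f.size()) {
            out += static_cast<char>(std::stoi(f.substr(i + 1, 3), nullptr, 8));
            i += 3;
        } else {
            out += f[i];
        }
    }
    return out;
}

// Returns the mount points of fuse.gocryptfs mounts located under baseDir.
// Run at startup, before this process has mounted anything itself, every hit
// is a leftover from a previous run and a candidate for fusermount -u.
std::vector<std::string> findStaleGocryptfsMounts(const std::string& procMounts,
                                                   const std::string& baseDir) {
    std::vector<std::string> hits;
    std::istringstream in(procMounts);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string source, mountPoint, fstype;   // columns 1-3 of each record
        if (!(fields >> source >> mountPoint >> fstype)) continue;
        if (fstype != "fuse.gocryptfs") continue;
        std::string path = unescapeMountField(mountPoint);
        // Prefix match on a path boundary, so /users/alice matches /users but
        // /users2/alice does not.
        bool under = path.compare(0, baseDir.size(), baseDir) == 0 &&
                     (path.size() == baseDir.size() || path[baseDir.size()] == '/');
        if (under) hits.push_back(path);
    }
    return hits;
}

// Constructed sample of /proc/mounts content (not captured from a real host):
// an unrelated mount, two gocryptfs mounts under the assumed base directory
// (one mount point containing an escaped space) and one gocryptfs mount elsewhere.
const std::string kSampleProcMounts =
    "proc /proc proc rw,nosuid,nodev,noexec 0 0\n"
    "/srv/cipher/alice /var/lib/themis/users/alice fuse.gocryptfs rw,nosuid,nodev,user_id=1000 0 0\n"
    "/srv/cipher/bob /var/lib/themis/users/bob\\040smith fuse.gocryptfs rw,nosuid,nodev 0 0\n"
    "/srv/cipher/other /mnt/other fuse.gocryptfs rw 0 0\n";
```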

v0.3.0 — Monitoring and Multi-User (Target: Q3 2026)

  • Prometheus metrics — StorageMetrics struct + MultiLevelEncryptedStorage::getMetricsText() (v0.3.0)
    • Metric families: user_storage_mounts_active (gauge), user_storage_mount_operations_total (counter, label: operation), user_storage_key_rotations_total (counter), user_storage_container_size_bytes (gauge)
    • Counters updated in mountLevel(), unmountLevel(), rotateKey(); recordKeyRotation() public for external callers
    • All atomic; thread-safe; overhead ≤ 0.1 ms per operation
  • Remove deprecated GocryptfsBackend::executeCommand() (v0.3.0)
    • Replaced all 3 call sites (checkAvailability, getBackendVersion, isMounted) with executeCommandSafe()
    • Removed declaration from gocryptfs_backend.hpp and implementation from gocryptfs_backend.cpp
  • Stale mount reconciliation on startup via /proc/mounts scan (Target: Q3 2026) → Implemented in v0.2.0: reconcileStaleMounts() scans for orphaned FUSE mounts; see v0.2.0 section above
  • Per-user container isolation: one encrypted dir per user_id (Target: Q1 2027)
  • Storage quota enforcement per container (Target: Q1 2027)

Implementation Phases

Phase 1: Design / API Contract ✅

  • Define GocryptfsBackend container lifecycle API
  • Define KeyRotationScheduler SecurityLevel → schedule mapping
  • Define MultiLevelEncryptedStorage tier model

Phase 2: Core Implementation ✅

  • executeCommandSafe() via fork/execvp
  • executeCommandWithStdin() + deliverKeyViaStdin() for stdin key delivery
  • KeyDerivationService + Argon2idKeyDerivationService (libargon2)
  • resolveKey() in GocryptfsBackend integrating KDF with per-container salt
  • IRotationStore interface + persistence in KeyRotationScheduler
  • isMounted() via /proc/mounts
  • KeyRotationScheduler::schedulerLoop() background thread with condition_variable

Phase 3: Error Handling & Edge Cases ✅

  • Already-mounted guard in mountContainer()
  • Not-mounted guard in unmountContainer()
  • _exit(127) in child on execvp failure
  • Exit code check in parent with error propagation
  • explicit_bzero clears pipe buffer after key write
  • Corrupted persisted rotation state is silently ignored
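The stdin key delivery path (executeCommandWithStdin() + deliverKeyViaStdin() in the Completed list) together with the Phase 3 guards above (_exit(127) when execvp fails, exit code propagated to the parent, explicit_bzero after the key is written), combined into one stand-alone helper. This is an added example, not the plugin's code: runWithStdinSecret and the demo functions are hypothetical names, and sh stands in for the gocryptfs binary that the real backend invokes with -passfile /dev/stdin.

```cpp
#include <string.h>      // explicit_bzero (glibc 2.25+)
#include <sys/wait.h>
#include <unistd.h>
#include <string>
#include <vector>

// Runs argv via fork/execvp with `secret` fed to the child's stdin through a
// pipe. Returns the child's exit code, 127 if exec failed, -1 on setup error.
// The caller's buffer is wiped with explicit_bzero right after it is written.
int runWithStdinSecret(const std::vector<std::string>& argv, std::string& secret) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        // Child: stdin becomes the pipe's read end; argv is exec'd directly,
        // without a shell, so argument contents cannot be parsed as commands.
        close(fds[1]);
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        std::vector<char*> args;
        for (const auto& a : argv) args.push_back(const_cast<char*>(a.c_str()));
        args.push_back(nullptr);
        execvp(args[0], args.data());
        _exit(127);   // exec failed: conventional "command not found" code
    }
    // Parent: write the secret, wipe it, then close so the child sees EOF.
    close(fds[0]);
    const char* p = secret.data();
    size_t left = secret.size();
    while (left > 0) {
        ssize_t n = write(fds[1], p, left);
        if (n <= 0) break;
        p += n; left -= n;
    }
    if (!secret.empty()) explicit_bzero(&secret[0], secret.size());
    close(fds[1]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
// Demo: sh stands in for `gocryptfs -passfile /dev/stdin`, reading one line and
// comparing it with a constructed key; true if it arrived and the copy was wiped.
bool demoStdinDelivery() {
    std::string key = "constructed-demo-key\n";   // constructed sample, not a real key
    int rc = runWithStdinSecret({"sh", "-c", "read k; [ \"$k\" = constructed-demo-key ]"}, key);
    return rc == 0 && key.find_first_not_of('\0') == std::string::npos;
}
// Demo: a missing binary makes the child report 127 (empty secret, nothing written).
int demoExecFailure() { std::string none; return runWithStdinSecret({"/nonexistent/demo-binary"}, none); }
```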

Phase 4: Tests ✅

  • 20 unit tests: stdin delivery, Argon2id KDF, IRotationStore persistence, GocryptfsBackend (done)
  • 5 stale mount reconciliation tests (done)
  • 12 v0.3.0 metric + deprecation tests (test_user_storage_v03_focused, USE-01..12) (done)
  • Integration tests (Target: Q3 2026)

Phase 5: Performance / Hardening ✅

  • Stdin key delivery eliminates /tmp key file window
  • Argon2id KDF: latency ≤ 200 ms on reference hardware (40 ms measured in CI)
  • condition_variable in scheduler enables immediate shutdown

Phase 6: Documentation & Acceptance ✅

  • README, ARCHITECTURE, AUDIT, CHANGELOG, ROADMAP, SECURITY, FUTURE_ENHANCEMENTS

Production Readiness Checklist

| Area | Status | Notes |
| --- | --- | --- |
| GocryptfsBackend core API | | create/mount/unmount/isMounted implemented |
| Safe subprocess | | fork/execvp; no shell injection possible |
| Stdin key delivery | | Pipe + explicit_bzero; no filesystem trace |
| Argon2id KDF | | Argon2idKeyDerivationService; m=65536, t=3, p=4 |
| Key rotation persistence | | IRotationStore; JSON state per SecurityLevel |
| KeyRotationScheduler | | Production-Ready; condition_variable shutdown |
| Tests | | 20 v0.1.0 + 5 v0.2.0 stale-mount + 12 v0.3.0 metric tests |
| Prometheus metrics | | getMetricsText() — 4 families, std::atomic, thread-safe (v0.3.0) |
| executeCommand() removed | | All call sites migrated to executeCommandSafe() (v0.3.0) |
| CI | | user-storage-encrypted-ci.yml |

Known Issues & Limitations

  • getBackendVersion() uses const_cast to call executeCommandSafe() on a const object (cosmetic; executeCommand() fully removed in v0.3.0).
  • Stale mount reconciliation on startup is planned but not yet implemented (FUTURE_ENHANCEMENTS §4).
  • Per-user container isolation and storage quota enforcement are planned for v0.3.0 / Q1 2027.

Latent Symbols (Unused-Functions Audit)

As of: 2026-04-20 – Source: src/UNUSED_FUNCTIONS_REPORT.md

✅ Active (implemented + external caller confirmed)

  • createContainer – Creates an encrypted Gocryptfs container; plugin tests + implementation present
  • mountContainer – Mounts a Gocryptfs container; tests + benchmark present
  • unmountContainer – Unmounts a container; benchmark present
  • isMounted – Checks whether a container is mounted; used in usb_volume_hardening.cpp
  • GocryptfsBackend – Backend implementation for Gocryptfs-encrypted storage