Skip to content

Encryption

Overview

PZip uses AES-GCM with 256-bit keys, 96-bit nonces (by default), and 128-bit authentication tags. Keys are derived using one of the following, based on the source key material:

  • PBKDF2-SHA256 with a configurable iteration count (currently 200,000) if the key material is a password
  • HKDF-SHA256 if the key material is a random key

PZip also has the option to use raw keys with no derivation.

The PZip format is essentially an implemetation of the STREAM protocol, a nonce-based OAE scheme.

A random 96-bit nonce is generated by default for each file, but may also be supplied via the Python interface for systems that can more strongly guarantee uniqueness. When deriving keys, a random 256-bit salt is generated by default, but may also be provided manually.

The ciphertext of a PZip file is split into some number of blocks. Each block is independently encrypted, prefixed with the length of the block (and a set of flags), and has a 128-bit AES-GCM authentication tag appended to the end. The nonce for each block (Nb) is calculated as follows, for block number B and original file nonce N:

  1. B is converted to a 32-bit big endian unsigned integer, and left padded with zero bits to be the same length as N.
  2. N is XOR-ed with B to get the block nonce, Nb.