# File Formats

## Encrypted File Format

[Noise Handshake Message] - 132 bytes (4 prologue + 128 noise handshake)
4  bytes : prologue is 101, 103, 107 + Version 0x10 (65 67 6B 10)
32 bytes : ephemeral public key
48 bytes : chapoly encrypted 32 byte public key (+ 16 byte tag)
48 bytes : chapoly encrypted 32 byte symmetric key payload (+ 16 byte tag)

[Encrypted Plaintext Chunks] (overhead of 32)
8  bytes : chunk number
4  bytes : last chunk indicator
4  bytes : ciphertext length
X  bytes : ciphertext
16 bytes : ciphertext tag

Chunks may repeat many times. Chunks are 64KiB by default. Chunk number
increases sequentially and is used as the nonce.
Last chunk indicator is set to 1 for the last chunk in the message.
Ciphertext length and last chunk indicator are included in the additional
authenticated data.


## Password Derived Symmetric Encryption

[HEADER] - 36 bytes
4  bytes : 101, 103, 107 + Version 0x20 (65 67 6B 20)
32 bytes : salt

[Encrypted Plaintext Chunks] (overhead of 32)
8  bytes : chunk number
4  bytes : last chunk indicator
4  bytes : ciphertext length
X  bytes : ciphertext
16 bytes : ciphertext tag

Chunks may repeat many times. Chunks are 64KiB by default.
Last chunk indicator is set to 1 for the last chunk in the message.
Header magic number, chunk number, and last chunk indicator are included in
the additional authenticated data for each chunk.


## Encrypted Private Key Format

[HEADER] - 18 bytes
2  bytes : Version 1 (00 01)
16 bytes : salt

[Encrypted Plaintext] - (Overhead of 16)
32 bytes : ciphertext of private key
16 bytes : ciphertext tag

The 2 byte version header is included as additional authenticated data.
Salt is not included as AAD because it gets included as part of key
derivation. The chapoly nonce is fixed at zero because the scrypt salt is
random, resulting in a fresh key each time.
