Add default key obfuscation

deajan 2024-05-07 10:53:55 +02:00
parent deeaf9f157
commit f9585fe794
5 changed files with 33 additions and 2 deletions


@ -59,6 +59,7 @@ Works on x64 **Linux** , **NAS** solutions based on arm/arm64, **Windows** x64 a
- Full permissions including destructive operations
- Encrypted data viewing requires additional password
- AES-256 keys can't be guessed in executables thanks to Nuitka Commercial compiler
- External AES-256 keys are obfuscated
- Easy configuration via YAML file (or via GUI)
- Remote automatic self upgrade capacity
- Included upgrade server ready to run in production
@ -236,6 +237,8 @@ We also compile our linux target on RHEL 7 in order to be compatible with reason
arm and arm64 builds are compiled on Debian stretch for use with glibc > 2.24.
Additionnaly, arm builds are compiled without GUI support since they're supposed to fit on smaller devices like NAS / Raspberries.
On most Linux distributions, you might get your glibc version by running `find /usr -name "libc.so.6" -exec "{}" \;`
## Smart shield, antivirus and reputation
Official binaries for Windows provided by NetInvent are signed with a certificate, allowing to gain trust and reputation in antivirus analysis.


@ -55,3 +55,7 @@ Also, when wrong password is entered, we should wait in order to reduce brute fo
When using retention policies, we need to make sure that current system date is good, in order to avoid wrong retention deletions.
When set, an external NTP server is used to get the offset. If offset is high enough (10 min), we avoid executing the retention policies.
# NPF-SEC-00011: Default AES key obfuscation
Using obfuscation() symmetric function in order to not store the bare AES key.


@ -46,9 +46,12 @@ try:
except ImportError:
EARLIER_AES_KEY = None
except ImportError:
# If no private keys are used, then let's use the public ones
try:
from npbackup.secret_keys import AES_KEY
from npbackup.obfuscation import obfuscation
AES_KEY = obfuscation(AES_KEY)
IS_PRIV_BUILD = False
try:
from npbackup.secret_keys import EARLIER_AES_KEY
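Review bot: Only `AES_KEY` is passed through `obfuscation()` in this fallback branch; the `EARLIER_AES_KEY` imported from the same `npbackup.secret_keys` module two lines later is used as-is in the lines visible here. If `secret_keys.py` now stores both values in obfuscated form, the earlier key would stay obfuscated and data protected with it would fail to decrypt, so it likely needs `EARLIER_AES_KEY = obfuscation(EARLIER_AES_KEY)` after its import. The `try` block continues past the end of the hunk, and the private-key branch above starts before it, so whether either is handled elsewhere cannot be confirmed from here. A comment such as `# secret_keys stores the obfuscated form; obfuscation() restores the real key` would also make the direction of the transform explicit.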


@ -8,6 +8,7 @@ __intname__ = "npbackup.get_key"
import os
from command_runner import command_runner
from npbackup.obfuscation import obfuscation
def get_aes_key():
@ -32,4 +33,4 @@ def get_aes_key():
msg = f"Cannot run encryption key command: {output}"
return False, msg
key = output
return key
return obfuscation(key)
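Review bot: `return obfuscation(key)` passes the command output straight into a function annotated `bytes -> bytes` that XORs each element with an int, which raises `TypeError` when `key` is a `str`. The `command_runner` call is outside the hunk, so the type of `output` cannot be confirmed from here; if it is text, convert it first, for example `return obfuscation(key.encode("utf-8"))`. Note also that the failure path in the visible context returns a `(False, msg)` tuple while the success path now returns bytes, so the docstring of `get_aes_key()` should state both shapes and that the command is expected to print the obfuscated form of the key.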

20
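--- /dev/null
+++ b/npbackup/obfuscation.py
@@ -0,0 +1,20 @@
+#! /usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# This file is part of npbackup
+__intname__ = "npbackup.obfuscation"
+# NPF-SEC-00011: Default AES key obfuscation
+def obfuscation(key: bytes) -> bytes:
+"""
+Symmetric obfuscation of bytes
+"""
+if key:
+keyword = b"/*NPBackup 2024*/"
+key_length = len(keyword)
+return bytes(c ^ keyword[i % key_length] for i, c in enumerate(key))
+return key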
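Review bot: The docstring of `obfuscation()` should state that this is a repeating-key XOR against a constant that ships in the source, so it only keeps the bare key out of casual view and gives no confidentiality. I would write it as `"""Symmetric XOR obfuscation of bytes with a fixed keyword; reversible by anyone with the source, not encryption. Applying it twice returns the input."""`. Without that, the README line "External AES-256 keys are obfuscated" may be read as a protection in its own right, when the key file or key command still needs restricted permissions. The function also accepts any truthy value, so a `str` argument fails inside the generator with a `TypeError`; an explicit `isinstance(key, (bytes, bytearray))` check with a clear error message would make that failure easier to diagnose.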