How does Crocodile access my source code?
Crocodile stores the source code files that are part of reviews to provide a
fast user experience. Every file is encrypted with per file data encryption
keys. The data encryption keys are then encrypted with a master encryption key.
All cryptographic operations are performed using Google Tink, which is a
cryptographic library created by cryptographers at Google that is designed to be misuse resistant.
Files are encrypted using Stream AEAD using AES128_GCM_HKDF_4KB key type as recommended by Google.
The data encryption keys above are encrypted using AEAD with a master AES128 key.
So, um, what's the story with the master encryption key? Are the master keys in their own file?
E.g., if Crocodile gets hacked, can the hackers pull up everyone's reviews (and sources)? Or
does all this encryption keep it encrypted at rest and require something from the user
(e.g., their password) to derive the master key?
