Descriptors encryption¶
To prevent malicious use of descriptors stolen from api or db descriptor encryption feature can be enabled. If enabled, only encrypted descriptor data will be kept in the database. Descriptors that are passed to save without encryption will be encrypted.
Encrypted descriptors are stored and received in following format: <encrypted_descriptor><tag><nonce><hash>
encrypted_descriptor - encrypted descriptor
tag - data used from message authentication
nonce - encryption initialization vector
hash - key + algorithm hash sum
Descriptors that have already been encrypted before saving must correspond with this format. Only descriptors that were encrypted with the current key and algorithm can be received from the database. When updating face descriptors, all descriptors with different key or algorithm will be deleted. It is assumed that all descriptors can be encrypted with only one key + algorithm pair at once.