Agent skill

implementing-aes-encryption-for-data-at-rest

AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m

View SKILL.md on GitHub Repository
Stars 0
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/implementing-aes-encryption-for-data-at-rest

SKILL.md

Implementing AES Encryption for Data at Rest

Overview

AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM mode for encrypting files and data stores at rest, including proper key derivation, IV/nonce management, and authenticated encryption.

Objectives

  • Implement AES-256-GCM encryption and decryption for files
  • Derive encryption keys from passwords using PBKDF2 and Argon2
  • Manage initialization vectors (IVs) and nonces securely
  • Encrypt and decrypt entire directory trees
  • Implement authenticated encryption to detect tampering
  • Handle large files with streaming encryption

Key Concepts

AES Modes of Operation

Mode Authentication Parallelizable Use Case
GCM Yes (AEAD) Yes Network data, file encryption
CBC No Decrypt only Legacy systems, disk encryption
CTR No Yes Streaming encryption
CCM Yes (AEAD) No IoT, constrained environments

Key Derivation

Never use raw passwords as encryption keys. Always derive keys using:

  • PBKDF2: NIST-approved, widely supported (minimum 600,000 iterations as of 2024)
  • Argon2id: Winner of Password Hashing Competition, memory-hard
  • scrypt: Memory-hard, good alternative to Argon2

Nonce/IV Management

  • GCM requires a 96-bit (12-byte) nonce that must NEVER be reused with the same key
  • Generate nonces using os.urandom() (CSPRNG)
  • Store nonce alongside ciphertext (it is not secret)

Implementation Steps

  1. Install the cryptography library: pip install cryptography
  2. Generate or derive an encryption key
  3. Create a random nonce for each encryption operation
  4. Encrypt data using AES-256-GCM with the key and nonce
  5. Store nonce + ciphertext + authentication tag together
  6. For decryption, extract nonce, verify tag, and decrypt

Encrypted File Format

[salt: 16 bytes][nonce: 12 bytes][ciphertext: variable][tag: 16 bytes]

Security Considerations

  • Always use authenticated encryption (GCM, CCM) to prevent tampering
  • Never reuse a nonce with the same key (catastrophic in GCM)
  • Use at least 256-bit keys for long-term data protection
  • Securely wipe keys from memory after use when possible
  • Rotate encryption keys periodically per organizational policy
  • For disk-level encryption, consider XTS mode (AES-XTS)

Validation Criteria

  • AES-256-GCM encryption produces valid ciphertext
  • Decryption recovers original plaintext exactly
  • Authentication tag detects any ciphertext modification
  • Key derivation uses sufficient iterations/parameters
  • Nonces are never reused for the same key
  • Large files (>1GB) can be processed via streaming
  • Encrypted file format includes all necessary metadata

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

autohandai/community-skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

0 0
Explore
autohandai/community-skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

0 0
Explore
autohandai/community-skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

0 0
Explore
autohandai/community-skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

0 0
Explore
autohandai/community-skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

0 0
Explore
autohandai/community-skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

0 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results