CREAM(5) File Formats Manual CREAM(5)

creamEncrypted stream data format

cream data is the concatenation of a 16 bytes salt, and a flow of encrypted data.

Data is encrypted with a key derivated from a and a .

XChaCha20-Poly1305 is used to encrypt the data. It is a symetrical cipher, so key used to encrypt the data must be used to decrypt it.

In order to encrypt, or decrypt a continuous stream, the input data is split in chunks, and a new key is generated to encrypt it. The smaller chunks are, the more keys are computed for a given amount of data.

To lower computation cycles, or accomodate memory-constrained system, the buffer size can be changed. However, this buffer size must be the same for both encryption and decryption, otherwise resulting in a failure to decrypt the data.

Argon2id is used to derivate the key from a password + salt combo.

The master password must be known to both parties, and the salt is sent as the first 16 bytes of the stream. This means that the receiver must only know the password to decrypt the data.

Computing an Argon2id key takes multiple factor into accounts:

Defines the amount of computation realized and therefore the execution time, given in number of iterations
Defines the memory usage, given in kibibytes.
Defines the number of parallel threads.

Changing these parameters will affect the speed at which the key will be computed, but will also change the key itself.

For use as a symmetric key, you will want to use the exact same parameters for both encryption and decryption, otherwise decryption of the stream will be impossible.


Willy Goiffon <>

2022-09-15 POSIX.1-2017