implementing-aes-encryption-for-data-at-rest
AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m
Best use case
implementing-aes-encryption-for-data-at-rest is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m
Teams using implementing-aes-encryption-for-data-at-rest should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-aes-encryption-for-data-at-rest/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-aes-encryption-for-data-at-rest Compares
| Feature / Agent | implementing-aes-encryption-for-data-at-rest | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Implementing AES Encryption for Data at Rest ## Overview AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM mode for encrypting files and data stores at rest, including proper key derivation, IV/nonce management, and authenticated encryption. ## When to Use - When deploying or configuring implementing aes encryption for data at rest capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Familiarity with cryptography concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Objectives - Implement AES-256-GCM encryption and decryption for files - Derive encryption keys from passwords using PBKDF2 and Argon2 - Manage initialization vectors (IVs) and nonces securely - Encrypt and decrypt entire directory trees - Implement authenticated encryption to detect tampering - Handle large files with streaming encryption ## Key Concepts ### AES Modes of Operation | Mode | Authentication | Parallelizable | Use Case | |------|---------------|----------------|----------| | GCM | Yes (AEAD) | Yes | Network data, file encryption | | CBC | No | Decrypt only | Legacy systems, disk encryption | | CTR | No | Yes | Streaming encryption | | CCM | Yes (AEAD) | No | IoT, constrained environments | ### Key Derivation Never use raw passwords as encryption keys. Always derive keys using: - **PBKDF2**: NIST-approved, widely supported (minimum 600,000 iterations as of 2024) - **Argon2id**: Winner of Password Hashing Competition, memory-hard - **scrypt**: Memory-hard, good alternative to Argon2 ### Nonce/IV Management - GCM requires a 96-bit (12-byte) nonce that must NEVER be reused with the same key - Generate nonces using `os.urandom()` (CSPRNG) - Store nonce alongside ciphertext (it is not secret) ## Workflow 1. Install the `cryptography` library: `pip install cryptography` 2. Generate or derive an encryption key 3. Create a random nonce for each encryption operation 4. Encrypt data using AES-256-GCM with the key and nonce 5. Store nonce + ciphertext + authentication tag together 6. For decryption, extract nonce, verify tag, and decrypt ## Encrypted File Format ``` [salt: 16 bytes][nonce: 12 bytes][ciphertext: variable][tag: 16 bytes] ``` ## Security Considerations - Always use authenticated encryption (GCM, CCM) to prevent tampering - Never reuse a nonce with the same key (catastrophic in GCM) - Use at least 256-bit keys for long-term data protection - Securely wipe keys from memory after use when possible - Rotate encryption keys periodically per organizational policy - For disk-level encryption, consider XTS mode (AES-XTS) ## Validation Criteria - [ ] AES-256-GCM encryption produces valid ciphertext - [ ] Decryption recovers original plaintext exactly - [ ] Authentication tag detects any ciphertext modification - [ ] Key derivation uses sufficient iterations/parameters - [ ] Nonces are never reused for the same key - [ ] Large files (>1GB) can be processed via streaming - [ ] Encrypted file format includes all necessary metadata