Add encryption_algorithm setter for changing cipher on existing databases

- Add setter that accepts string or Cipher enum
- Automatically regenerates IV with correct size for new cipher
- Works on both KDBX3 and KDBX4 databases
- Add 4 tests for cipher setter functionality

Author: coreyleavitt

pykeepass/kdbx_parsing/__init__.py

@@ -8,6 +8,7 @@
     AesKdfConfig,
     Cipher,
     KdfAlgorithm,
+    IV_SIZES,
 )
 
 __all__ = [
@@ -20,4 +21,5 @@
     "AesKdfConfig",
     "Cipher",
     "KdfAlgorithm",
+    "IV_SIZES",
 ]

pykeepass/pykeepass.py

@@ -33,6 +33,7 @@
     AesKdfConfig,
     Cipher,
     KdfAlgorithm,
+    IV_SIZES,
 )
 from .xpath import attachment_xp, entry_xp, group_xp, path_xp
 
@@ -201,6 +202,18 @@ def encryption_algorithm(self):
         Can be one of 'aes256', 'chacha20', or 'twofish'."""
         return self.kdbx.header.value.dynamic_header.cipher_id.data
 
+    @encryption_algorithm.setter
+    def encryption_algorithm(self, value):
+        """Set encryption algorithm. Regenerates IV with correct size for new cipher."""
+        if isinstance(value, Cipher):
+            value = value.value
+        if value not in IV_SIZES:
+            raise ValueError(f"Invalid encryption algorithm: {value}. Must be one of {list(IV_SIZES.keys())}")
+        self.kdbx.header.value.dynamic_header.cipher_id.data = value
+        # Regenerate IV with correct size for new cipher
+        self.kdbx.header.value.dynamic_header.encryption_iv.data = os.urandom(IV_SIZES[value])
+        self._invalidate_header_cache()
+
     @property
     def kdf_algorithm(self):
         """`str`: key derivation algorithm used by database during decryption.

tests/tests.py

@@ -1584,6 +1584,64 @@ def test_argon2_variant_invalid_value(self):
                 kp.argon2_variant = 'invalid'
 
 
+class CipherSetterTests(unittest.TestCase):
+    """Tests for encryption_algorithm setter"""
+
+    def test_cipher_setter_kdbx4(self):
+        """Test changing cipher on KDBX4 database"""
+        import tempfile
+        with tempfile.NamedTemporaryFile(suffix='.kdbx', delete=False) as f:
+            db_path = f.name
+        try:
+            kp = create_database(db_path, password='testpass')
+            kp.add_entry(kp.root_group, 'Test Entry', 'user', 'secret123')
+            self.assertEqual(kp.encryption_algorithm, 'aes256')
+
+            kp.encryption_algorithm = 'chacha20'
+            kp.save()
+
+            kp2 = PyKeePass(db_path, password='testpass')
+            self.assertEqual(kp2.encryption_algorithm, 'chacha20')
+            entry = kp2.find_entries(title='Test Entry', first=True)
+            self.assertEqual(entry.password, 'secret123')
+        finally:
+            os.unlink(db_path)
+
+    def test_cipher_setter_kdbx3(self):
+        """Test changing cipher on KDBX3 database"""
+        import tempfile
+        with tempfile.NamedTemporaryFile(suffix='.kdbx', delete=False) as f:
+            db_path = f.name
+        try:
+            kp = create_database(db_path, password='testpass', version=3)
+            kp.add_entry(kp.root_group, 'Test Entry', 'user', 'secret123')
+            self.assertEqual(kp.encryption_algorithm, 'aes256')
+
+            kp.encryption_algorithm = 'twofish'
+            kp.save()
+
+            kp2 = PyKeePass(db_path, password='testpass')
+            self.assertEqual(kp2.encryption_algorithm, 'twofish')
+            entry = kp2.find_entries(title='Test Entry', first=True)
+            self.assertEqual(entry.password, 'secret123')
+        finally:
+            os.unlink(db_path)
+
+    def test_cipher_setter_with_enum(self):
+        """Test setting cipher using Cipher enum"""
+        with BytesIO() as stream:
+            kp = create_database(stream, password='testpass')
+            kp.encryption_algorithm = Cipher.CHACHA20
+            self.assertEqual(kp.encryption_algorithm, 'chacha20')
+
+    def test_cipher_setter_invalid_value(self):
+        """Test that invalid cipher raises error"""
+        with BytesIO() as stream:
+            kp = create_database(stream, password='testpass')
+            with self.assertRaises(ValueError):
+                kp.encryption_algorithm = 'invalid'
+
+
 class KDBX3CreateDatabaseTests(unittest.TestCase):
     """Tests for KDBX3 database creation"""