Add encryption_algorithm and kdf_algorithm setters

Resolves libkeepass#233 - adds the ability to change encryption
cipher and KDF algorithm on existing databases.

- encryption_algorithm setter: change cipher (aes256, chacha20, twofish)
  with automatic IV regeneration for correct size
- kdf_algorithm setter: change KDF on KDBX4 (argon2id, argon2d, aeskdf)
  with new salt generation and default parameters
- Add build_kdf_parameters_aeskdf helper for AES-KDF parameter structure
- Normalize kdf_algorithm getter to return 'argon2d' instead of 'argon2'
- Add comprehensive tests for both setters

Author: coreyleavitt

pykeepass/kdbx_parsing/__init__.py

@@ -4,10 +4,13 @@
     build_kdbx_structure,
     build_kdbx3_structure,
     build_kdbx4_structure,
+    build_kdf_parameters_argon2,
+    build_kdf_parameters_aeskdf,
     Argon2Config,
     AesKdfConfig,
     Cipher,
     KdfAlgorithm,
+    IV_SIZES,
 )
 
 __all__ = [
@@ -16,8 +19,11 @@
     "build_kdbx_structure",
     "build_kdbx3_structure",
     "build_kdbx4_structure",
+    "build_kdf_parameters_argon2",
+    "build_kdf_parameters_aeskdf",
     "Argon2Config",
     "AesKdfConfig",
     "Cipher",
     "KdfAlgorithm",
+    "IV_SIZES",
 ]

pykeepass/kdbx_parsing/builder.py

@@ -296,6 +296,26 @@ def build_kdf_parameters_argon2(kdf: Argon2Config, salt: bytes) -> Container:
     )
 
 
+def build_kdf_parameters_aeskdf(kdf: AesKdfConfig, salt: bytes) -> Container:
+    """Build KDBX4 KDF parameters VariantDictionary for AES-KDF.
+
+    Args:
+        kdf: AES-KDF configuration
+        salt: 32-byte random salt
+
+    Returns:
+        Container with VariantDictionary structure.
+    """
+    return Container(
+        version=b'\x00\x01',
+        dict={
+            '$UUID': Container(type=VD_BYTES, key='$UUID', value=kdf_uuids['aeskdf'], next_byte=VD_UINT64),
+            'R': Container(type=VD_UINT64, key='R', value=kdf.rounds, next_byte=VD_BYTES),
+            'S': Container(type=VD_BYTES, key='S', value=salt, next_byte=0x00),
+        }
+    )
+
+
 # -------------------- KDBX Structure Builders --------------------
 
 def build_kdbx4_structure(

pykeepass/pykeepass.py

@@ -29,10 +29,13 @@
     KDBX,
     kdf_uuids,
     build_kdbx_structure,
+    build_kdf_parameters_argon2,
+    build_kdf_parameters_aeskdf,
     Argon2Config,
     AesKdfConfig,
     Cipher,
     KdfAlgorithm,
+    IV_SIZES,
 )
 from .xpath import attachment_xp, entry_xp, group_xp, path_xp
 
@@ -196,26 +199,61 @@ def version(self):
         )
 
     @property
-    def encryption_algorithm(self):
-        """`str`: encryption algorithm used by database during decryption.
-        Can be one of 'aes256', 'chacha20', or 'twofish'."""
+    def encryption_algorithm(self) -> str:
+        """Encryption algorithm used by database. One of the Cipher enum values."""
         return self.kdbx.header.value.dynamic_header.cipher_id.data
 
+    @encryption_algorithm.setter
+    def encryption_algorithm(self, value: Cipher | str) -> None:
+        """Set encryption algorithm. Generates new IV with appropriate size."""
+        cipher = str(Cipher(value))
+        self.kdbx.header.value.dynamic_header.cipher_id.data = cipher
+        self.kdbx.header.value.dynamic_header.encryption_iv.data = os.urandom(IV_SIZES[cipher])
+        self._invalidate_header_cache()
+
     @property
-    def kdf_algorithm(self):
-        """`str`: key derivation algorithm used by database during decryption.
-        Can be one of 'aeskdf', 'argon2', or 'argon2id'"""
+    def kdf_algorithm(self) -> str:
+        """KDF algorithm used by database. One of the KdfAlgorithm enum values."""
         if self.version == (3, 1):
             return 'aeskdf'
         elif self.version == (4, 0):
             kdf_parameters = self.kdbx.header.value.dynamic_header.kdf_parameters.data.dict
             if kdf_parameters['$UUID'].value == kdf_uuids['argon2']:
-                return 'argon2'
+                return 'argon2d'
             elif kdf_parameters['$UUID'].value == kdf_uuids['argon2id']:
                 return 'argon2id'
             elif kdf_parameters['$UUID'].value == kdf_uuids['aeskdf']:
                 return 'aeskdf'
 
+    @kdf_algorithm.setter
+    def kdf_algorithm(self, value: KdfAlgorithm | str) -> None:
+        """Set the KDF algorithm for the database. KDBX4 only.
+
+        Note:
+            Generates new KDF salt. For Argon2, uses default parameters.
+            For AES-KDF, uses default rounds. Adjust parameters after setting.
+        """
+        if self.version != (4, 0):
+            raise ValueError("KDF algorithm can only be changed on KDBX4 databases")
+
+        # Normalize value
+        kdf_str = str(value)
+        if kdf_str == 'argon2':
+            kdf_str = 'argon2d'  # Normalize legacy name
+
+        kdf = KdfAlgorithm(kdf_str)
+        salt = os.urandom(32)
+
+        if kdf in (KdfAlgorithm.ARGON2ID, KdfAlgorithm.ARGON2D):
+            config = Argon2Config(variant=kdf)
+            new_params = build_kdf_parameters_argon2(config, salt)
+        else:
+            config = AesKdfConfig()
+            new_params = build_kdf_parameters_aeskdf(config, salt)
+
+        self.kdbx.header.value.dynamic_header.kdf_parameters.data = new_params
+        self._invalidate_header_cache()
+
     def _get_kdf_parameters(self):
         """Get KDF parameters dict, raising error if not KDBX4 with Argon2."""
         if self.version != (4, 0):

tests/tests.py

@@ -1261,20 +1261,20 @@ def test_open_save(self):
         ]
         kdf_algorithms = [
             'aeskdf',
-            'argon2',
+            'argon2d',
             'aeskdf',
-            'argon2',
-            'argon2',
-            'argon2',
+            'argon2d',
+            'argon2d',
+            'argon2d',
             'aeskdf',
-            'argon2',
+            'argon2d',
             'aeskdf',
-            'argon2',
-            'argon2',
-            'argon2',
+            'argon2d',
+            'argon2d',
+            'argon2d',
             'argon2id',
-            'argon2',
-            'argon2',
+            'argon2d',
+            'argon2d',
         ]
         versions = [
             (3, 1),
@@ -1455,7 +1455,7 @@ def test_create_database_argon2d(self):
                 password='testpass',
                 kdf=Argon2Config(variant=KdfAlgorithm.ARGON2D)
             )
-            self.assertEqual(kp.kdf_algorithm, 'argon2')
+            self.assertEqual(kp.kdf_algorithm, 'argon2d')
 
     def test_create_database_entries_persist(self):
         """Test that entries persist after save/reload"""
@@ -1572,7 +1572,7 @@ def test_argon2_variant_getter_setter(self):
 
             kp2 = PyKeePass(db_path, password='testpass')
             self.assertEqual(kp2.argon2_variant, 'argon2d')
-            self.assertEqual(kp2.kdf_algorithm, 'argon2')
+            self.assertEqual(kp2.kdf_algorithm, 'argon2d')
         finally:
             os.unlink(db_path)
 
@@ -1584,6 +1584,126 @@ def test_argon2_variant_invalid_value(self):
                 kp.argon2_variant = 'invalid'
 
 
+class EncryptionAlgorithmSetterTests(unittest.TestCase):
+    """Tests for encryption_algorithm setter (resolves libkeepass/pykeepass#233)"""
+
+    def test_encryption_algorithm_setter_kdbx4(self):
+        """Test changing cipher on KDBX4 database"""
+        import tempfile
+        with tempfile.NamedTemporaryFile(suffix='.kdbx', delete=False) as f:
+            db_path = f.name
+        try:
+            kp = create_database(db_path, password='testpass')
+            kp.add_entry(kp.root_group, 'Test Entry', 'user', 'secret123')
+            self.assertEqual(kp.encryption_algorithm, 'aes256')
+
+            kp.encryption_algorithm = 'chacha20'
+            kp.save()
+
+            kp2 = PyKeePass(db_path, password='testpass')
+            self.assertEqual(kp2.encryption_algorithm, 'chacha20')
+            entry = kp2.find_entries(title='Test Entry', first=True)
+            self.assertEqual(entry.password, 'secret123')
+        finally:
+            os.unlink(db_path)
+
+    def test_encryption_algorithm_setter_kdbx3(self):
+        """Test changing cipher on KDBX3 database"""
+        import tempfile
+        with tempfile.NamedTemporaryFile(suffix='.kdbx', delete=False) as f:
+            db_path = f.name
+        try:
+            kp = create_database(db_path, password='testpass', version=3)
+            kp.add_entry(kp.root_group, 'Test Entry', 'user', 'secret123')
+            self.assertEqual(kp.encryption_algorithm, 'aes256')
+
+            kp.encryption_algorithm = 'twofish'
+            kp.save()
+
+            kp2 = PyKeePass(db_path, password='testpass')
+            self.assertEqual(kp2.encryption_algorithm, 'twofish')
+            entry = kp2.find_entries(title='Test Entry', first=True)
+            self.assertEqual(entry.password, 'secret123')
+        finally:
+            os.unlink(db_path)
+
+    def test_encryption_algorithm_setter_with_enum(self):
+        """Test setting cipher using Cipher enum"""
+        with BytesIO() as stream:
+            kp = create_database(stream, password='testpass')
+            kp.encryption_algorithm = Cipher.CHACHA20
+            self.assertEqual(kp.encryption_algorithm, 'chacha20')
+
+    def test_encryption_algorithm_setter_invalid(self):
+        """Test that invalid cipher raises error"""
+        with BytesIO() as stream:
+            kp = create_database(stream, password='testpass')
+            with self.assertRaises(ValueError):
+                kp.encryption_algorithm = 'invalid'
+
+
+class KdfAlgorithmSetterTests(unittest.TestCase):
+    """Tests for kdf_algorithm setter (resolves libkeepass/pykeepass#233)"""
+
+    def test_kdf_algorithm_setter_to_aeskdf(self):
+        """Test switching from Argon2 to AES-KDF on KDBX4"""
+        import tempfile
+        with tempfile.NamedTemporaryFile(suffix='.kdbx', delete=False) as f:
+            db_path = f.name
+        try:
+            kp = create_database(db_path, password='testpass')
+            kp.add_entry(kp.root_group, 'Test Entry', 'user', 'secret123')
+            self.assertEqual(kp.kdf_algorithm, 'argon2id')
+
+            kp.kdf_algorithm = 'aeskdf'
+            kp.save()
+
+            kp2 = PyKeePass(db_path, password='testpass')
+            self.assertEqual(kp2.kdf_algorithm, 'aeskdf')
+            entry = kp2.find_entries(title='Test Entry', first=True)
+            self.assertEqual(entry.password, 'secret123')
+        finally:
+            os.unlink(db_path)
+
+    def test_kdf_algorithm_setter_to_argon2d(self):
+        """Test switching to Argon2d on KDBX4"""
+        import tempfile
+        with tempfile.NamedTemporaryFile(suffix='.kdbx', delete=False) as f:
+            db_path = f.name
+        try:
+            kp = create_database(db_path, password='testpass')
+            self.assertEqual(kp.kdf_algorithm, 'argon2id')
+
+            kp.kdf_algorithm = 'argon2d'
+            kp.save()
+
+            kp2 = PyKeePass(db_path, password='testpass')
+            self.assertEqual(kp2.kdf_algorithm, 'argon2d')
+        finally:
+            os.unlink(db_path)
+
+    def test_kdf_algorithm_setter_with_enum(self):
+        """Test setting KDF using KdfAlgorithm enum"""
+        with BytesIO() as stream:
+            kp = create_database(stream, password='testpass')
+            kp.kdf_algorithm = KdfAlgorithm.AES_KDF
+            self.assertEqual(kp.kdf_algorithm, 'aeskdf')
+
+    def test_kdf_algorithm_setter_invalid_on_kdbx3(self):
+        """Test that changing KDF on KDBX3 raises error"""
+        with BytesIO() as stream:
+            kp = create_database(stream, password='testpass', version=3)
+            with self.assertRaises(ValueError):
+                kp.kdf_algorithm = 'argon2id'
+
+    def test_kdf_algorithm_setter_invalid_value(self):
+        """Test that invalid KDF raises error"""
+        with BytesIO() as stream:
+            kp = create_database(stream, password='testpass')
+            with self.assertRaises(ValueError):
+                kp.kdf_algorithm = 'invalid'
+
+
 class KDBX3CreateDatabaseTests(unittest.TestCase):
     """Tests for KDBX3 database creation"""