UNPKG

age-encryption

Version:

<p align="center"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://github.com/FiloSottile/age/blob/main/logo/logo_white.svg"> <source media="(prefers-color-scheme: light)" srcset="https://github.com/FiloSottile/a

github.com/FiloSottile/typage

FiloSottile/typage

160 lines (159 loc) 7.02 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
import { Stanza } from "./format.js"; export * as armor from "./armor.js"; export { Stanza }; /** * An identity that can be used to decrypt a file key. * * This is a low-level interface that can be used to implement custom identity * types, such as plugins or remote APIs and secrets managers. Most users won't * need to interact with this directly, and should instead pass a string encoding * of a standard identity (`AGE-SECRET-KEY-1...`) to {@link Decrypter.addIdentity}. */ export interface Identity { /** * Decrypt a file key, if possible, using this identity. This function is * called during {@link Decrypter.decrypt}, once for each file. * * @param stanzas - All stanzas from the encrypted file's header. It is the * identity's responsibility to identify the stanzas it's expecting, if any. * * @returns The random file key, if this identity can decrypt it, or `null` * if none of the stanzas matched this identity. * * @throws `unwrapFileKey` must throw only if it identifies a stanza that * matches this identity, but the stanza is malformed or invalid, or * decryption fails due to external factors (e.g. network errors). For * example, it must return `null`, not throw, if the file is encrypted with * a different e.g. key. */ unwrapFileKey(stanzas: Stanza[]): Uint8Array | null | Promise<Uint8Array | null>; } /** * A recipient that can be used to encrypt a file key. * * This is a low-level interface that can be used to implement custom recipient * types. Most users won't need to interact with this directly, and should * instead pass a string encoding of a standard recipient (`age1...`) to * {@link Encrypter.addRecipient}. */ export interface Recipient { /** * Encrypt a file key for this recipient. This function is called during * {@link Encrypter.encrypt}, once for each file. * * @param fileKey - The random file key to encrypt. * * @returns One or more stanzas that will be included (unencrypted) in the * encrypted file's header. The corresponding identity (which may be the * built-in X25519 or scrypt identity, or a custom {@link Identity}) must be * able to identify these stanzas, and use them to decrypt the file key. */ wrapFileKey(fileKey: Uint8Array): Stanza[] | Promise<Stanza[]>; } export { generateIdentity, identityToRecipient } from "./recipients.js"; /** * Encrypts a file using the given passphrase or recipients. * * First, call {@link Encrypter.setPassphrase} to set a passphrase for symmetric * encryption, or {@link Encrypter.addRecipient} to specify one or more * recipients. Then, call {@link Encrypter.encrypt} one or more times to encrypt * files using the configured passphrase or recipients. */ export declare class Encrypter { private passphrase; private scryptWorkFactor; private recipients; /** * Set the passphrase to encrypt the file(s) with. This method can only be * called once, and can't be called if {@link Encrypter.addRecipient} has * been called. * * The passphrase is passed through the scrypt key derivation function, but * it needs to have enough entropy to resist offline brute-force attacks. * You should use at least 8-10 random alphanumeric characters, or 4-5 * random words from a list of at least 2000 words. * * @param s - The passphrase to encrypt the file with. */ setPassphrase(s: string): void; /** * Set the scrypt work factor to use when encrypting the file(s) with a * passphrase. The default is 18. Using a lower value will require stronger * passphrases to resist offline brute-force attacks. * * @param logN - The base-2 logarithm of the scrypt work factor. */ setScryptWorkFactor(logN: number): void; /** * Add a recipient to encrypt the file(s) for. This method can be called * multiple times to encrypt the file(s) for multiple recipients. * * @param s - The recipient to encrypt the file for. Either a string * beginning with `age1...` or an object implementing the {@link Recipient} * interface. */ addRecipient(s: string | Recipient): void; /** * Encrypt a file using the configured passphrase or recipients. * * @param file - The file to encrypt. If a string is passed, it will be * encoded as UTF-8. * * @returns A promise that resolves to the encrypted file as a Uint8Array. */ encrypt(file: Uint8Array | string): Promise<Uint8Array>; } /** * Decrypts a file using the given identities. * * First, call {@link Decrypter.addPassphrase} to set a passphrase for symmetric * decryption, and/or {@link Decrypter.addIdentity} to specify one or more * identities. All passphrases and/or identities are tried in parallel for each * file. Then, call {@link Decrypter.decrypt} one or more times to decrypt files * using the configured passphrase and/or identities. */ export declare class Decrypter { private identities; /** * Add a passphrase to decrypt password-encrypted file(s) with. This method * can be called multiple times to try multiple passphrases. * * @param s - The passphrase to decrypt the file with. */ addPassphrase(s: string): void; /** * Add an identity to decrypt file(s) with. This method can be called * multiple times to try multiple identities. * * @param s - The identity to decrypt the file with. Either a string * beginning with `AGE-SECRET-KEY-1...`, an X25519 private * {@link https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey | CryptoKey} * object, or an object implementing the {@link Identity} interface. * * A CryptoKey object must have * {@link https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey/type | type} * `private`, * {@link https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey/algorithm | algorithm} * `{name: 'X25519'}`, and * {@link https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey/usages | usages} * `["deriveBits"]`. For example: * ```js * const keyPair = await crypto.subtle.generateKey({ name: "X25519" }, false, ["deriveBits"]) * decrypter.addIdentity(key.privateKey) * ``` */ addIdentity(s: string | CryptoKey | Identity): void; /** * Decrypt a file using the configured passphrases and/or identities. * * @param file - The file to decrypt. * @param outputFormat - The format to return the decrypted file in. If * `"text"` is passed, the file's plaintext will be decoded as UTF-8 and * returned as a string. Optional. It defaults to `"uint8array"`. * * @returns A promise that resolves to the decrypted file. */ decrypt(file: Uint8Array, outputFormat?: "uint8array"): Promise<Uint8Array>; decrypt(file: Uint8Array, outputFormat: "text"): Promise<string>; private unwrapFileKey; }