recoder-security
Enterprise-grade security and compliance layer for CodeCraft CLI
/**
 * End-to-End Data Encryption System — type declarations (`.d.ts`).
 *
 * Describes the public surface of the encryption layer used for user data, API
 * communications and file storage, including key versioning/rotation and
 * compliance-oriented context. Algorithm parameters, padding modes and key
 * sourcing are decided by the implementation, not by these types; treat the
 * notes below as the contract a caller should verify against it.
 */
/**
 * Tunables for the symmetric encryption layer.
 *
 * NOTE(review): each union below is wider than any single cipher accepts
 * (e.g. a 16-byte IV with GCM, a 512-bit key with AES-256). The type does not
 * rule out invalid combinations, so the implementation must validate the
 * combination rather than trusting this shape alone.
 */
export interface EncryptionConfig {
    /**
     * Cipher used by `DataEncryption.encryptData`. `aes-256-gcm` and
     * `chacha20-poly1305` are AEAD modes and are what produce the optional
     * `tag` on `EncryptedData`. `aes-256-cbc` carries no authentication tag;
     * if it is selected, integrity rests on whatever the implementation does
     * with `metadata.checksum` — an unkeyed checksum is not a MAC, so confirm
     * before relying on it for tamper detection.
     */
    algorithm: 'aes-256-gcm' | 'aes-256-cbc' | 'chacha20-poly1305';
    /**
     * Password-to-key derivation function. Only PBKDF2 is named by the
     * private `deriveKeyFromPassword` member; whether `scrypt`/`argon2` are
     * actually honoured is not visible from this declaration — verify.
     */
    keyDerivation: 'pbkdf2' | 'scrypt' | 'argon2';
    /**
     * Key length in bits. All three ciphers above take 256-bit keys; the
     * 512 option has no consumer visible here — confirm what it maps to.
     */
    keySize: 256 | 512;
    /**
     * IV/nonce length in bytes. 12 is the standard nonce size for GCM and
     * ChaCha20-Poly1305; 16 matches the AES block size for CBC. Whatever the
     * size, a nonce must never repeat under the same key for AEAD modes.
     */
    ivSize: 12 | 16;
    /** AEAD authentication tag length in bytes (always the full 128-bit tag). */
    tagSize: 16;
    /**
     * KDF work factor (iteration count). The type enforces no lower bound;
     * the implementation should reject values that make password-derived
     * keys cheap to brute-force.
     */
    iterations: number;
    /** Salt length in bytes for password-derived keys. */
    saltSize: 32;
    /**
     * Gzip plaintext before encrypting. Compression before encryption makes
     * ciphertext length depend on plaintext content, which is a known side
     * channel when attacker-influenced and secret data share a message —
     * weigh per data type rather than enabling globally.
     */
    compressionEnabled: boolean;
    /** Interval after which the current master key is considered due for rotation. */
    keyRotationDays: number;
}
/**
 * Serialized envelope returned by `encryptData`/`encryptFile` and consumed by
 * the matching decrypt methods.
 *
 * NOTE(review): `algorithm` and `keyVersion` travel with the ciphertext in
 * the clear. If envelopes are stored somewhere writable by an attacker, the
 * decrypt path must validate these against its own configuration/key table
 * rather than blindly dispatching on them (algorithm-confusion risk). Whether
 * the envelope fields are bound into the AEAD associated data is not visible
 * here — confirm in the implementation.
 */
export interface EncryptedData {
    /** Encrypted payload. String encoding (base64/hex) is decided by the implementation. */
    ciphertext: string;
    /** IV/nonce used for this encryption; same string encoding as `ciphertext`. */
    iv: string;
    /** AEAD authentication tag. Absent for non-AEAD modes such as `aes-256-cbc`. */
    tag?: string;
    /** Salt used for password-based key derivation. */
    salt: string;
    /** Cipher identifier the payload was produced with (see `EncryptionConfig.algorithm`). */
    algorithm: string;
    /** Version of the master key used, so rotated-out keys can still decrypt old data. */
    keyVersion: string;
    /** Creation time (epoch ms presumed — confirm unit against the implementation). */
    timestamp: number;
    /** Optional descriptive metadata; none of these fields provides cryptographic integrity. */
    metadata?: {
        /** Whether the plaintext was gzip-compressed before encryption. */
        compressed: boolean;
        /** Plaintext length before compression/encryption, if recorded. */
        originalSize?: number;
        /** Checksum of the plaintext. Unkeyed unless the implementation says otherwise — not a substitute for the AEAD tag. */
        checksum: string;
    };
}
/**
 * Bookkeeping record for one managed key. Holds no key material, only
 * identifiers, timestamps and lifecycle state.
 */
export interface KeyMetadata {
    /** Opaque unique identifier (see the private `generateKeyId` member). */
    id: string;
    /** Version label referenced by `EncryptedData.keyVersion`. */
    version: string;
    /** Algorithm the key is intended for. */
    algorithm: string;
    /** Creation timestamp (epoch ms presumed — confirm unit). */
    created: number;
    /** Last time the key was used; maintained by the private `updateKeyUsage` member. */
    lastUsed: number;
    /** Time at which rotation becomes due (derived from `EncryptionConfig.keyRotationDays`). */
    rotationDue: number;
    /** What the key is used for; a key should serve exactly one purpose. */
    purpose: 'encryption' | 'signing' | 'kdf';
    /**
     * Lifecycle state. Presumably `active` = used for new encryptions,
     * `deprecated` = decrypt-only after rotation, `revoked` = must not be used.
     * The exact transitions and what `cleanupOldKeys` removes are not visible
     * here — confirm that deprecated keys are retained while data encrypted
     * under them still exists.
     */
    status: 'active' | 'deprecated' | 'revoked';
}
/**
 * Caller-supplied context passed to every encrypt/decrypt call.
 *
 * These are labels for audit logging and policy; nothing in this declaration
 * shows them being enforced cryptographically. If the implementation does not
 * bind them into the ciphertext (e.g. as associated data), a ciphertext
 * encrypted for one `userId`/`dataType` can be replayed under another.
 */
export interface EncryptionContext {
    /** Owning user, when the data is user-scoped. */
    userId?: string;
    /** Category of data being protected; drives logging/retention policy. */
    dataType: 'user_data' | 'api_key' | 'file' | 'config' | 'logs';
    /** Free-form reason for the operation, recorded in the audit trail. */
    purpose: string;
    /** Retention period in days, if the data has one. */
    retentionDays?: number;
    /** Compliance regime label. A label only — it does not change the cipher or key handling here. */
    complianceLevel: 'standard' | 'gdpr' | 'hipaa' | 'sox';
}
/**
 * Symmetric (master-key or password-derived) and RSA encryption facade with
 * key versioning, rotation and an audit log.
 *
 * Security notes for callers, based only on what this declaration shows:
 * - Where the master key comes from (`initializeMasterKey`) is not visible.
 *   If it is generated per process and not persisted, data cannot be
 *   decrypted after a restart; if it is read from config, that source is the
 *   root secret — confirm before deployment.
 * - RSA padding/hash choices are not part of the signature. Expect OAEP for
 *   encryption and a modern hash for signatures; verify in the implementation.
 * - Private-key PEMs and passwords pass through as plain strings; ensure they
 *   never reach `logEncryptionEvent`.
 */
export declare class DataEncryption {
    private readonly logger;
    private readonly config;
    /** Master key material keyed by version (presumed from `getEncryptionKey(version)`). */
    private readonly masterKeys;
    /** `KeyMetadata` records for managed keys. */
    private readonly keyMetadata;
    /** Version used for new encryptions; advanced by `rotateKeys`. */
    private currentKeyVersion;
    /**
     * @param config Partial overrides merged over the implementation's defaults.
     */
    constructor(config?: Partial<EncryptionConfig>);
    /**
     * Encrypt data with context and metadata.
     *
     * @param data Plaintext; strings are encoded by the implementation (encoding not visible here).
     * @param context Audit/policy labels for the operation.
     * @param password When given, the key is derived from it (see `deriveKeyFromPassword`)
     *   rather than taken from the current master key — presumed; confirm.
     * @returns Envelope carrying the ciphertext plus the parameters needed to decrypt it.
     */
    encryptData(data: string | Buffer, context: EncryptionContext, password?: string): Promise<EncryptedData>;
    /**
     * Decrypt data with validation and integrity checks.
     *
     * NOTE(review): the envelope's `algorithm`/`keyVersion` fields are
     * untrusted input here; they should be checked against this instance's
     * configuration and key table, not dispatched on directly. Whether a
     * failed AEAD tag check throws or returns partial output is not visible —
     * callers should treat any rejection as fatal for the whole payload.
     *
     * @param encryptedData Envelope produced by `encryptData`.
     * @param context Same kind of context as at encryption time.
     * @param password Must match the password used at encryption, if any.
     * @returns Plaintext; string vs. Buffer presumably mirrors the original input — confirm.
     */
    decryptData(encryptedData: EncryptedData, context: EncryptionContext, password?: string): Promise<string | Buffer>;
    /**
     * Encrypt file with streaming support for large files.
     *
     * NOTE(review): the returned envelope's `ciphertext` is a string while the
     * data is written to `outputPath`; what the field holds for files is not
     * visible here. Paths are used as given — callers must canonicalize and
     * authorize them before passing untrusted input.
     */
    encryptFile(inputPath: string, outputPath: string, context: EncryptionContext): Promise<EncryptedData>;
    /**
     * Decrypt file with streaming support.
     *
     * With AEAD modes the tag is only verifiable at the end of the stream, so
     * `outputPath` may hold unauthenticated bytes if the promise rejects —
     * presumed from the streaming design; confirm and delete on failure.
     */
    decryptFile(encryptedData: EncryptedData, outputPath: string, context: EncryptionContext): Promise<void>;
    /**
     * Generate RSA key pair for asymmetric encryption.
     *
     * @param keySize Modulus size in bits; 2048 is the floor offered.
     * @returns PEM-encoded keys and a fresh key id. Whether `privateKey` is
     *   an encrypted PEM is not visible — treat it as a raw secret.
     */
    generateRSAKeyPair(keySize?: 2048 | 3072 | 4096): Promise<{
        publicKey: string;
        privateKey: string;
        keyId: string;
    }>;
    /**
     * Encrypt with RSA public key.
     *
     * RSA can only encrypt payloads smaller than the modulus minus padding
     * overhead; intended for short secrets such as wrapped keys, not bulk
     * data. Padding scheme is not specified here — confirm OAEP.
     */
    encryptWithRSA(data: string, publicKeyPem: string): Promise<string>;
    /**
     * Decrypt with RSA private key.
     *
     * Padding must match `encryptWithRSA`. Decryption errors should be
     * reported uniformly so padding oracles are not exposed — not verifiable here.
     */
    decryptWithRSA(encryptedData: string, privateKeyPem: string): Promise<string>;
    /**
     * Sign data with RSA private key.
     *
     * Hash and padding (PKCS#1 v1.5 vs. PSS) are not specified by this signature.
     * @returns Encoded signature; encoding decided by the implementation.
     */
    signData(data: string, privateKeyPem: string): Promise<string>;
    /**
     * Verify signature with RSA public key.
     *
     * @returns `true` only if the signature is valid for `data`. Whether a
     *   malformed signature/key resolves to `false` or rejects is not visible —
     *   callers should fail closed on both.
     */
    verifySignature(data: string, signature: string, publicKeyPem: string): Promise<boolean>;
    /**
     * Rotate encryption keys.
     *
     * Presumably creates a new master key version, makes it current and
     * marks the previous one `deprecated` so existing envelopes (by
     * `keyVersion`) remain decryptable. Confirm that rotation re-encrypts or
     * retains keys for long-lived data before `cleanupOldKeys` runs.
     */
    rotateKeys(): Promise<void>;
    /**
     * Get encryption statistics.
     *
     * Returns only counts, version labels and the algorithm name — no key material.
     */
    getEncryptionStats(): {
        currentKeyVersion: string;
        totalKeys: number;
        algorithm: string;
        keyRotationDue: number;
        activeKeys: number;
        deprecatedKeys: number;
    };
    /**
     * Initialize master encryption key.
     * Source of the key material (generated, env, KMS) is not visible here — see class note.
     */
    private initializeMasterKey;
    /**
     * Get current encryption key
     */
    private getCurrentEncryptionKey;
    /**
     * Get encryption key by version
     * (should reject `revoked` versions — confirm).
     */
    private getEncryptionKey;
    /**
     * Derive key from password using PBKDF2
     * with `EncryptionConfig.iterations` and a `saltSize`-byte salt (presumed).
     */
    private deriveKeyFromPassword;
    /**
     * Compress data using gzip
     */
    private compressData;
    /**
     * Decompress data using gzip
     * (decompression of untrusted input should be size-bounded to avoid
     * decompression bombs — not verifiable here).
     */
    private decompressData;
    /**
     * Generate unique key ID
     */
    private generateKeyId;
    /**
     * Log encryption events for audit trail
     * (must never include plaintext, passwords or key material).
     */
    private logEncryptionEvent;
    /**
     * Update key usage timestamp
     */
    private updateKeyUsage;
    /**
     * Cleanup old deprecated keys
     * (removing a key makes any envelope with that `keyVersion` unrecoverable).
     */
    private cleanupOldKeys;
}
//# sourceMappingURL=data-encryption.d.ts.map