UNPKG

vault-nacl

Version:

A symmetric encrypted vault using nacl elliptic curves

github.com/commenthol/vault-nacl

commenthol/vault-nacl

199 lines (133 loc) 4.91 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
# vault-nacl > A symmetric encrypted vault using [tweetnacl][] elliptic curves [![NPM version](https://badge.fury.io/js/vault-nacl.svg)](https://www.npmjs.com/package/vault-nacl/) <!-- [![Build Status](https://secure.travis-ci.org/commenthol/vault-nacl.svg?branch=master)](https://travis-ci.org/commenthol/vault-nacl) --> Allows to symmetrically encrypt dedicated values in a configuration file, or the complete file itself, using one password. Implements [xsalsa20-poly1305 secretbox][] and [pbkdf2][] with different digests for safe encryption. Default is sha256 (310000 iterations) which can be changed to 'sha384', 'sha512' (120000 iterations). Uses `VAULT_NACL(...)` markers with Base64 encrypted secret inside the vault to identify encrypted values for decryption. New values attributed with `VAULT_NACL(...)VAULT_NACL` are used for later encryption. Choose the CLI or API to fit your usecase. [xsalsa20-poly1305 secretbox]: https://www.npmjs.com/package/tweetnacl#secret-key-authenticated-encryption-secretbox [pbkdf2]: https://tools.ietf.org/html/rfc8018 ## toc <!-- !toc (minlevel=2 omit="toc") --> * [installation](#installation) * [usage cli](#usage-cli) * [api](#api) * [enc-decrypt](#enc-decrypt) * [vault](#vault) * [internals](#internals) * [license](#license) <!-- toc! --> ## installation ``` npm install --save vault-nacl ``` ## usage cli _Encrypt single value_ ```bash $ vault-nacl encrypt ✔ Vault password · *************** ✔ Confirm Vault password · *************** ✔ Secret · ********* VAULT_NACL(AQAQJwAA6mwY4MkxGLKi4T0IZaOeh5Ul7iUv7SRzYK50xQR8iYNOXZQ9+lmSSb8PYkkk5zITgbCC/HbAJJ2B) ``` _Decrypt single value_ ```bash $ vault-nacl decrypt ✔ Vault password · *************** ✔ Vault · VAULT_NACL(AQAQJwAA6mwY4MkxGLKi4T0IZaOeh5Ul7iUv7SRzYK50xQR8iYNOXZQ9+lmSSb8PYkkk5zITgbCC/HbAJJ2B) my secret ``` _Encrypt a configuration file_ ```bash echo {"secret":"VAULT_NACL(my secret hidden value)VAULT_NACL"} > config.json $ vault-nacl encrypt config.json ✔ Vault password · *************** ✔ Confirm Vault password · *************** $ cat config.json {"secret":"VAULT_NACL(AQAQJwAA+XJjGfdtC8jCt7xsWoPBCz2p/qs5MXpzmsqV5jFGCm6xfZgKcADzu3glf1z/5KxKaFFJbtCvX5rAqh/jq3UhRsMHHirldw==)"} ``` _Decrypt a configuration file_ ```bash $ vault-nacl decrypt config.json ✔ Vault password · *************** ✔ Confirm Vault password · *************** {"secret":"my secret hidden value"} ``` See `vault-nacl --help` for complete list of options. Or take a look at the [man-page][]. [man-page]: https://github.com/commenthol/vault-nacl/blob/master/man/vault-nacl.md ## api ### enc-decrypt _asynchronous_ `EncDec` handles `VAULT_NACL(...)` encoded strings in strings or objects. ```js const { EncDec } = require('vault-nacl') const password = '$€creT' const secret = { mySecret: `VAULT_NACL(a $€Cr3T secret)VAULT_NACL` } const encdec = new EncDec(password) const result = await encdec.encrypt(secret) //> { mySecret: 'VAULT_NACL(AQAQJwAA+CWBR7...+qAo=)' } await encdec.decrypt(result) //> { mySecret: 'a $€Cr3T secret' } ``` _synchronous_ `EncDecSync` handles `VAULT_NACL(...)` encoded strings in strings or objects synchronously. > NOTE: This function is blocking. ```js const { EncDecSync } = require('vault-nacl') const password = '$€creT' const secret = { mySecret: `VAULT_NACL(a $€Cr3T secret)VAULT_NACL` } const encdec = new EncDecSync(password) const result = encdec.encrypt(secret) //> { mySecret: 'VAULT_NACL(AQAQJwAA+CWBR7...+qAo=)' } encdec.decrypt(result) //> { mySecret: 'a $€Cr3T secret' } ``` ### vault `Vault` provides the interface to en- and decryption. _asynchronous_ ```js const { Vault } = require('vault-nacl') const password = '$€creT' async function main() { const vault = new Vault(password) const ciphertext = await vault.encrypt('my secret message') const orginal = await vault.decrypt(ciphertext) //> 'my secret message' vault.clear() // clear password } main() ``` _synchronous_ This example uses a different digest and iterations: ```js const { Vault } = require('vault-nacl') const password = '$€creT' const vault = new Vault(password, { digest: 'sha512', iterations: 20000 }) const ciphertext = vault.encryptSync('my secret message') const orginal = vault.decryptSync(ciphertext) //> 'my secret message' vault.clear() // clear password ``` ## internals Format of the base64 encrypted secret: **Version 1** | 1 Byte | 1Byte | 4Bytes | 32Bytes | n-Bytes | | --------- | ------ | ---------- | ------- | ------------ | | version=1 | digest | iterations | salt | boxed secret | - digest: digest index. See src/Vault.js DIGESTS 0='sha256', 1='sha384', 2='sha512', 3='ripemd', 4='whirlpool' - iterations: Number of iterations. Default 310000 - salt: Used salt for key derivation ## license MIT licensed [tweetnacl]: https://npmjs.com/package/tweetnacl