vault-nacl
v1.0.0
Published
A symmetric encrypted vault using nacl elliptic curves
Downloads
59
Maintainers
commentholReadme
vault-nacl
A symmetric encrypted vault using tweetnacl elliptic curves
Allows to symmetrically encrypt dedicated values in a configuration file, or the complete file itself, using one password.
Implements xsalsa20-poly1305 secretbox and pbkdf2 with different digests for safe encryption.
Default is sha256 (310000 iterations) which can be changed to 'sha384', 'sha512' (120000 iterations).
Uses VAULT_NACL(...) markers with Base64 encrypted secret inside the vault to
identify encrypted values for decryption.
New values attributed with VAULT_NACL(...)VAULT_NACL are used for later
encryption.
Choose the CLI or API to fit your usecase.
toc
installation
npm install --save vault-naclusage cli
Encrypt single value
$ vault-nacl encrypt
✔ Vault password · ***************
✔ Confirm Vault password · ***************
✔ Secret · *********
VAULT_NACL(AQAQJwAA6mwY4MkxGLKi4T0IZaOeh5Ul7iUv7SRzYK50xQR8iYNOXZQ9+lmSSb8PYkkk5zITgbCC/HbAJJ2B)Decrypt single value
$ vault-nacl decrypt
✔ Vault password · ***************
✔ Vault · VAULT_NACL(AQAQJwAA6mwY4MkxGLKi4T0IZaOeh5Ul7iUv7SRzYK50xQR8iYNOXZQ9+lmSSb8PYkkk5zITgbCC/HbAJJ2B)
my secretEncrypt a configuration file
echo {"secret":"VAULT_NACL(my secret hidden value)VAULT_NACL"} > config.json
$ vault-nacl encrypt config.json
✔ Vault password · ***************
✔ Confirm Vault password · ***************
$ cat config.json
{"secret":"VAULT_NACL(AQAQJwAA+XJjGfdtC8jCt7xsWoPBCz2p/qs5MXpzmsqV5jFGCm6xfZgKcADzu3glf1z/5KxKaFFJbtCvX5rAqh/jq3UhRsMHHirldw==)"}Decrypt a configuration file
$ vault-nacl decrypt config.json
✔ Vault password · ***************
✔ Confirm Vault password · ***************
{"secret":"my secret hidden value"}See vault-nacl --help for complete list of options.
Or take a look at the man-page.
api
enc-decrypt
asynchronous
EncDec handles VAULT_NACL(...) encoded strings in strings or objects.
const { EncDec } = require('vault-nacl')
const password = '$€creT'
const secret = { mySecret: `VAULT_NACL(a $€Cr3T secret)VAULT_NACL` }
const encdec = new EncDec(password)
const result = await encdec.encrypt(secret)
//> { mySecret: 'VAULT_NACL(AQAQJwAA+CWBR7...+qAo=)' }
await encdec.decrypt(result)
//> { mySecret: 'a $€Cr3T secret' }synchronous
EncDecSync handles VAULT_NACL(...) encoded strings in strings or objects
synchronously.
NOTE: This function is blocking.
const { EncDecSync } = require('vault-nacl')
const password = '$€creT'
const secret = { mySecret: `VAULT_NACL(a $€Cr3T secret)VAULT_NACL` }
const encdec = new EncDecSync(password)
const result = encdec.encrypt(secret)
//> { mySecret: 'VAULT_NACL(AQAQJwAA+CWBR7...+qAo=)' }
encdec.decrypt(result)
//> { mySecret: 'a $€Cr3T secret' }vault
Vault provides the interface to en- and decryption.
asynchronous
const { Vault } = require('vault-nacl')
const password = '$€creT'
async function main() {
const vault = new Vault(password)
const ciphertext = await vault.encrypt('my secret message')
const orginal = await vault.decrypt(ciphertext)
//> 'my secret message'
vault.clear() // clear password
}
main()synchronous
This example uses a different digest and iterations:
const { Vault } = require('vault-nacl')
const password = '$€creT'
const vault = new Vault(password, { digest: 'sha512', iterations: 20000 })
const ciphertext = vault.encryptSync('my secret message')
const orginal = vault.decryptSync(ciphertext)
//> 'my secret message'
vault.clear() // clear passwordinternals
Format of the base64 encrypted secret:
Version 1
| 1 Byte | 1Byte | 4Bytes | 32Bytes | n-Bytes | | --------- | ------ | ---------- | ------- | ------------ | | version=1 | digest | iterations | salt | boxed secret |
- digest: digest index. See src/Vault.js DIGESTS 0='sha256', 1='sha384', 2='sha512', 3='ripemd', 4='whirlpool'
- iterations: Number of iterations. Default 310000
- salt: Used salt for key derivation
license
MIT licensed