vault-cipher

High-level authenticated encryption API used by Vault

OTHER License

Downloads
184
Stars
9
View Code on GitHub
Ecosystems: JavaScript

vault-cipher Build Status

Provides a high-level authenticated encryption API that Vault uses to encrypt its stored settings. On Node, it's backed by the crypto module, while in the browser it uses asmCrypto. Random values are generated with crypto.randomBytes() or crypto.getRandomValues() where available.

The encryption algorithm is an encrypt-then-MAC scheme based on AES and HMAC.

  • The given secret is used to derive an encryption key and a signing key using
    PBKDF2
  • The plaintext is padded to a multiple of the AES block size using PKCS#7
  • A random iv is selected using crypto.randomBytes()
  • The plaintext is encrypted using AES-256-CBC with the encryption key and iv
    to produce ciphertext
  • iv and ciphertext are concatenated and signed using HMAC-SHA-256 with the
    signing key to produce mac
  • The result is the concatenation of iv, ciphertext and mac 
+--------+      +--------+      +----------------+----------------+
| secret |----->| PBKDF2 |----->| encryption key |  signing key   |
+--------+      +--------+      +----------------+----------------+
                                    |                     |
+---------+                         V                     |
| message |------------------>+-------------+             |
+---------+     +----+        | AES-256-CBC |             |
                | iv |------->+-------------+             |
                +----+              |                     |
                   |                |                     |
                   V                V                     V
              +----------+------------------+     +--------------+
              |    iv    |    ciphertext    |---->| HMAC-SHA-256 |
              +----------+------------------+     +--------------+
                      |               |                 |
                      V               V                 V
                  +----------+------------------+-----------+
                  |    iv    |    ciphertext    |    mac    |
                  +----------+------------------+-----------+

Its high-level API provides a simple way to encrypt and decrypt text:

var Cipher = require('vault-cipher'),
    cipher = new Cipher('your secret key');

var ciphertext = cipher.encrypt('some text');

cipher.decrypt(ciphertext) // -> 'some text'

Settings

The cipher is configurable by passing options to the constructor, for example:

var cipher = new Cipher('secret key', { format: 'hex', work: 1000 })

The available options are:

  • format: the output format of the ciphertext, either base64 (default) or
    hex
  • salt: a salt string used during PBKDF2 key derivation, defaults to a GUID
    embedded in the library
  • work: the number of PBKDF2 iterations used to derive the encryption and
    signing keys, default is 10,000
Package Rankings
Top 7.23% on Npmjs.org
Badges
Extracted from project README
Build Status
Related Projects
CookieCloud

CookieCloud是一个和自架服务器同步浏览器Cookie和LocalStorage的小工具,支持端对端加密,可设定同步时间间隔。本仓库包含了插件和服务器端源码。CookieCloud is...

17 Jan 2023 1,889
aes-js

A pure JavaScript implementation of the AES block cipher and all common modes of operation for no...

04 Mar 2015 1,449
god_crypto

Pure Javascript/Typescript Crypto Implementation for Deno. AES, RSA, HMAC, and TOTP

06 Aug 2020 93
Cryptor

Encrypt and decrypt string using a key

21 May 2017 18
simple_aes_cbc

A simple wrapper for WebCrypto which uses the AES-CBC algorithm

06 Oct 2023 3
crypto-js

CryptoJS for Browserify

04 Dec 2014 4
vault

Generates safe passwords so you never need to remember them

07 Dec 2011 470
node-aes256

A Node.js module to simplify using the built-in "crypto" module for AES256 encryption with random...

16 Dec 2015 49
crypt.io

Encryption enabled browser storage

28 Aug 2013 332
crypto-es

A cryptography algorithms library

28 Nov 2018 271