vault-nacl

A symmetric encrypted vault using tweetnacl elliptic curves

Allows to symmetrically encrypt dedicated values in a configuration file, or the complete file itself, using one password.

Implements xsalsa20-poly1305 secretbox and pbkdf2 with different digests for safe encryption.

Default is sha256 (310000 iterations) which can be changed to 'sha384', 'sha512' (120000 iterations).

Uses VAULT_NACL(...) markers with Base64 encrypted secret inside the vault to identify encrypted values for decryption.

New values attributed with VAULT_NACL(...)VAULT_NACL are used for later encryption.

Choose the CLI or API to fit your usecase.

toc

• installation
• usage cli
• api
  • enc-decrypt
  • vault
• internals
• license

installation

npm install --save vault-nacl

usage cli

Encrypt single value

$ vault-nacl encrypt
✔ Vault password · ***************
✔ Confirm Vault password · ***************
✔ Secret · *********
VAULT_NACL(AQAQJwAA6mwY4MkxGLKi4T0IZaOeh5Ul7iUv7SRzYK50xQR8iYNOXZQ9+lmSSb8PYkkk5zITgbCC/HbAJJ2B)

Decrypt single value

$ vault-nacl decrypt
✔ Vault password · ***************
✔ Vault · VAULT_NACL(AQAQJwAA6mwY4MkxGLKi4T0IZaOeh5Ul7iUv7SRzYK50xQR8iYNOXZQ9+lmSSb8PYkkk5zITgbCC/HbAJJ2B)
my secret

Encrypt a configuration file

echo {"secret":"VAULT_NACL(my secret hidden value)VAULT_NACL"} > config.json

$ vault-nacl encrypt config.json
✔ Vault password · ***************
✔ Confirm Vault password · ***************

$ cat config.json
{"secret":"VAULT_NACL(AQAQJwAA+XJjGfdtC8jCt7xsWoPBCz2p/qs5MXpzmsqV5jFGCm6xfZgKcADzu3glf1z/5KxKaFFJbtCvX5rAqh/jq3UhRsMHHirldw==)"}

Decrypt a configuration file

$ vault-nacl decrypt config.json
✔ Vault password · ***************
✔ Confirm Vault password · ***************
{"secret":"my secret hidden value"}

See vault-nacl --help for complete list of options.

Or take a look at the man-page.

api

enc-decrypt

asynchronous

EncDec handles VAULT_NACL(...) encoded strings in strings or objects.

const { EncDec } = require('vault-nacl')
const password = '$€creT'
const secret = { mySecret: `VAULT_NACL(a $€Cr3T secret)VAULT_NACL` }

const encdec = new EncDec(password)
const result = await encdec.encrypt(secret)
//>  { mySecret: 'VAULT_NACL(AQAQJwAA+CWBR7...+qAo=)' }

await encdec.decrypt(result)
//> { mySecret: 'a $€Cr3T secret' }

synchronous

EncDecSync handles VAULT_NACL(...) encoded strings in strings or objects synchronously.

NOTE: This function is blocking.

const { EncDecSync } = require('vault-nacl')
const password = '$€creT'
const secret = { mySecret: `VAULT_NACL(a $€Cr3T secret)VAULT_NACL` }

const encdec = new EncDecSync(password)
const result = encdec.encrypt(secret)
//>  { mySecret: 'VAULT_NACL(AQAQJwAA+CWBR7...+qAo=)' }

encdec.decrypt(result)
//> { mySecret: 'a $€Cr3T secret' }

vault

Vault provides the interface to en- and decryption.

asynchronous

const { Vault } = require('vault-nacl')

const password = '$€creT'

async function main() {
  const vault = new Vault(password)

  const ciphertext = await vault.encrypt('my secret message')
  const orginal = await vault.decrypt(ciphertext)
  //> 'my secret message'

  vault.clear() // clear password
}
main()

synchronous

This example uses a different digest and iterations:

const { Vault } = require('vault-nacl')

const password = '$€creT'

const vault = new Vault(password, { digest: 'sha512', iterations: 20000 })
const ciphertext = vault.encryptSync('my secret message')
const orginal = vault.decryptSync(ciphertext)
//> 'my secret message'

vault.clear() // clear password

internals

Format of the base64 encrypted secret:

Version 1

1 Byte	1Byte	4Bytes	32Bytes	n-Bytes
version=1	digest	iterations	salt	boxed secret

• digest: digest index. See src/Vault.js DIGESTS 0='sha256', 1='sha384', 2='sha512', 3='ripemd', 4='whirlpool'
• iterations: Number of iterations. Default 310000
• salt: Used salt for key derivation

license

MIT licensed