
How to generate keys? #5

Closed
philss opened this issue Apr 7, 2016 · 5 comments

Comments

@philss
Contributor

philss commented Apr 7, 2016

This is a question and a proposal to add a little guide about key generation.

I tried myself, but I'm not sure if I'm doing it right.

I followed this article about hash functions.
So, to generate the key I'm doing something like:

```elixir
:crypto.hash(:sha256, "my-super-secret-key-here") |> Base.encode64
# => 2CJtBImYfIdlBKR0164Ys6xg+lAWaqaCVUrlK9OIKUE=
```

And then, I use this as my key:

```elixir
config :cloak, Cloak.AES.CTR,
  tag: "AES",
  default: true,
  keys: [
    %{
      tag: <<1>>,
      key: :base64.decode("2CJtBImYfIdlBKR0164Ys6xg+lAWaqaCVUrlK9OIKUE="),
      default: true
    }
  ]
```

@danielberkompas Is there a better and more secure way (or tool) for generating those keys?
What do you think about adding a little guide in the README.md? I can get this if you agree.

BTW, thanks for this library! It's awesome! 😃

@danielberkompas
Owner

If you want a random 256-bit key, all you have to do is generate 32 bytes and then run it through Base.encode64:

```elixir
:crypto.strong_rand_bytes(32) |> Base.encode64
```

A random key is more secure than one based on a set of keywords. However, if you were going to use a keyword, your approach seems reasonable. Just be aware that if you use a keyword, it's just as subject to guessing as a password would be, and sha256 is generally considered insecure for passwords. Maybe use BCrypt instead?

When I do BCrypt in Elixir, I use the Comeonin library.

@philss
Contributor Author

philss commented Apr 8, 2016

Got it, thanks! :)
Random keys seem to be better.

@paulstatezny

Hey @danielberkompas, I wasn't sure whether to comment here or open another issue...

Thanks for cloak! It's great.

I think it would be helpful to add details back to README.md or somewhere in plain sight on how to generate keys properly. Was working with a coworker and noticed that it was removed from the README.

If you're up for that I'd be glad to put in a PR.

@danielberkompas
Owner

danielberkompas commented Mar 23, 2018

I'll add it into the docs soon. It's pretty simple:

```elixir
:crypto.strong_rand_bytes(32)
```

If you intend to store your key in an environment variable, you'll need to Base64 encode/decode it as shown in the docs.

```elixir
32
|> :crypto.strong_rand_bytes()
|> Base.encode64()
```
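The two answers above (a random 256-bit key from `:crypto.strong_rand_bytes/1`, Base64-encoded so it can live in an environment variable) put together as one added example. This is not code from the Cloak project: the module name `KeyHelper`, the environment variable name `CLOAK_KEY` and the error messages are assumptions. The loader decodes the variable and checks that it is exactly 32 bytes, so a truncated or mis-pasted key fails at boot rather than silently encrypting data under a key nobody can reproduce later.

```elixir
# Added example, not part of Cloak. Generates a random AES-256 key, encodes it
# for storage in an environment variable, and loads/validates it at startup.
defmodule KeyHelper do
  # 32 bytes = 256 bits, the key size for AES-256.
  @key_bytes 32

  # Generate a fresh random key and return it Base64-encoded, ready to paste
  # into an environment variable (CLOAK_KEY is an assumed name).
  # Run once, e.g. in `iex -S mix`: KeyHelper.generate_encoded_key()
  def generate_encoded_key do
    @key_bytes
    |> :crypto.strong_rand_bytes()
    |> Base.encode64()
  end

  # Read the Base64 key from the environment and return the raw 32-byte binary
  # that Cloak expects in the `key:` field of its config. Raises on a missing,
  # malformed, or wrong-length value so the problem surfaces at boot.
  def load_key!(env_var \\ "CLOAK_KEY") do
    encoded =
      System.get_env(env_var) || raise ArgumentError, "#{env_var} is not set"

    case Base.decode64(encoded) do
      {:ok, key} when byte_size(key) == @key_bytes ->
        key

      {:ok, key} ->
        raise ArgumentError,
              "#{env_var} decodes to #{byte_size(key)} bytes, expected #{@key_bytes}"

      :error ->
        raise ArgumentError, "#{env_var} is not valid Base64"
    end
  end
end
```

Generate the value once with `KeyHelper.generate_encoded_key()`, store the printed string in `CLOAK_KEY` in your secret store or deployment environment, and pass `KeyHelper.load_key!()` (or the equivalent inline `Base.decode64!(System.get_env("CLOAK_KEY"))`) as the `key:` value in the config shown earlier in this thread. Because the key is random rather than derived from a memorable phrase, there is nothing to guess; the flip side is the point raised below, that the Base64 string is the only copy and must be backed up.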

@acrolink

> If you intend to store your key in an environment variable, you'll need to Base64 encode/decode it as shown in the docs.

And if the key gets lost, all data encrypted with it will become useless (non-recoverable), true?
