Encryption enabled browser storage
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
3rd-party
dist
tests
.gitignore
.gitmodules
.travis.yml
LICENSE
README.md
bower.json
crypt.io.js
package.json

README.md

crypt.io Build Status

crypt.io implements secures browser storage with the SJCL (Stanford Javascript Crypto Libraries) crypto library.

Options:

  • passphrase: {String} User supplied passphrase
  • storage: {String} Storage engine to use; local, session or cookies

Examples:

Here are a few examples of use to get you started.

Default use

Saving data...

var storage = cryptio
  , inventory = [{
      "SKU": "39-48949",
      "Price": 618,
      "Item": "Snowboard"
    }, {
      "SKU": "99-28128",
      "Price": 78.99,
      "Item": "Cleats"
    }, {
      "SKU": "83-38285",
      "Price": 3.99,
      "Item": "Hockey Puck"
    }];

storage.set('inventory', inventory, function(err, results){
  if (err) throw err;
  console.log(results);
});

Retrieving data...

var storage = cryptio;

storage.get('inventory', function(err, results){
  if (err) throw err;
  console.log(results);
});

Storage option

Want to use a different storage engine like the HTML5 sessionStorage feature?

var options = {
  storage: 'session',
};

Or some depreciated cookies? This is the least tested option

var options = {
  storage: 'cookies',
};

Extra security

While providing a transparent method of encryption for objects within the client prevents the need for user interaction, in terms of security in the event of a same-origin, dom rebinding attack coupled with a man- in-the-middle scenario or a malicious browser add-on it would be more secure to prompt the user for his/her passphrase.

Here is an example of user input for the passphrase.

var pass = window.prompt("Please enter password...", "a custom password");

var options = {
  passphrase: pass
};

storage.set(options, 'inventory', inventory, function(err, results){
  if (err) throw err;
  console.log(results);
});

storage.get(options, 'inventory', function(err, results){
  if (err) throw err;
  console.log(results);
});

For the paranoid

Here is a robust example of saving & retrieving data implementing a user defined password based on their input while also using key stretching techniques to further enhance the security of the key used as well as using a tempoary storage option such as sessionStorage for the current authenticated session.

Saving data (please keep in mind that a static value for the salt is not recommended)

var pass = window.prompt("Enter password to protect saved data", "");

var options = {
  passphrase: sjcl.codec.base64.fromBits(sjcl.hash.sha256.hash(sjcl.misc.pbkdf2(pass, sjcl.random.randomWords(2), 100000, 512)))
};

storage.set(options, 'inventory', inventory, function(err, results){
  if (err) throw err;
  console.log(results);
});

storage.get(options, 'inventory', function(err, results){
  if (err) throw err;
  console.log(results);
});

Warning:

For the obligitory read regarding Javascript Encryption and the security implications please read 'NCC Group - Javascript Cryptography Considered Harmful'

Requirements:

Installation:

Three methods are available for setup and use; using bower, cloning & manual

Yarn

To setup using yarn

%> yarn add crypt.io

Bower (depreciated)

To setup using bower

%> bower install crypt.io

Clone w/ git

To setup using git

%> git clone --recursive https://github.com/jas-/crypt.io.git

Manual

Copy the crypt.io.min.js and the sjcl libraries to your web project and include them like so.

<script src="/path/to/sjcl.js"></script>
<script src="/path/to/crypt.io.min.js"></script>

Support:

Found a bug? Want a feature added? General feedback or kudos? Please open an issue so I can address it. Thanks!