Skip to content

jcoglan/vault-cipher

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

155 Commits

bin

bin

 
 

build

build

 
 

compat

compat

 
 

lib

lib

 
 

spec

spec

 
 

.gitignore

.gitignore

 
 

.npmignore

.npmignore

 
 

.travis.yml

.travis.yml

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

package.json

package.json

 
 

webpack.config.js

webpack.config.js

 
 

Repository files navigation

vault-cipher Build Status

Provides a high-level authenticated encryption API that Vault uses to encrypt its stored settings. On Node, it's backed by the crypto module, while in the browser it uses asmCrypto. Random values are generated with crypto.randomBytes() or crypto.getRandomValues() where available.

The encryption algorithm is an encrypt-then-MAC scheme based on AES and HMAC.

  • The given secret is used to derive an encryption key and a signing key using PBKDF2
  • The plaintext is padded to a multiple of the AES block size using PKCS#7
  • A random iv is selected using crypto.randomBytes()
  • The plaintext is encrypted using AES-256-CBC with the encryption key and iv to produce ciphertext
  • iv and ciphertext are concatenated and signed using HMAC-SHA-256 with the signing key to produce mac
  • The result is the concatenation of iv, ciphertext and mac
+--------+      +--------+      +----------------+----------------+
| secret |----->| PBKDF2 |----->| encryption key |  signing key   |
+--------+      +--------+      +----------------+----------------+
                                    |                     |
+---------+                         V                     |
| message |------------------>+-------------+             |
+---------+     +----+        | AES-256-CBC |             |
                | iv |------->+-------------+             |
                +----+              |                     |
                   |                |                     |
                   V                V                     V
              +----------+------------------+     +--------------+
              |    iv    |    ciphertext    |---->| HMAC-SHA-256 |
              +----------+------------------+     +--------------+
                      |               |                 |
                      V               V                 V
                  +----------+------------------+-----------+
                  |    iv    |    ciphertext    |    mac    |
                  +----------+------------------+-----------+

Its high-level API provides a simple way to encrypt and decrypt text:

var Cipher = require('vault-cipher'),
    cipher = new Cipher('your secret key');

var ciphertext = cipher.encrypt('some text');

cipher.decrypt(ciphertext) // -> 'some text'

Settings

The cipher is configurable by passing options to the constructor, for example:

var cipher = new Cipher('secret key', { format: 'hex', work: 1000 })

The available options are:

  • format: the output format of the ciphertext, either base64 (default) or hex
  • salt: a salt string used during PBKDF2 key derivation, defaults to a GUID embedded in the library
  • work: the number of PBKDF2 iterations used to derive the encryption and signing keys, default is 10,000

About

High-level authenticated encryption API used by Vault

Resources

Readme

License

View license

Code of conduct

Code of conduct
Activity

Stars

9 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases

5 tags

Packages

No packages published

Languages