Replace deprecated crypto.createDecipher() and crypto.createCipher() Node.js methods

index.js

@@ -229,8 +229,16 @@ class Conf {
 
 			if (this.encryptionKey) {
 				try {
-					const decipher = crypto.createDecipher(encryptionAlgorithm, this.encryptionKey);
-					data = Buffer.concat([decipher.update(data), decipher.final()]);
+					// Check if an IV has been used to encrypt the data
+					if (data.slice(16, 17).toString() === ':') {
+						const iv = data.slice(0, 16);
+						const pass = crypto.pbkdf2Sync(this.encryptionKey, iv.toString(), 10000, 32, 'sha512');
+						const decipher = crypto.createDecipheriv(encryptionAlgorithm, pass, iv);
+						data = Buffer.concat([decipher.update(data.slice(17)), decipher.final()]);
+					} else {
+						const decipher = crypto.createDecipher(encryptionAlgorithm, this.encryptionKey);
+						data = Buffer.concat([decipher.update(data), decipher.final()]);
+					}
 				} catch (_) {}
 			}
 
@@ -260,8 +268,10 @@ class Conf {
 		let data = this.serialize(value);
 
 		if (this.encryptionKey) {
-			const cipher = crypto.createCipher(encryptionAlgorithm, this.encryptionKey);
-			data = Buffer.concat([cipher.update(Buffer.from(data)), cipher.final()]);
+			const iv = crypto.randomBytes(16);
+			const pass = crypto.pbkdf2Sync(this.encryptionKey, iv.toString(), 10000, 32, 'sha512');
+			const cipher = crypto.createCipheriv(encryptionAlgorithm, pass, iv);
+			data = Buffer.concat([iv, Buffer.from(':'), cipher.update(Buffer.from(data)), cipher.final()]);
 		}
 
 		writeFileAtomic.sync(this.path, data);

readme.md

@@ -129,9 +129,9 @@ The only use-case I can think of is having the config located in the app directo
 Type: `string` `Buffer` `TypedArray` `DataView`<br>
 Default: `undefined`
 
-Note that this is **not intended for security purposes**, since the encryption key would be easily found inside a plain-text Node.js app.
+This can be used to secure sensitive data if the encryption key is stored in a secure manner (not plain-text) in the Node.js app side.
 
-Its main use is for obscurity. If a user looks through the config directory and finds the config file, since it's just a JSON file, they may be tempted to modify it. By providing an encryption key, the file will be obfuscated, which should hopefully deter any users from doing so.
+In addition to security, this could be used for obscurity. If a user looks through the config directory and finds the config file, since it's just a JSON file, they may be tempted to modify it. By providing an encryption key, the file will be obfuscated, which should hopefully deter any users from doing so.
 
 It also has the added bonus of ensuring the config file's integrity. If the file is changed in any way, the decryption will not work, in which case the store will just reset back to its default state.
 

test.js

@@ -360,6 +360,12 @@ test('encryption - corrupt file', t => {
 	t.is(after.get('foo'), undefined);
 });
 
+test('decription migration to IV', t => {
+	// The encrypted_config.json contain '{'unicorn', '🦄'}' encrypted with conf@4.1.0 and password 'abcd1234'
+	const config = new Conf({cwd: './test', encryptionKey: 'abcd1234', configName: 'encrypted_config'});
+	t.deepEqual(config.store, {unicorn: '🦄'});
+});
+
 test('onDidChange()', t => {
 	const {config} = t.context;
 

test/encrypted_config.json

@@ -0,0 +1 @@
+��/���㵪�M�z^��^m����9!�W?�