Securely encrypt sensitive files for use in public source control. Find on NPM.
What is it?
node-cipher is both a command line tool and a Node JS API which allows you to easily encrypt or decrypt files containing sensitive information. In doing so, you can safely add encrypted files to a public repository, even if they contain sensitive API keys and passwords. Requires Node 4 or above.
Why use it?
As an individual, you may want to publicly share a personal repository on GitHub or Bitbucket, but some config files or environment variable files within your project may contain sensitive information like API keys and passwords. Instead of removing such a file from source control entirely, you can scramble its contents with node-cipher and commit the encrypted file. This way, you only need to decrypt the file when you clone the repository, instead of re-writing it from scratch whenever you make a fresh clone and don't have the original file.
This also applies in a team setting: even if a repository is private, additional protection for sensitive information may still be desired. Share the encryption password and options with your team members once, and they can decrypt the necessary files when they clone the repository, or later if the files are modified. If any changes are made to these files, simply re-encrypt and commit them. Without node-cipher, every modification would have to be communicated to all team members so that they could make the corresponding adjustments.
Just remember to add the unencrypted file to
How does it work?
Encryption is a two-step process: first an encryption key is derived from the given password and options, then this key is used together with the chosen cipher algorithm to build a Cipher object that encrypts the contents of the input file, and the encrypted contents are written to the output file. Both steps are described in more detail below.
1. Password-based key derivation
To derive the encryption key, node-cipher implements password-based key derivation via the crypto.pbkdf2 function. The chosen HMAC digest algorithm (-d) is used to derive a key of the requested byte length (-l) from the given password (-p), salt (-s), and iterations (
Note that the salt, iterations, byte length, and digest hash all have default values set in the node-cipher source code, so every user who does not override them shares the same publicly known salt. For added security it is recommended that these be customized by the end user and kept secret (a secret salt is sometimes referred to as a "pepper"). For basic usage, you really only need to set the password.
2. Cipher object generation
Once the key has been obtained, node-cipher creates a Cipher object from the derived key and the chosen algorithm (-a) via the crypto.createCipher function. createCipher treats its key argument as a password: the actual cipher key and initialization vector (IV) are derived from it by the OpenSSL function EVP_BytesToKey, and those are what encrypt the contents of the input file. The input file is read and piped through this Cipher object, which scrambles the contents before streaming them into the desired output file.

A caveat worth knowing: EVP_BytesToKey, as used by createCipher, runs a single MD5 round with no salt, so the key and IV are a fixed function of the derived key. Encrypting the same file twice with the same password therefore produces identical ciphertext, and in CBC mode two files with a common prefix produce ciphertexts with a common prefix. For these reasons crypto.createCipher has been deprecated since Node 10 and removed in Node 22 in favour of crypto.createCipheriv with an explicit, randomly generated IV.
Install globally to use the command line interface:
$ npm install -g node-cipher
Install locally to use the Node JS API:
$ npm install node-cipher
node-cipher documentation is rather extensive and is therefore split into two sections:
- Command Line Interface: documentation on how to use node-cipher in the command line.
- Node JS API: documentation on how to use node-cipher within Node JS.
Password (-p): A string that the final encryption key is derived from. This should be as strong as possible.
Algorithm (-a): A cipher algorithm used together with the derived key to create the cipher function that will encrypt or decrypt the chosen input file. Use $ nodecipher --algorithms to see a list of available cipher algorithms. Default
Salt (-s): A string or buffer used together with the password, byte length, digest, and iterations to derive the encryption key. This should be as unique as possible; it is recommended that salts are random and at least 16 bytes long. Default
Iterations: An integer representing the number of PBKDF2 iterations used to derive the key, together with the password, salt, byte length, and digest. The higher the number of iterations, the more expensive a brute-force attack on the password becomes, but the longer derivation takes. Default
Byte length (-l): An integer representing the desired byte length of the derived key. This is used together with the password, salt, digest, and iterations to derive the encryption key. Default
Digest (-d): An HMAC digest algorithm used together with the password, salt, byte length, and iterations to derive the key. Use $ nodecipher --hashes to see a list of available HMAC hashes. Default
node-cipher v6.2.0 and later implements the configuration loader rc to help you define global encryption options for your project. Simply name the file .nodecipherrc and populate it with any of the node-cipher options defined in the Node JS API. These options extend the node-cipher defaults and are applied any time you encrypt or decrypt a file. They can be overridden by passing the options directly via the command line or the Node JS API.
node-cipher implements debug for development logging. To configure node-cipher with debug, set the DEBUG environment variable to nodecipher:* on the command line.
On Unix-like shells:
$ export DEBUG=nodecipher:*
On Windows (cmd):
$ set DEBUG=nodecipher:*
Nothing is ever completely secure.
node-cipher provides you with the tools to create a strongly-encrypted file, but that does not mean it's uncrackable. As stated in the MIT license, I, and any subsequent authors or copyright holders of this software, are not liable for any damages that arise from or in connection with this software. See the license file for the full text.