Skip to content
This repository has been archived by the owner on Aug 6, 2023. It is now read-only.

saylorsolutions/passlock

Repository files navigation

Archived!

The functionality here has been moved to gocryptx to consolidate it with other cryptographic helpers, and to extend its capabilities and usability. Because of this migration, this repository is being archived and will no longer be maintained in any way. Please see the linked repository for more details and updates.

Password Lock

This library provides an easy to use and well tested method to AES encrypt data based on a user provided password generated key.

It's certainly better to use more randomly generated keys, but this process is still sufficiently secure as to make passive compromise of data all but impossible.

Evaluate Your Risk

While we make every attempt to adhere to encryption best practices and mitigate known and potential vulnerabilities, bugs happen, and people make mistakes. This library has not been independently reviewed or vetted by an independent security research individual or organization. This is not intended to hide information from well funded government agencies or NGOs. It relies on algorithms thought to be secure at the time of this writing, but these things change. Please refer to the tech notes and vulnerability reporting guidelines below to evaluate your own level of risk and report security issues. Please see the LICENSE file for full terms and conditions of use.

Using the Library

Since the idea is to make this as easy to use as possible, there are a total of 2 functions provided by this library. One for encryption, and one for decryption.

Encrypt Data

Use the EncryptBytes function with the password and data as parameters to generate a salted key from the password bytes, check the error return value, and create the cipher text. The GCM and password salts are both added to the cipher text, so there's no need to track anything other than the password to decrypt the data.

Decrypt Data

Decryption works the same way. The same password should be provided to DecryptBytes along with the cipher text to get the plain text. If the authenticity of the cipher text cannot be verified with the salt, then the data will not be decrypted, and the error returned will be non-nil. Of course, if the password and salt does not generate the correct key, then the data will not be decrypted, and the returned error will be non-nil.

Technical details

  • Uses golang.org/x/crypto for all crypto functions. No "roll-your-own"s here.
  • Uses a scrypt generated key to nullify the risk of rainbow tables, and to ensure that the password generation process is costly enough that brute forcing the password is highly impractical.
  • The encryption key bytes are fed into an AES GCM block cipher which encrypts the data.

Reporting Security Issues

If you believe you've found a security vulnerability in this library, please email [email protected] from a deliverable email address explaining the situation, so we can verify and fix the problem without endangering users.

Thank you!

About

No description, website, or topics provided.

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages