README
¶
cryptutils
cryptutils is a set of common Go packages for doing encryption using
NaCl and Ed25519 keys. It also includes a set of command line tools:
- secrets: command-line secrets manager
- otpc: command-line two-factor authentication token manager
- journal: password-backed journal
- passcrypt: password-based file encryption
The useful tools are all password-based at this time. secrets, otpc,
and journal are all based on a common secret storage system. The
secrets program provides a general-purpose secret management system;
journal and otpc provide specialised interfaces for specific types
of secrets (notes and TOTP/HOTP keys, respectively).
The programs are in the cmd/ subdirectory; each project has its own
README.
The cryptography
cryptutils uses NaCl's secretbox (Salsa20 and Poly1305) for
secret-key encryption, NaCl's box (Curve25519, Salsa20, and Poly1305)
for public-key encryption, and Ed25519 for digital
signatures. Typically, secret keys are derived in one of ways: via
Scrypt, or via an ECDH exchange. For Scrypt, the parameters N=1048576,
r=8, and p=1 are used. This makes generating keys using this expensive
(typically, around 5 seconds on my 2.6 GHz i5 machine with 6G of
RAM). When encrypting messages using public keys, an ephemeral key is
generated for the encryption and a shared key is derived from
this. The public key is prepended to the message for extraction by the
recipient. When signing and encrypting using public keys, the message
is signed before encrypting. The recipient will decrypt, then validate
the signature.
NOTE: previous versions used N=32768, and will need to use the
migrate-store utility to migrate the store over (or use the previous
versions).
Motivation and history
I hated depending on my phone for managing two-factor authentication
(I prefer to not carry it around), which led to the first iteration of
otpc. This used Scrypt and NaCl to secure the tokens. Later, I
wanted a password manager that I could use on the command-line and
send passwords to xclip (or pbcopy if I was on a Mac); the first
iteration of password copied the crypto.go file from
otpc. Finally, I wanted to replace sshcrypt with a
NaCl/Ed25519-based system; at this point, I realised that it would be
easier to refactor the crypto components into a common set of
packages. This included building a generalised keyring for fcrypt
and, realising that the same data structure lent itself well to
password and otpc, a common datastore for secrets. Eventually,
passwords was renamed to secrets when I began to use it for
manipulating the otpc store, letting me keep a lot of unnecessary
functionality out of otpc. At some point, I realised the datastore
could also be used for storing journal entries, and added a journaling
front end.
Dependencies
- golang.org/x/crypto
- github.com/agl/ed25519
- github.com/conformal/yubikey
- github.com/gokyle/readpass
License
cryptutils is licensed under the ISC license.
Documentation
¶
Overview ¶
Package cryptutils contains a variety of utilities that are built on a common set of NaCl-based tools.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
journal
journal is a secure journaling program.
|
journal is a secure journaling program. |
|
migrate-store/legacy
Package secret contains utilities for encrypting and decrypting data with secret keys; it is aimed primarily at password-based encryption.
|
Package secret contains utilities for encrypting and decrypting data with secret keys; it is aimed primarily at password-based encryption. |
|
passcrypt
passcrypt is a utility for encrypting a file with a password.
|
passcrypt is a utility for encrypting a file with a password. |
|
rocli
delegate hooks into the secret store to perform a Red October delegation.
|
delegate hooks into the secret store to perform a Red October delegation. |
|
common
|
|
|
auth
Package auth contains one-time password authentication functionality for implementing authentication in a system design.
|
Package auth contains one-time password authentication functionality for implementing authentication in a system design. |
|
auth/examples/login
The login program accepts two commands: "register", to set up new users, and "run"
|
The login program accepts two commands: "register", to set up new users, and "run" |
|
public
Package public contains utilities for public key encryption with Curve25519 and digital signatures with Ed25519.
|
Package public contains utilities for public key encryption with Curve25519 and digital signatures with Ed25519. |
|
secret
Package secret contains utilities for encrypting and decrypting data with secret keys; it is aimed primarily at password-based encryption.
|
Package secret contains utilities for encrypting and decrypting data with secret keys; it is aimed primarily at password-based encryption. |
|
store
Package store contains two types of secure stores: a store that contains secrets, such as might be used by a password manager, and a store that contains public keys, such as might be used by a PGP-like system.
|
Package store contains two types of secure stores: a store that contains secrets, such as might be used by a password manager, and a store that contains public keys, such as might be used by a PGP-like system. |
|
tlv
Package tlv implements a tag-length-value encoding scheme for use in packing flat data structures with a fixed format.
|
Package tlv implements a tag-length-value encoding scheme for use in packing flat data structures with a fixed format. |
|
util
Package util contains utility code common to the cryptutils programs.
|
Package util contains utility code common to the cryptutils programs. |