FutoIn Secure Vault (SV) is a concept to minimize sensitive cryptographic data exposure in projects. It allows different type of key management, data encryption and signing.
This reference implementation is based on encrypted SQL storage. However, the same interface can be implemented in Host Secure Modules (HSM) on demand.
Features:
- Key types:
- AES
- RSA
- HMAC
- Password (plain password)
- Key derivation:
- PBKDF2
- HKDF
- Key manipulations:
- Generation
- Injection
- Encrypted injection
- Plain exposure
- Encrypted exposure
- Wipe out
- Derivation
- Public key exposure
- Data manipulations
- Encryption & Decryption
- Signing & Verification
Documentation --> FutoIn Guide
Reference implementation of:
Author: Andrey Galkin
Command line:
$ npm install futoin-secvault --saveor:
$ yarn add futoin-secvault --save- DataFace
Data Face
- DataService
Data Service
- KeyFace
Keys Face
- KeyService
Key Service
- BaseFace
Base Face with neutral common registration functionality
- BaseService
Base Service with common registration logic
- AESPlugin
AES plugin
- HKDFPlugin
HKDF plugin
- HMACPlugin
HMAC plugin
- PasswordPlugin
Password plugin
Allows passwords from 4 to 255 unicode characters in length. Supports custom characters set through options.chars.
Supports secure password verification.
- PBKDF2Plugin
PBKDF2 plugin
- RSAPlugin
RSA plugin
- VaultPlugin
Base for SecVault plugins
- CachedStorageWrapper
Storage wapper with advanced caching & invalidation
- DBStorage
Database Encrypted secret storage
- EncryptedStorage
Encrypted secret storage base
Assume there is
- KeyInfo
Sealed key info
- SQLStorage
SQL secret storage
- Storage
Secret storage base
Data Face
Data Service
Keys Face
Key Service
Base Face with neutral common registration functionality
Kind: global class
Note: Not official API
Latest supported FTN13 version
Kind: static property of BaseFace
Latest supported FTN4 version
Kind: static property of BaseFace
CCM registration helper
Kind: static method of BaseFace
| Param | Type | Default | Description |
|---|---|---|---|
| as | AsyncSteps |
steps interface | |
| ccm | AdvancedCCM |
CCM instance | |
| name | string |
CCM registration name | |
| endpoint | * |
see AdvancedCCM#register | |
| [credentials] | * |
|
see AdvancedCCM#register |
| [options] | object |
{} |
interface options |
| [options.version] | string |
"1.0" |
interface version to use |
Base Service with common registration logic
Kind: global class
C-tor
| Param | Type | Default | Description |
|---|---|---|---|
| storage | Storage |
low-level storage instance | |
| options | object |
passed to superclass c-tor | |
| options.failure_limit | integer |
10000 |
limit crypt key decrypt failures |
Register futoin.xfers.limits interface with Executor
Kind: static method of BaseService
Returns: LimitsService - instance
| Param | Type | Description |
|---|---|---|
| as | AsyncSteps |
steps interface |
| executor | Executor |
executor instance |
| storage | Storage |
low-level storage instance |
| options | object |
implementation defined options |
AES plugin
Register this plugin
Kind: static method of AESPlugin
HKDF plugin
Register this plugin
Kind: static method of HKDFPlugin
HMAC plugin
Register this plugin
Kind: static method of HMACPlugin
Password plugin
Allows passwords from 4 to 255 unicode characters in length. Supports custom characters set through options.chars.
Supports secure password verification.
Register this plugin
Kind: static method of PasswordPlugin
PBKDF2 plugin
Register this plugin
Kind: static method of PBKDF2Plugin
RSA plugin
Register this plugin
Kind: static method of RSAPlugin
Base for SecVault plugins
Kind: global class
- VaultPlugin
- instance
- .defaultBits()
- .isAsymetric() ⇒
boolean - .generate(as, options)
- .validateKey(as, key)
- .derive(as, base, bits, hash, options)
- .pubkey(as, key, options)
- .encrypt(as, key, data, options)
- .decrypt(as, key, edata, options)
- .sign(as, key, data, options)
- .verify(as, key, edata, sig, options)
- .random(as, size)
- static
- instance
Default bits to use, if applicable
Kind: instance method of VaultPlugin
Check if type conforms to asymmetric cryptography requirements
Kind: instance method of VaultPlugin
Returns: boolean - true, if assymetric
Generate new key
Kind: instance method of VaultPlugin
Note: passes raw key buffer to the next step
| Param | Type | Description |
|---|---|---|
| as | AsyncSteps |
AsyncSteps interface |
| options | object |
implementation-defined options |
| options.bits | integer |
key length, if applicable |
Validate key data
Kind: instance method of VaultPlugin
| Param | Type | Description |
|---|---|---|
| as | AsyncSteps |
AsyncSteps interface |
| key | Buffer |
key data to validate |
Derive new key
Kind: instance method of VaultPlugin
Note: passes raw key buffer to the next step
| Param | Type | Default | Description |
|---|---|---|---|
| as | AsyncSteps |
AsyncSteps interface | |
| base | Buffer |
base key as is | |
| bits | integer |
key length | |
| hash | string |
hash name to use | |
| options | object |
implementation-defined options | |
| options.salt | string |
"''" |
salt, if any |
| options.info | string |
"''" |
info, if any |
| options.rounds | integer |
1000 |
rounds, if any |
Get public key from private key
Kind: instance method of VaultPlugin
Note: passes raw key buffer to the next step
| Param | Type | Description |
|---|---|---|
| as | AsyncSteps |
AsyncSteps interface |
| key | Buffer |
raw private key |
| options | object |
implementation-defined options |
Encrypt arbitrary data
Kind: instance method of VaultPlugin
Note: Passes Buffer { edata | iv | authtag } to the next step
| Param | Type | Default | Description |
|---|---|---|---|
| as | AsyncSteps |
AsyncSteps interface | |
| key | Buffer |
raw key | |
| data | Buffer |
raw data | |
| options | object |
implementation-defined options | |
| options.iv | Buffer |
|
custom IV, if needed |
| options.aad | Buffer |
|
additional data, if supported |
Decrypt arbitrary data
Kind: instance method of VaultPlugin
Note: Passes Buffer of raw data to the next step
| Param | Type | Description |
|---|---|---|
| as | AsyncSteps |
AsyncSteps interface |
| key | Buffer |
raw key |
| edata | object |
encrypted data as generated by encrypt |
| options | object |
implementation-defined options |
| options.aad | string |
additional authentication data, if applicable |
Encrypt arbitrary data
Kind: instance method of VaultPlugin
Note: Passes Buffer { sig } to the next step
| Param | Type | Description |
|---|---|---|
| as | AsyncSteps |
AsyncSteps interface |
| key | Buffer |
raw key |
| data | Buffer |
raw data |
| options | object |
implementation-defined options |
| options.hash | string |
hash name, if applicable |
Decrypt arbitrary data
Kind: instance method of VaultPlugin
Note: Passes Buffer of raw data to the next step
| Param | Type | Description |
|---|---|---|
| as | AsyncSteps |
AsyncSteps interface |
| key | Buffer |
raw key |
| edata | object |
encrypted data as generated by encrypt |
| sig | Buffer |
signature to verify |
| options | object |
implementation-defined options |
| options.hash | string |
hash name, if applicable |
Common API to generate random data
Kind: instance method of VaultPlugin
Note: Passes Buffer of renadom data to the next step
| Param | Type | Description |
|---|---|---|
| as | AsyncSteps |
AsyncSteps interface |
| size | integer |
how many bytes to generate |
Register plugin
Kind: static method of VaultPlugin
| Param | Type | Description |
|---|---|---|
| name | string |
plugin identifier |
| impl | VaultPlugin |
plugin implementation |
VaultPlugin.getPlugin(name) ⇒ VaultPlugin
Get plugin by name
Kind: static method of VaultPlugin
Returns: VaultPlugin - plugin instance
| Param | Type | Description |
|---|---|---|
| name | string |
plugin identifier |
Storage wapper with advanced caching & invalidation
C-tor
| Param | Type | Description |
|---|---|---|
| ccm | AdvancedCCM |
CCM instance |
| target | Storage |
target slow storage |
| options | object |
extra options for fine tune |
| options.evtpushExecutor | object |
executor instace with PushService |
| [options.cacheSize] | integer |
max cache entries |
| [options.ttlMs] | integer |
Cache Time-To-Live in ms |
| [options.syncDelayMs] | integer |
Cache Sync delay in ms |
| [options.syncThreads] | integer |
Cache Sync parallelism |
Database Encrypted secret storage
Encrypted secret storage base
Assume there is
Kind: global class
Configure common storage secret which is used to encrypt keys
Kind: instance method of EncryptedStorage
| Param | Type | Default | Description |
|---|---|---|---|
| as | AsyncSteps |
AsyncSteps interface | |
| secret | Buffer |
some arbitrary secret | |
| cipher_opts | object |
{} |
options for encryption/decryption |
| cipher_opts.type | string |
"AES" |
cipher type |
| cipher_opts.bits | integer |
256 |
key length for KDF |
| cipher_opts.mode | string |
"GCM" |
cipher block mode |
| cipher_opts.aad | string |
"SecVault" |
additional auth data |
| kdf_opts | object | null |
{} |
KDF options, null to disable |
| kdf_opts.type | string |
"HKDF" |
KDF type |
| kdf_opts.salt | string |
"SecVault" |
KDF salt |
| kdf_opts.info | string |
"KEK" |
info parameter for HKDF |
| kdf_opts.rounds | string |
1000 |
rounds for PBKDF2 |
Check if storage is locked
Kind: instance method of EncryptedStorage
Returns: boolean - true, if locked
Sealed key info
C-tor
| Param | Type | Default | Description |
|---|---|---|---|
| info | object |
{} |
optional default values |
SQL secret storage
C-tor
| Param | Type | Default | Description |
|---|---|---|---|
| ccm | AdvancedCCM |
CCM instance with registered 'secvault' DB | |
| options | object |
options | |
| options.key_table | string |
"enc_keys" |
name of encrypted key table |
Secret storage base
Kind: global class