tokencrypt (3ncr.org)
3ncr.org is a standard for string encryption/decryption (algorithms + storage format). Originally it was intended for
encryption tokens in configuration files.
3ncr.org v1 uses modern cryptographic primitives (SHA3-256, AES-256-GCM) and is fairly simple:
header + base64(iv + data + tag)
Encrypted data looks like this 3ncr.org/1#pHRufQld0SajqjHx+FmLMcORfNQi1d674ziOPpG52hqW5+0zfJD91hjXsBsvULVtB017mEghGy3Ohj+GgQY5MQ
This is a golang implementation.
Usage
tokenCrypt := tokencrypt.NewTokenCrypt(secret, salt, 1000);
secret
and salt
- are encryption keys (technically one of them is key, another is salt, but you need to store them both somewhere, preferably in different places).
You can store them any preferred places: environment variables, files, shared memory, drive from hardware serial numbers or MAC addresses. Be creative.
1000
- is a number of PBKDF2 rounds.
The more is better and slower.
If you are sure that your secrets are long and random, you can keep this value reasonable low.
After you created an instance, you can just use Encrypt3ncr and DecryptIf3ncr methods:
token := "08019215-B205-4416-B2FB-132962F9952F"; // your secret you want to encrypt
encryptedSecretToken, _ := tokenCrypt.Encrypt3ncr(token);
// now encryptedSecretToken == "3ncr.org/1#pHRufQld0SajqjHx+FmLMcORfNQi1d674ziOPpG52hqW5+0zfJD91hjXsBsvULVtB017mEghGy3Ohj+GgQY5MQ"
// ... some time later in another context ...
decryptedSecretToken, _ = tokenCrypt.DecryptIf3ncr(encryptedSecretToken);
// now decryptedSecretToken == "08019215-B205-4416-B2FB-132962F9952F";
Method DecryptIf3ncr returns the same string if supplied argument does not start with 3ncr.org value. It is safe to pass through it all values from your configuration file.
Command line utility
tokencrypt-cmd
is an interactive command-line utility that does encryption/decryption