Version: v0.0.0-...-94b69c0 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Aug 16, 2021 License: MIT


HPKE Message Encryption with Caddy Module


This repo is in development, do not use it in production! HPKE Schema is still a DRAFT and used implementation from cloudflare is still not stable and audited.


  • Middleware for Caddy
  • Decrypt payload of HPKE messages, redirect to destination from Caddyfile and encrypt response
  • Suitable for environment where preceding services do not guaranty a continuous TLS Connection.
  • HPKE Schema settings
    • KEM using X448 Diffie-Hellman function and HKDF with SHA-512.
      Because this is considered a safe curve with a high level of security.
    • KDF using HKDF with SHA-512.
    • AES-256 block cipher in Galois Counter Mode (GCM).
      Because, this is as an authenticated encryption algorithm which is widely known and used.

CPU Penalty

First benchmarks show that this middleware take around 1.5ms in CPU time. (In this very early state with no optimization)

cpu: AMD Ryzen 7 PRO 4750U with Radeon Graphics
BenchmarkEncryptAndDecryptRoundtrip-16    	     778	   1504594 ns/op	   63845 B/op	     528 allocs/op


Just add your private key in the caddyfile and all messages will be decrypted and responses encrypted.

:2019 {
        reverse_proxy :2020

        hpke {
                # Public Key NJV4AX2S...
                private_key "3473XZMGD..."

Use Case

Send a message from your Go application with the module encrypted with HPKE to a caddy server. This caddy server uses this extension to encrypt the message and acts as a reverse proxy. So you can ensure security based on the message and not based on transport security, which can be terminated or sniffed with SSL Inspection in controlled environments.


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL