Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@matrixai/polykey
Advanced tools
js-polykey is the library used in the distributed secret sharing PolyKey
app. You can find the actual application here. A polykey node is comprised of one or many Vaults to store Secrets. These vaults are encrypted with keys derived from the master private key. Secrets always remain encrypted on disk and are only decrypted in memory. All you need to connect with and share secrets with another keynode on the same local area network is it's public key, poykey takes care of discovery. Once connected, you can securely share vaults with each other and polykey will ensure those vaults are synced.
PolyKey requires a public/private keypair for all crypto operations, this can be provided to a pre-initialized KeyManager instance before polykey is initialized or it can be generated (this is the default).
In order to better understand how the pieces of PolyKey fit together, use this dependency DAG as reference:
This class is responsible for managing the public and private keys as well as any crypto operations using those keys. The symmetric vault keys are also managed by this instance.
The KeyManager is able to be loaded separately to the PolyKey main class and then passed into PolyKey. This is useful for loading the keypair prior to initializing PolyKey.
// Initialize key manager first const keyManager = new KeyManager() await keyManager.loadKeyPair('./keys/private.key', './keys/public.key') // Initialize polykey instance const pk = new PolyKey(keyManager)
The key manager class can generate new symmetric keys using key derivation and the loaded private key
const newKey = await keyManager.generateKey('secret passphrase')
PolyKey uses jest to test:
jest
Note: sometimes grpc-js can complain about the ssl certificates in tmp/
with a non-descriptive error of "No connection established". Best way to solve this is to remove the certs, start the CA server and re-issue the certs with ./scripts/generate_ssl_certs.sh
.
Here is a demo of the CLI on asciinema.
The PolyKey CLI exposes various git-style sub commands that can be used to manipulate the PolyKey node:
Usage: polykey [options] [command] Options: --version output the current version -h, --help display help for command Commands: keys manipulate keys secrets manipulate secrets for a given vault vaults manipulate vaults crypto crypto operations agent control the polykey agent help [command] display help for command
Usage looks like the following:
polykey agent ... polykey vaults ... # Sub commands are heirarchical like so: polykey vaults new ... polykey secrets delete ...
PolyKey also exposes a helpful alias, pk
, to make typing out commands a little quicker:
pk secrets ... pk crypto ...
If you ever get stuck, every sub command has a help flag:
# Either one of -h or --help will do pk -h pk vaults --help pk secrets new -h
With this command you can manipulate the polykey agent including starting/restarting/stopping the agent, creating/importing a new polykey node, and getting the agent status.
Usage: polykey agent [options] [command] control the polykey agent Options: -h, --help display help for command Commands: start [options] start the agent restart [options] restart the agent status retrieve the status of the agent stop [options] stop the agent list|ls [options] list all the nodes controlled by the node create [options] create a new polykey node load [options] load an existing polykey node help [command] display help for command
Example usage:
# managing the polykey agent pk agent stop pk agent start # restart the agent as a daemon pk agent restart -d pk agent status # agent status is 'online' # create a new polykey node pk agent create -k '~/NewPolykeyNode' -n 'John Smith' -e 'john@email.com' -p 'passphrase' # load an existing node pk agent load -k '~/NewPolykeyNode' -p 'passphrase' # list the nodes managed by agent pk agent list # ~/NewPolykeyNode
Note: Polykey also provides the ability to set an environment variable, PK_PATH
, instead of specifying the node path with -k '~/NewPolykeyNode'
This command is used to interact with PolyKey's KeyManager. With this command you can generate new keys, list keys and more.
Usage: polykey keys [options] [command] manipulate keys Options: -h, --help display help for command Commands: new [options] derive a new symmetric key delete [options] delete a symmetric key from the key manager list|ls [options] list all symmetric keys in the keynode get [options] get the contents of a specific symmetric key primary [options] get the contents of the primary keypair help [command] display help for command
Example usage:
# create a new key pk keys new -n 'NewKey' -p 'Key Passphrase' # deleting an existing key pk keys delete -n 'NewKey' # list all existing keys pk keys list # 'NewKey' # list primary key with private key included pk keys primary -p # Public Key: # -----BEGIN PGP PUBLIC KEY BLOCK----- # ... # -----END PGP PUBLIC KEY BLOCK----- # # Private Key: # -----BEGIN PGP PRIVATE KEY BLOCK----- # ... # -----END PGP PRIVATE KEY BLOCK-----
The vaults sub command lets you manipulate vaults, e.g. to list the existing vaults, add a new vault or destroy an old vault.
Usage: polykey vaults [options] [command] manipulate vaults Options: -h, --help display help for command Commands: list|ls [options] list all available vaults new [options] create new vault(s) delete|del [options] delete an existing vault help [command] display help for command
Example usage:
# create a new vault pk vaults add 'NewVault' # list all existing vaults pk vaults ls # 'NewVault' # delete a vault pk vaults delete 'NewVault'
The secrets sub command lets you manipulate secrets in a specific vault such as adding new secrets, removing old secrets or modifying existing secrets. In addition, polykey can inject variables into a modified environment with the pk secrets env
command.
Usage: polykey secrets [options] [command] manipulate secrets for a given vault Options: -h, --help display help for command Commands: list|ls [options] list all available secrets for a given vault new [options] create a secret within a given vault, specify an secret path with '<vaultName>:<secretName>' update [options] update a secret within a given vault, specify an secret path with '<vaultName>:<secretName>' delete|del [options] delete a secret from a given vault, specify an secret path with '<vaultName>:<secretName>' get [options] retrieve a secret from a given vault, specify an secret path with '<vaultName>:<secretName>' env [options] run a modified environment with injected secrets, specify an secret path with '<vaultName>:<secretName>' help [command] display help for command
Example usage:
# add a new secret pk secrets add -f '~/SeretFile' NewVault:NewSecret # list names of all secrets within specific vaults pk secrets list NewVault AnotherVault # 1. NewVault:NewSecret # 2. AnotherVault:AnotherSecret # delete secrets pk secrets delete NewVault:NewSecret AnotherVault:AnotherSecret # retrieve a secret pk secrets get NewVault:NewSecret # <NewSecretContent> # enter a modified environment with injected secrets pk secrets env NewVault:NewSecret=SECRET_1 AnotherVault:AnotherSecret=SECRET_2 # enter a modified environment with injected secrets and execute a command pk secrets env NewVault:NewSecret=SECRET_1 --command="echo $SECRET_1"
The crypto sub command allows you to perform asymmetric cryptography operations (sign/encrypt/verify/decrypt) on files using the loaded public/prvate keypair.
Usage: polykey crypto [options] [command] crypto operations Options: -h, --help display help for command Commands: verify [options] verification operations sign [options] signing operations [files] encrypt [options] encryption operations decrypt [options] decryption operations help [command] display help for command
Example usage:
# sign a file and store as a detached signature pk crypto sign ./file # creates ./file.sig # verify a file pk crypto verify -f ./file.sig # encrypt a file pk crypto encrypt ./file # decrypt a file pk crypto decrypt ./file
TODO: explain verbosity levels when it is implemented
All .proto
files are stored in the the proto
directory. JavaScript and type definition files are build using the following command:
npm run build:proto
protoc \
--proto_path=src/proto/schemas \
--plugin=protoc-gen-grpc="$(which grpc_node_plugin)" \
--js_out=import_style=commonjs,binary:src/proto/js \
--ts_out="src/proto/js" \
--grpc_out=grpc_js:src/proto/js \
./src/proto/schemas/*.proto
or
protoc \
--proto_path=src/proto/schemas \
--plugin=protoc-gen-grpc="$(which grpc_node_plugin)" \
--js_out=import_style=commonjs,binary:src/proto/js \
--grpc_out=grpc_js:src/proto/js \
./src/proto/schemas/*.proto
Once we have grpc-tools packaged properly.
# builds the dependency graph
arkit ./src -o ./media/dependencies.png
typedoc --media ./media
Other build instructions above ^.
FAQs
Polykey Core Library
The npm package @matrixai/polykey receives a total of 3 weekly downloads. As such, @matrixai/polykey popularity was classified as not popular.
We found that @matrixai/polykey demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.