Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
crypto-pouch
Advanced tools
Plugin to encrypt a PouchDB database.
const PouchDB = require('pouchdb')
PouchDB.plugin(require('crypto-pouch'))
const db = new PouchDB('my_db')
// init; after this, docs will be transparently en/decrypted
db.crypto(password).then(() => {
// db will now transparently encrypt writes and decrypt reads
await db.put({ ... })
// you can disable transparent en/decryption,
// though encrypted docs remain encrypted
db.removeCrypto()
})
Crypto-Pouch encrypts documents using TweetNaCl.js, an audited encryption library. It uses the xsalsa20-poly1305 algorithm.
Note: Attachments cannot be encrypted at this point. Use {ignore: '_attachments'}
to leave attachments unencrypted. Also note that db.putAttachment
/ db.getAttachment
are not supported. Use db.put
and db.get({binary: true, attachment: true})
instead. (#18).
This only encrypts the contents of documents, not the _id or _rev, nor view keys and values. This means that _id
values always remain unencrypted, and any keys or values emitted by views are stored unencrypted as well. If you need total encryption at rest, consider using the PouchDB plugin ComDB instead.
This plugin is hosted on npm. To install it in your project:
$ npm install crypto-pouch
Set up encryption on the database.
password
: A string password, used to encrypt documents. Make sure it's good!options.ignore
: Array of strings of properties that will not be encrypted.You may also pass an options object as the first parameter, like so:
db.crypto({ password, ignore: [...] }).then(() => {
// database will now encrypt writes and decrypt reads
})
Disables encryption on the database and forgets your password.
If you replicate to another database, Crypto-Pouch will decrypt documents before sending them to the target database. Documents received through replication will be encrypted before being saved to disk.
If you change the ID of a document, Crypto-Pouch will throw an error when you try to decrypt it. If you manually move a document from one database to another, it will not decrypt correctly.
Encrypted documents have only one custom property, payload
, which contains the
encrypted contents of the unencrypted document. So, { hello: 'world' }
becomes
{ payload: '...' }
. This payload
value is produced by garbados-crypt; see that library for more details.
First, get the source:
$ git clone git@github.com:calvinmetcalf/crypto-pouch.git
$ cd crypto-pouch
$ npm i
Use the test suite:
$ npm test
When contributing patches, be a good neighbor and include tests!
See LICENSE.
FAQs
encrypted pouchdb/couchdb database
The npm package crypto-pouch receives a total of 313 weekly downloads. As such, crypto-pouch popularity was classified as not popular.
We found that crypto-pouch demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.