node-crypto-wrapper
Advanced tools
Straightforward syntax wrapped around the Node.js functions to encrypt and decrypt files and strings
For one-line encryption of strings or buffers, using Node's built-in crypto functions.
const cwrap = require('node-crypto-wrapper');
let encryptedBuffer = cwrap.encryptBinary(Buffer, password);
let decryptedBuffer = cwrap.decryptBinary(encryptedBuffer, password);
let encryptedHexString = cwrap.encryptString("string", password);
let decryptedString = cwrap.decryptString("hex string", password);
If no password is provided, it uses a user-specific key.
node-crypto-wrapper <options> <input> <output>
Options:
<e: encrypt> | <d: decrypt>
<f: from file> | <s: from string>
<f: to file> | <s: to string>
<p: password> | <u: user>
Examples:
# Encrypts a file with a user key, decrypts it again
$ node-crypto-wrapper effu plain.txt encrypted.txt
$ node-crypto-wrapper dffu encrypted.txt plain_again.txt
# Encrypts a string with a given key, decrypts it again
$ node-crypto-wrapper essp
$ node-crypto-wrapper dssp
Encrypted files are encoded as hex, and then written as text files - so any combination of options should work interchangeably. You can encrypt a string directly to a file, without having to create a plaintext version of the file (or vice versa) if desired.
The original use case is: "configuration files with passwords* in them"
* I'm using "passwords" as shorthand for "anything sensitive you might put in a config file"
The most popular answers I've seen are:
I wrote and used this utility so that the config file could be encrypted for the application user, while assigning the developer-admins group the permissions necessary to go into the website's directory and do what they needed, there.
$ node-crypto-wrapper esfu config.encrypted
# enter JSON at the prompt
-----
const cwrap = require('node-crypto-wrapper');
const encryptedJson = fs.readFileSync('config.encrypted').toString();
const configJson = cwrap.decryptString(encryptedJson);
const config = JSON.parse(configJson);
The original motivation was in dealing with a legacy system, where moving all of this to another CI platform wasn't a viable option.
However, generally with CI/build systems, administrators can read those passwords! There are some conceivable situations in which you may not want a build admin to have all of the passwords that a production server needs... Though, in general, I'd probably stick to just using your CI's built-in secrets manager.
You could, but it's a lot easier to screw up permissions when you have one or two files in a directory that aren't readable by people who can read the rest of the directory. It could also cause cross-platform headaches, or trouble with other commands, like moving or copying files.
Of course. Nobody you don't trust should be able to log directly into a production server and do things without going through source control and code review.
But, there's still a level of risk mitigation between having an account that can be locked out in one place, and handing over a list of passwords, each of which would have to be changed when a person left the company.
A malicious user who's got access to the website directory could still write an API endpoint that dumped all of the configuration variables into a JSON response and then go hit that page... I've met plenty of people that would never ever do that, but just might see a password in front of their face, copy/paste it over to their laptop so they could just run a test against real data, and forget they left it there. Haven't you?
One of my party guests could take a mould of my house keys when I wasn't looking, but that's a different level of (mis)trust than handing out copies of my keys as party favors.
Yes. But Microsoft solutions aren't hip or trendy.
Jokes aside, even if you were a 100% Microsoft shop, chances are you'll need an API from a third party at some point.
Same concept as this one, but I think a bit less user friendly. http://lmgtfy.com/?q=encrypted+config+file+.net
FAQs
Straightforward syntax wrapped around the Node.js functions to encrypt and decrypt files and strings
The npm package node-crypto-wrapper receives a total of 0 weekly downloads. As such, node-crypto-wrapper popularity was classified as not popular.
We found that node-crypto-wrapper demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
An advanced npm supply chain attack is leveraging Ethereum smart contracts for decentralized, persistent malware control, evading traditional defenses.
Security News
Research
Attackers are impersonating Sindre Sorhus on npm with a fake 'chalk-node' package containing a malicious backdoor to compromise developers' projects.
Security News
The npm package for the LottieFiles Player web component was hit with a supply chain attack after a software engineer's npmjs credentials were compromised.