Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
js-polykey is the library used in the distributed secret sharing PolyKey
app. You can find the actual application here. A polykey node is comprised of one or many Vaults to store Secrets. These vaults are encrypted with keys derived from the master private key. Secrets always remain encrypted on disk and are only decrypted in memory. All you need to connect with and share secrets with another keynode on the same local area network is it's public key, poykey takes care of discovery. Once connected, you can securely share vaults with each other and polykey will ensure those vaults are synced.
PolyKey requires a public/private keypair for all crypto operations, this can be provided to a pre-initialized KeyManager instance before polykey is initialized or it can be generated (this is the default).
The major dependencies of js-polykey are:
This class is responsible for managing the public and private keys as well as any crypto operations using those keys. The symmetric vault keys are also managed by this instance.
The KeyManager is able to be loaded separately to the PolyKey main class and then passed into PolyKey. This is useful for loading the keypair prior to initializing PolyKey.
// Initialize key manager first const keyManager = new KeyManager() await keyManager.loadKeyPair('./keys/private.key', './keys/public.key') // Initialize polykey instance const pk = new PolyKey(keyManager)
The key manager class can generate new symmetric keys using key derivation and the loaded private key
const newKey = await keyManager.generateKey('secret passphrase')
PolyKey uses jest to test:
jest
The tests also rely on certificates being available in the tmp folder and environment variables set to a valid certificate authority run on the network somewhere. Please see .env.example
for an example of these environment variables. Certificates can be generated with ./scripts/generate_ssl_certs.sh
as long as a step-ca is running on the specified url in .env
.
Note: sometimes grpc-js can complain about the ssl certificates in tmp/
with a non-descriptive error of "No connection established". Best way to solve this is to remove the certs, start the CA server and re-issue the certs with ./scripts/generate_ssl_certs.sh
.
Here is a demo of the CLI on asciinema.
The PolyKey CLI exposes various git-style sub commands that can be used to manipulate the PolyKey node:
Commands: config [options] configure polykey keymanager manipulate the keymanager node network operations on the current polykey node secrets manipulate secrets for a given vault vaults manipulate vaults crypto crypto operations help [command] display help for command
Usage looks like the following:
polykey node ... polykey vaults ... # Sub commands are heirarchical like so: polykey vaults add ... polykey secrets remove ...
PolyKey also exposes a helpful alias, pk
, to make typing out commands a little quicker:
pk secrets ... pk crypto ...
If you ever get stuck, every sub command has a help flag:
# Either one of -h or --help will do pk -h pk vaults --help pk secrets add -h
With this command you can manipulate the configuration of PolyKey including changing the password, importing new private and public keys and changing the path to polykey.
Options: -pub, --public-key provide the path to an existing public key -priv, --private-key provide the path to an existing private key -pass, --private-passphrase provide the passphrase to the private key -path, --polykey-path provide the polykey path. defaults to ~/.polykey -v, --verbose increase verbosity by one level
Example usage:
# Change the location of PolyKey, perhaps to another node on the same computer pk config --polykey-path='~/PolyKeyNode2' # Import a new public key pk config -pub ./keys/publicKey.txt
You can also easily clear the config to start fresh:
pk config clear
If one of the required configuration parameters is missing from the config store, PolyKey will prompt you for it on the next command.
This command is used to interact with PolyKey's KeyManager. With this command you can generate new keys, import keys and more. TODO: add commands to interact with the keymanager
Commands: derive [options] manipulate the keymanager
The node sub command lets you control the daemon responsible for network operations.
Commands: start start the polykey node stop stop the polykey node
TODO: add commands to interact with the node
The vaults sub command lets you manipulate vaults, e.g. to list the existing vaults, add a new vault or destroy an old vault.
Commands: list|ls [options] list all available vaults add create new vault(s) remove [options] destroy an existing vault
Command examples:
# List names of all existing vaults pk vaults ls # Create a new vault called 'SecureVault' pk vaults add 'SecureVault' # Remove 'SecureVault' pk vaults remove --vault-name='SecureVault' # Remove all vaults at once pk vaults remove -a
The secrets sub command lets you manipulate secrets in a specific vault including to add new secrets, remove old secrets and modify existing secrets.
Commands: list|ls [options] list all available secrets for a given vault add [options] add a secret to a given vault remove [options] remove a secret from a given vault
Command examples:
# List names of all secrets within 'SecureVault' pk secrets list --vault-name='SecureVault' # Add a new secret named 'Secret' to 'SecureVault pk secrets add --vault-name='SecureVault' --secret-name='Secret' # Remove 'Secret' from 'SecureVault' pk secrets remove --vault-name='SecureVault' --secret-name='Secret'
The crypto sub command allows you to perform asymmetric cryptography operations (sign/encrypt/verify/decrypt) on files using the loaded public/prvate keypair. PolyKey signs and verifies files using a detached signature TODO: add encryption and decryption
Commands:
sign [options] verification operations
verify [options] signing operations
Command examples:
pk crypto sign ./file --signing-key='./my_priv_key' --key-passphrase='password'
# If no signing key is provided, polykey will use the loaded private key
pk crypto sign ./file
pk crypto verify ./signed_file --verifying-key='./my_pub_key' --detach-sig='./signed_file.sig'
# If no verifying key is provided, polykey will use the loaded public key
pk crypto verify ./signed_file --detach-sig='./signed_file.sig'
TODO: explain verbosity levels when it is implemented
All .proto
files are stored in the the proto
directory. JavaScript and type definition files are build using the following command:
npm run build:proto
FAQs
Polykey Core Library
The npm package polykey receives a total of 486 weekly downloads. As such, polykey popularity was classified as not popular.
We found that polykey demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.