{"id":31287468,"url":"https://github.com/azrod/cryptio","last_synced_at":"2025-09-24T11:04:03.176Z","repository":{"id":315872470,"uuid":"1060921426","full_name":"azrod/cryptio","owner":"azrod","description":"cryptio is a modern Go library for secure password-based encryption and decryption, featuring Argon2id key derivation and AES-GCM. Choose your desired security level—Standard, Medium, or High—for optimal protection and performance balance.","archived":false,"fork":false,"pushed_at":"2025-09-21T09:46:37.000Z","size":1393,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-21T10:26:52.722Z","etag":null,"topics":["argon2","argon2id","cryptography","decryption","encryption","golang","key-derivation","password-hashing","symetric-encryption"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/azrod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-20T21:39:06.000Z","updated_at":"2025-09-21T09:48:13.000Z","dependencies_parsed_at":"2025-09-21T17:21:13.023Z","dependency_job_id":null,"html_url":"https://github.com/azrod/cryptio","commit_stats":null,"previous_names":["azrod/cryptio"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/azrod/cryptio","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azrod%2Fcryptio","tags_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/azrod%2Fcryptio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azrod%2Fcryptio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azrod%2Fcryptio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/azrod","download_url":"https://codeload.github.com/azrod/cryptio/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azrod%2Fcryptio/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276737524,"owners_count":25695700,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-24T02:00:09.776Z","response_time":97,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["argon2","argon2id","cryptography","decryption","encryption","golang","key-derivation","password-hashing","symetric-encryption"],"created_at":"2025-09-24T11:01:40.932Z","updated_at":"2025-09-24T11:04:03.166Z","avatar_url":"https://github.com/azrod.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg align=\"left\" width=\"250\"  src=\"logo-cryptio.png\" alt=\"Cryptio Logo\" /\u003e\n\n[![Go Reference](https://img.shields.io/badge/Go-Reference-%2300ADD8.svg?\u0026logo=go\u0026logoColor=white\u0026style=for-the-badge)](https://pkg.go.dev/github.com/azrod/cryptio)\n[![Go Report 
Card](https://goreportcard.com/badge/github.com/azrod/cryptio?style=for-the-badge)](https://goreportcard.com/report/github.com/azrod/cryptio)\n[![License: MIT](https://img.shields.io/github/license/azrod/cryptio?style=for-the-badge)](LICENSE)\n![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/azrod/cryptio?style=for-the-badge)\n\n**cryptio** is a Go library for symmetric encryption with Argon2id key derivation, offering multiple security levels and resource usage profiles suitable for a wide range of use cases.\n\n**Minimal \u0026 trusted dependencies:**  \ncryptio relies only on official Go cryptography libraries ([golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto)) for robust, up-to-date security. No third-party or non-standard dependencies.\n\n\u003cbr/\u003e\n\u003cbr/\u003e\n\n## 🔑 Security Levels \u0026 Profiles\n\n### Security Levels\n\nA **SecurityLevel** defines the cryptographic strength of key derivation—how slow and memory-intensive the key derivation should be to resist brute-force or hardware attacks.  
\nHigher levels mean more security, but also more CPU/RAM usage and slower operations.\n\n- **UltraFast**: For testing/devices only, almost no protection against brute-force.\n- **Standard**: Strong and fast, recommended for most apps (follows OWASP guidance).\n- **Medium**: Enterprise-grade, NIST-compliant for regulated environments.\n- **High**: For highly sensitive data, critical production, health/finance.\n- **Extreme**: Vaults and ultra-secure secrets, very slow and memory-hungry.\n\n### Argon2 Profiles\n\nThe **Argon2Profile** controls the trade-off between CPU and RAM usage in Argon2id key derivation.\n\n- **RAMHeavy**: Uses a lot of RAM for best GPU/ASIC resistance, fast if enough memory.\n- **Balanced**: Good compromise between RAM and CPU.\n- **Tradeoff**: Lower RAM, higher CPU.\n- **CPUFavor**: Minimal RAM, high CPU.\n- **CPUHeavy**: Minimum RAM, maximum CPU (useful for RAM-constrained environments).\n\n**How it works:**  \nWhen you create a cryptio client, you specify both a SecurityLevel and an Argon2Profile.  
\nThe library combines both to set Argon2id parameters (iterations, memory size, parallelism, salt/key/nonce sizes) to maximize security in line with your needs and hardware limits.\n\n---\n\n## 🛡️ Security Levels Table\n\n| Level        | Encrypt/Decrypt Time | Memory Usage | Recommended Usage                    | Reference |\n|--------------|---------------------|--------------|--------------------------------------|-----------|\n| UltraFast    | ~30–48 ms           | ~7–46 MB     | Test/devices only, **never production** | [OWASP-min](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) |\n| Standard     | ~81–209 ms          | ~64 MB       | Standard apps, default               | [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id) |\n| Medium       | ~140–233 ms         | ~128 MB      | Enterprise, compliance, multi-user   | [NIST](https://pages.nist.gov/800-63-3/sp800-63b.html) |\n| High         | ~388–485 ms         | ~256 MB      | Sensitive/critical data, dedicated servers | [Argon2](https://password-hashing.net/argon2-specs.pdf) |\n| Extreme      | \u003e1.2 s              | ~1 GB        | Ultra-secure, vaults, critical secrets | [Argon2](https://password-hashing.net/argon2-specs.pdf) |\n\n\u003e **Benchmarks were run on Apple M1 Pro ARM64**  \n\u003e Performance may vary depending on your hardware.\n\n\u003cdetails\u003e\n\u003csummary\u003eFull benchmarks results\u003c/summary\u003e\n\n```plain\ngoos: darwin\ngoarch: arm64\npkg: github.com/azrod/cryptio\ncpu: Apple M1 Pro\nBenchmarkEncryptDecrypt_AllCombinations/UltraFast+RAMHeavy-10                 37          30166314 ns/op        48240476 B/op         31 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/UltraFast+Balanced-10                 49          23723713 ns/op        19929020 B/op         39 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/UltraFast+Tradeoff-10                 39          29310855 ns/op        
16783549 B/op         47 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/UltraFast+CPUFavor-10                 28          42729129 ns/op        16783817 B/op         55 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/UltraFast+CPUHeavy-10                 24          47863599 ns/op        16784072 B/op         63 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Standard+RAMHeavy-10                  13          82086885 ns/op        67114944 B/op         39 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Standard+Balanced-10                  13          81937055 ns/op        67114937 B/op         39 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Standard+Tradeoff-10                   8         129755547 ns/op        67115194 B/op         47 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Standard+CPUFavor-10                   6         176435486 ns/op        67115453 B/op         55 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Standard+CPUHeavy-10                   5         208910383 ns/op        67115707 B/op         63 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Medium+RAMHeavy-10                     7         144040554 ns/op        134226194 B/op        64 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Medium+Balanced-10                     7         142956435 ns/op        134227268 B/op        66 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Medium+Tradeoff-10                     8         140065354 ns/op        134225982 B/op        64 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Medium+CPUFavor-10                     6         190983125 ns/op        134226706 B/op        76 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Medium+CPUHeavy-10                     5         233302508 ns/op        134226956 B/op        88 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/High+RAMHeavy-10                       3         391281319 ns/op        268445229 B/op        79 
allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/High+Balanced-10                       3         390867125 ns/op        268445602 B/op        77 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/High+Tradeoff-10                       3         388630111 ns/op        268443885 B/op        76 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/High+CPUFavor-10                       3         388122486 ns/op        268443917 B/op        76 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/High+CPUHeavy-10                       3         484810695 ns/op        268444269 B/op        87 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Extreme+RAMHeavy-10                    1        1316354208 ns/op        1073755256 B/op      156 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Extreme+Balanced-10                    1        1267185542 ns/op        1073755160 B/op      155 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Extreme+Tradeoff-10                    1        1349435166 ns/op        1073755256 B/op      156 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Extreme+CPUFavor-10                    1        1265666000 ns/op        1073755608 B/op      156 allocs/op\nBenchmarkEncryptDecrypt_AllCombinations/Extreme+CPUHeavy-10                    1        1263802834 ns/op        1073755256 B/op      156 allocs/op\n```\n\n\u003c/details\u003e\n\n### ℹ️ Why doesn't RAM usage change by profile from Standard upwards?\n\nStarting from the **Standard** security level and above, the memory (RAM) usage remains constant for all Argon2 profiles (RAMHeavy, Balanced, Tradeoff, CPUFavor, CPUHeavy).  \nThis is because each security level enforces a **minimum memory requirement** recommended by security standards (such as OWASP and NIST).  
\nEven if you select a profile that would normally use less RAM (e.g., CPUHeavy), the library will **never allocate less memory than the minimum set by the security level**.\n\n- The **profile** can only increase memory usage above this minimum, not decrease it.\n- Below the Standard level (e.g., UltraFast), profiles have more impact and memory can vary.\n- This behavior ensures that security cannot be weakened by choosing a lower-resource profile at a high security level.\n\n**In summary:**  \n\u003e From Standard and up, memory usage is fixed by security policy. Profiles only affect CPU usage (speed), not RAM, at these levels. This guarantees you never accidentally use weaker protection than the chosen level intends.\n\n---\n\n## ✅ How to choose the right security level?\n\n- **UltraFast**  \n  - Usage: Testing, prototyping, very limited IoT/mobile devices  \n  - _Not for production!_ (low brute-force resistance)\n- **Standard**  \n  - Usage: Web applications, APIs, microservices, general use  \n  - _Recommended default_ (strong security/performance balance)\n- **Medium**  \n  - Usage: Enterprise, regulated environments (GDPR, NIST), multi-user  \n  - _Reinforced security with moderate performance impact_\n- **High**  \n  - Usage: Highly sensitive data, health, finance, dedicated servers  \n  - _High security, requires significant resources_\n- **Extreme**  \n  - Usage: Vaults, enterprise secrets, critical infrastructure  \n  - _Maximum security, very slow, very high memory usage_\n\n**Tip:** Choose the lowest level compatible with your security policy and server workload.  
\nFor 99% of use cases, `Standard` or `Medium` is sufficient.\n\n---\n\n## 🔧 Usage\n\n```go\npackage main\n\nimport (\n    \"fmt\"\n\n    \"github.com/azrod/cryptio\"\n)\n\nfunc main() {\n    // Choose the security level and profile that fit your needs.\n    // The passphrase literal is a placeholder; load the real one from a secret store, not source code.\n    client, err := cryptio.New(\"YourSuperSecurePassphrase\", cryptio.SecurityStandard, cryptio.ProfileBalanced)\n    if err != nil {\n        panic(err)\n    }\n\n    // Encrypt a string\n    encrypted, err := client.Encrypt(\"Secret message\")\n    if err != nil {\n        panic(err)\n    }\n\n    // Decrypt a string\n    decrypted, err := client.Decrypt(encrypted)\n    if err != nil {\n        panic(err)\n    }\n    fmt.Println(decrypted)\n\n    // Encrypt binary data\n    encryptedRaw, err := client.EncryptRaw([]byte{0x01, 0x02, 0x03})\n    if err != nil {\n        panic(err)\n    }\n\n    // Decrypt binary data\n    decryptedRaw, err := client.DecryptRaw(encryptedRaw)\n    if err != nil {\n        panic(err)\n    }\n    fmt.Println(decryptedRaw)\n}\n```\n\n---\n\n## 🔬 Security levels and profiles in code\n\n```go\ntype SecurityLevel int\n\nconst (\n    SecurityUltraFast SecurityLevel = iota // Test, low-end devices, never production\n    SecurityStandard                       // OWASP recommended (default)\n    SecurityMedium                         // NIST, enterprise\n    SecurityHigh                           // Critical, health, finance\n    SecurityExtreme                        // Vault, ultra-high security\n)\n\ntype Argon2Profile int\n\nconst (\n    ProfileRAMHeavy Argon2Profile = iota   // Max RAM, fast\n    ProfileBalanced                        // Balanced\n    ProfileTradeoff                        // Lower RAM, more CPU\n    ProfileCPUFavor                        // Favor CPU over RAM\n    ProfileCPUHeavy                        // Min RAM, max CPU\n)\n```\n\n---\n\n## 🔗 References\n\n- [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id)\n- [NIST SP 800-63B Digital Identity 
Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html)\n- [Argon2 Password Hashing Competition Spec](https://password-hashing.net/argon2-specs.pdf)\n\n---\n\n## 🔑 Passphrase Recommendations\n\nFor maximum security, always use a **strong passphrase** as the root secret. The strength of your encryption is directly tied to the quality of your passphrase!\n\n**Recommended passphrase formats:**\n\n- **Length**: At least 16–20 characters (longer is better!)\n- **Content**: Use a mix of uppercase, lowercase, numbers, and symbols.\n- **Avoid dictionary words**: Do not use a single word or simple phrase.\n- **Prefer passphrases**: Combine several unrelated words or use a password manager to generate a strong random string.\n\n**Examples of strong passphrases:**\n\n- `7dnMFD$#s!grac?4pmCoG8b\u0026Simc8@Ytdh4B\u0026mHb` 🚀\n- `5RfMtsRXP4TCcEmYCfM3abj#A`\n- `bFP4o?BT8B$ki5yCoT#q`\n\n**Weak passphrase examples to avoid:**\n\n- `password123`\n- `letmein`\n- `cryptio`\n\n\u003e **Tip:** Using a password manager is highly recommended to generate and store secure passphrases.\n\n---\n\n## 📝 Notes\n\n- Security depends on the strength of your passphrase!\n- Higher levels are very memory-intensive and can significantly slow down your application under load.\n- For most modern backends, `SecurityStandard` is enough, unless you have specific legal or industry requirements.\n\n---\n\n## ⚠️ Security Notice  \n\nAlways have your cryptographic choices, parameters, and implementation reviewed and approved by your organization’s security team before deploying to production.  \nSecurity requirements may vary depending on your context and regulations.\n\n**Disclaimer:**  \n\u003e This software is provided “as is”, without warranty of any kind, express or implied.  \n\u003e The authors and contributors are not responsible for any damages or losses resulting from the use or misuse of this library.  
\n\u003e You are solely responsible for evaluating its suitability and security for your use case.\n\n**Security Reporting:**  \n\u003e If you discover a security issue or vulnerability, please refer to [SECURITY.md](./SECURITY.md) for instructions on how to report it responsibly.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fazrod%2Fcryptio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fazrod%2Fcryptio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fazrod%2Fcryptio/lists"}