{"id":15149827,"url":"https://github.com/backbone-hq/minibone","last_synced_at":"2025-04-09T16:01:53.153Z","repository":{"id":231206783,"uuid":"779723160","full_name":"backbone-hq/minibone","owner":"backbone-hq","description":"🔐 Singleplayer end-to-end encryption library for the web","archived":false,"fork":false,"pushed_at":"2025-03-28T19:16:42.000Z","size":167,"stargazers_count":187,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-09T16:00:51.256Z","etag":null,"topics":["cryptography","e2ee","encryption","end-to-end-encryption","security","webcrypto"],"latest_commit_sha":null,"homepage":"https://backbone.dev","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/backbone-hq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-30T15:47:26.000Z","updated_at":"2025-03-28T19:16:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"3c86d64d-1125-4b6f-9f4d-4f9adede9bea","html_url":"https://github.com/backbone-hq/minibone","commit_stats":null,"previous_names":["backbone-hq/minibone"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/backbone-hq%2Fminibone","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/backbone-hq%2Fminibone/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/backbone-hq%2Fminibone/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/backbone-hq%2Fminibone/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/backbone-hq","download_url":"https://codeload.github.com/backbone-hq/minibone/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248065295,"owners_count":21041871,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","e2ee","encryption","end-to-end-encryption","security","webcrypto"],"created_at":"2024-09-26T14:01:10.864Z","updated_at":"2025-04-09T16:01:53.110Z","avatar_url":"https://github.com/backbone-hq.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ![Minibone](https://github.com/backbone-hq/minibone/blob/master/media/minibone.png?raw=true)\n\n![Build Status](https://img.shields.io/github/actions/workflow/status/backbone-hq/minibone/main.yml?branch=master)\n![GitHub License](https://img.shields.io/github/license/backbone-hq/minibone)\n![NPM Version](https://img.shields.io/npm/v/minibone?logo=npm)\n![Made by Backbone](https://img.shields.io/badge/made_by-backbone-blue)\n\nMinibone is a compact, versatile, and misuse-resistant library designed to make incorporating end-to-end encryption in your applications **remarkably simple**. It allows you to store and manage your users' sensitive data while ensuring that only the users themselves can access and decrypt the information — helping you minimize the blast radius of breaches, meet compliance requirements, enhance privacy, and build trust.\n\nBuilding _secure-by-design_ applications is _hard_. Minibone makes it _practical_.\n\n### 🏗️ Background\n\nMinibone is built atop the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API). It's restricted to a _conservative_ suite of symmetric algorithms for quantum resistance and robustness.\n\nSpecifically, Minibone uses `AES-GCM-256` for encryption, `HKDF-SHA-256` for key derivation, and `PBKDF2-SHA-256` with 500,000 iterations for password-based key derivation. Minibone also opts to keep its dependencies to the bare minimum to reduce the risk of supply-chain attacks.\n\n### ☢️ Threat Model\n\nMinibone is designed to run on a `client` device (e.g., your desktop, mobile, or web-based app), storing data with a `provider` (e.g., a SaaS platform) through a `communication channel` (e.g., HTTPS). In this scenario, Minibone is designed to assure confidentiality and integrity, but not availability [1] or freshness [2], when the `provider` and/or the `communication channel` are compromised.\n\nWe assume that the client application and device are not compromised and not otherwise vulnerable to side-channel attacks.\n\n1. A malicious `provider` could selectively delete data they store.\n   A compromised `communication channel` could selectively drop messages based on metadata.\n2. A malicious `provider` could selectively revert data to earlier versions.\n   A compromised `communication channel` could replay messages associated with earlier versions.\n\n### 💾 Installation\n\nMinibone is hosted on [NPM](https://www.npmjs.com/package/minibone). \nYou can add it to your project by running the `npm` command below or an equivalent command in your package manager.\n\n```bash\nnpm i minibone\n```\n\n### 📇 Usage\n\n```typescript\nimport Minibone from 'minibone'\n\n// Define a unique service identifier\nconst serviceIdentifier: any = 'my-unique-service-identifier'\n\n// Virtual API, communication channel and storage provider\nclass Backend {\n    private userBundles: Map\u003cstring, Uint8Array\u003e = new Map()\n    private dataBundles: Map\u003cstring, Uint8Array\u003e = new Map()\n\n    registerUser = async (uid: string, bundle: Uint8Array): Promise\u003cvoid\u003e =\u003e {this.userBundles.set(uid, bundle)}\n    fetchUser = async (uid: string): Promise\u003cUint8Array\u003e =\u003e this.userBundles.get(uid) ?? new Uint8Array()\n    putData = async (uid: string, data: Uint8Array): Promise\u003cvoid\u003e =\u003e {this.dataBundles.set(uid, data)}\n    fetchData = async (uid: string): Promise\u003cUint8Array\u003e =\u003e this.dataBundles.get(uid) ?? new Uint8Array()\n}\nconst virtualBackend = new Backend();\n\n// Register a user; initialize their minibone instance\nconst minibone: Minibone = await Minibone.create()\n\n// Encrypt and send the user's minibone to the provider\nconst userName: any = 'some-unique-user-name'\nconst payload: Uint8Array = await minibone.save('secure-user-secret', [serviceIdentifier, userName])\nawait virtualBackend.registerUser(userName, payload)\n\n// Encrypt user data\nconst data: any = {\n    sq6wmgv2zcsrix6t: 'BETWEEN SUBTLE SHADING AND THE ABSENCE OF LIGHT LIES THE NUANCE OF IQLUSION.',\n}\nconst encrypted: Uint8Array = await minibone.encrypt(data)\nawait virtualBackend.putData(minibone.uid, encrypted)\n\n// Fetch and load the user's minibone. You probably want to guard payload retrieval behind multi-factor authentication in production.\nconst payload: Uint8Array = await virtualBackend.fetchUser(userName)\nconst loadedMinibone: Minibone = await Minibone.load(payload, 'secure-user-secret', [serviceIdentifier, userName])\n\n// Decrypt data using the reconstructed minibone\nconst fetched: Uint8Array = await virtualBackend.fetchData(minibone.uid)\nconst decryptedData: any = await loadedMinibone.decrypt(fetched)\n```\n\n### 📢 Caveats\n\nMinibone is designed to be simple to use and difficult to abuse. That said, there are a few important aspects to keep in mind when interfacing with Minibone.\n\n1. It's important for the context vector (the second parameter of `minibone.save` and third parameter of `Minibone.load`) to be _globally_ unique to reduce the risk of key reuse and maximize the marginal cost of [rainbow table](https://en.wikipedia.org/wiki/Rainbow_table) attacks.\n2. When prompting end users for a passphrase or master secret, this secret **must** remain client-side. We recommend using a battle-tested password strength estimator (e.g., [zxcvbn](https://github.com/dropbox/zxcvbn)). **User secrets should be deleted immediately after use** to make it just that bit harder for attackers.\n\n### 🧩 Limitations\nMinibone relies _solely_ on symmetric cryptography. While this makes it robust against a number of contemporary and future attacks, it also makes data sharing, assured identity, access control, and real-time collaborative workflows infeasible to implement.\n\nMinibone's enterprise counterpart, [Backbone](https://backbone.dev), was designed from first principles to support complex multi-user, multi-enterprise workflows under total end-to-end encryption with a stricter threat model.\n\nIf these are a priority, reach out to us by emailing us at [root@backbone.dev](mailto:root@backbone.dev).\n\n---\n\nBuilt with 🦴 by [Backbone](https://backbone.dev)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbackbone-hq%2Fminibone","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbackbone-hq%2Fminibone","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbackbone-hq%2Fminibone/lists"}