{"id":19621361,"url":"https://github.com/commenthol/vault-nacl","last_synced_at":"2025-08-31T04:07:06.879Z","repository":{"id":57390947,"uuid":"193782283","full_name":"commenthol/vault-nacl","owner":"commenthol","description":"A symmetric encrypted vault using tweetnacl elliptic curves","archived":false,"fork":false,"pushed_at":"2022-05-17T04:03:29.000Z","size":46,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-30T08:32:43.003Z","etag":null,"topics":["elliptic-curves","nacl","vault"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/commenthol.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-06-25T20:56:28.000Z","updated_at":"2022-05-08T06:51:11.000Z","dependencies_parsed_at":"2022-09-19T04:31:36.262Z","dependency_job_id":null,"html_url":"https://github.com/commenthol/vault-nacl","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/commenthol/vault-nacl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fvault-nacl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fvault-nacl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fvault-nacl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fvault-nacl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/commenthol","download_url":"https://codeload.github.com/commenthol/vault-nacl/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fvault-nacl/sbom","scorecard":{"id":300858,"data":{"date":"2025-08-11","repo":{"name":"github.com/commenthol/vault-nacl","commit":"5129adf87db312f13bcab1c9c904c030b73c056b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-17T20:35:22.725Z","repository_id":57390947,"created_at":"2025-08-17T20:35:22.725Z","updated_at":"2025-08-17T20:35:22.725Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272936429,"owners_count":25018161,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-31T02:00:09.071Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["elliptic-curves","nacl","vault"],"created_at":"2024-11-11T11:22:40.287Z","updated_at":"2025-08-31T04:07:06.855Z","avatar_url":"https://github.com/commenthol.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault-nacl\n\n\u003e A symmetric encrypted vault using [tweetnacl][] elliptic curves\n\n[![NPM version](https://badge.fury.io/js/vault-nacl.svg)](https://www.npmjs.com/package/vault-nacl/)\n\n\u003c!-- [![Build Status](https://secure.travis-ci.org/commenthol/vault-nacl.svg?branch=master)](https://travis-ci.org/commenthol/vault-nacl) --\u003e\n\nAllows to symmetrically encrypt dedicated values in a configuration file,\nor the complete file itself, using one password.\n\nImplements [xsalsa20-poly1305 secretbox][] and [pbkdf2][] with different digests\nfor safe encryption.\n\nDefault is sha256 (310000 iterations) which can be changed to 'sha384', 'sha512'\n(120000 iterations).\n\nUses `VAULT_NACL(...)` markers with Base64 encrypted secret inside the vault to\nidentify encrypted values for decryption.\n\nNew values attributed with `VAULT_NACL(...)VAULT_NACL` are used for later\nencryption.\n\nChoose the CLI or API to fit your usecase.\n\n[xsalsa20-poly1305 secretbox]: https://www.npmjs.com/package/tweetnacl#secret-key-authenticated-encryption-secretbox\n[pbkdf2]: https://tools.ietf.org/html/rfc8018\n\n## toc\n\n\u003c!-- !toc (minlevel=2 omit=\"toc\") --\u003e\n\n* [installation](#installation)\n* [usage cli](#usage-cli)\n* [api](#api)\n  * [enc-decrypt](#enc-decrypt)\n  * [vault](#vault)\n* [internals](#internals)\n* [license](#license)\n\n\u003c!-- toc! --\u003e\n\n## installation\n\n```\nnpm install --save vault-nacl\n```\n\n## usage cli\n\n_Encrypt single value_\n\n```bash\n$ vault-nacl encrypt\n✔ Vault password · ***************\n✔ Confirm Vault password · ***************\n✔ Secret · *********\nVAULT_NACL(AQAQJwAA6mwY4MkxGLKi4T0IZaOeh5Ul7iUv7SRzYK50xQR8iYNOXZQ9+lmSSb8PYkkk5zITgbCC/HbAJJ2B)\n```\n\n_Decrypt single value_\n\n```bash\n$ vault-nacl decrypt\n✔ Vault password · ***************\n✔ Vault · VAULT_NACL(AQAQJwAA6mwY4MkxGLKi4T0IZaOeh5Ul7iUv7SRzYK50xQR8iYNOXZQ9+lmSSb8PYkkk5zITgbCC/HbAJJ2B)\nmy secret\n```\n\n_Encrypt a configuration file_\n\n```bash\necho {\"secret\":\"VAULT_NACL(my secret hidden value)VAULT_NACL\"} \u003e config.json\n\n$ vault-nacl encrypt config.json\n✔ Vault password · ***************\n✔ Confirm Vault password · ***************\n\n$ cat config.json\n{\"secret\":\"VAULT_NACL(AQAQJwAA+XJjGfdtC8jCt7xsWoPBCz2p/qs5MXpzmsqV5jFGCm6xfZgKcADzu3glf1z/5KxKaFFJbtCvX5rAqh/jq3UhRsMHHirldw==)\"}\n```\n\n_Decrypt a configuration file_\n\n```bash\n$ vault-nacl decrypt config.json\n✔ Vault password · ***************\n✔ Confirm Vault password · ***************\n{\"secret\":\"my secret hidden value\"}\n```\n\nSee `vault-nacl --help` for complete list of options.\n\nOr take a look at the [man-page][].\n\n[man-page]: https://github.com/commenthol/vault-nacl/blob/master/man/vault-nacl.md\n\n## api\n\n### enc-decrypt\n\n_asynchronous_\n\n`EncDec` handles `VAULT_NACL(...)` encoded strings in strings or objects.\n\n```js\nconst { EncDec } = require('vault-nacl')\nconst password = '$€creT'\nconst secret = { mySecret: `VAULT_NACL(a $€Cr3T secret)VAULT_NACL` }\n\nconst encdec = new EncDec(password)\nconst result = await encdec.encrypt(secret)\n//\u003e  { mySecret: 'VAULT_NACL(AQAQJwAA+CWBR7...+qAo=)' }\n\nawait encdec.decrypt(result)\n//\u003e { mySecret: 'a $€Cr3T secret' }\n```\n\n_synchronous_\n\n`EncDecSync` handles `VAULT_NACL(...)` encoded strings in strings or objects\nsynchronously.\n\n\u003e NOTE: This function is blocking.\n\n```js\nconst { EncDecSync } = require('vault-nacl')\nconst password = '$€creT'\nconst secret = { mySecret: `VAULT_NACL(a $€Cr3T secret)VAULT_NACL` }\n\nconst encdec = new EncDecSync(password)\nconst result = encdec.encrypt(secret)\n//\u003e  { mySecret: 'VAULT_NACL(AQAQJwAA+CWBR7...+qAo=)' }\n\nencdec.decrypt(result)\n//\u003e { mySecret: 'a $€Cr3T secret' }\n```\n\n### vault\n\n`Vault` provides the interface to en- and decryption.\n\n_asynchronous_\n\n```js\nconst { Vault } = require('vault-nacl')\n\nconst password = '$€creT'\n\nasync function main() {\n  const vault = new Vault(password)\n\n  const ciphertext = await vault.encrypt('my secret message')\n  const orginal = await vault.decrypt(ciphertext)\n  //\u003e 'my secret message'\n\n  vault.clear() // clear password\n}\nmain()\n```\n\n_synchronous_\n\nThis example uses a different digest and iterations:\n\n```js\nconst { Vault } = require('vault-nacl')\n\nconst password = '$€creT'\n\nconst vault = new Vault(password, { digest: 'sha512', iterations: 20000 })\nconst ciphertext = vault.encryptSync('my secret message')\nconst orginal = vault.decryptSync(ciphertext)\n//\u003e 'my secret message'\n\nvault.clear() // clear password\n```\n\n## internals\n\nFormat of the base64 encrypted secret:\n\n**Version 1**\n\n| 1 Byte    | 1Byte  | 4Bytes     | 32Bytes | n-Bytes      |\n| --------- | ------ | ---------- | ------- | ------------ |\n| version=1 | digest | iterations | salt    | boxed secret |\n\n- digest: digest index. See src/Vault.js DIGESTS\n  0='sha256', 1='sha384', 2='sha512', 3='ripemd', 4='whirlpool'\n- iterations: Number of iterations. Default 310000\n- salt: Used salt for key derivation\n\n## license\n\nMIT licensed\n\n[tweetnacl]: https://npmjs.com/package/tweetnacl\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcommenthol%2Fvault-nacl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcommenthol%2Fvault-nacl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcommenthol%2Fvault-nacl/lists"}