Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/SocialGouv/aes-gcm-rsa-oaep

Kubeseal aes-gcm-rsa-oaep encryption implementaton in TypeScript
https://github.com/SocialGouv/aes-gcm-rsa-oaep

cryptography kubernetes sealed-secrets

Last synced: 18 days ago
JSON representation

Kubeseal aes-gcm-rsa-oaep encryption implementaton in TypeScript

Host: GitHub
URL: https://github.com/SocialGouv/aes-gcm-rsa-oaep
Owner: SocialGouv
Fork: true (cberthou/aes-gcm-rsa-oaep)
Created: 2021-02-11T18:55:33.000Z (almost 4 years ago)
Default Branch: master
Last Pushed: 2024-11-12T10:21:21.000Z (about 1 month ago)
Last Synced: 2024-11-12T11:25:34.306Z (about 1 month ago)
Topics: cryptography, kubernetes, sealed-secrets
Language: TypeScript
Homepage: http://socialgouv.github.io/webseal
Size: 304 KB
Stars: 10
Watchers: 2
Forks: 1
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # AES-GCM + RSA OAEP encryption  

AES-GCM + RSA-OAEP encryption/decryption using WebCrypto API in NodeJS or in the browser

Tests uses `@peculiar/webcrypto` for polyfilling browser crypto api.

This can be used to replace [kubeseal](https://github.com/bitnami-labs/sealed-secrets) encryption in JavaScript environments.

See demo : http://socialgouv.github.io/webseal

## Usage

### High level

```js

import { encryptValue, encryptValues, getSealedSecret } from "@socialgouv/aes-gcm-rsa-oaep"

// encrypt single value

const encryptedValue =  encryptValue({

  pemKey: "somekey",

  scope: "cluster",

  namespace: "dev",

  name: "my-secret",

  value: "plain-value";

});

// encrypt multiple values

const encryptedValue =  encryptValues({

  pemKey: "somekey",

  scope: "cluster",

  namespace: "dev",

  name: "my-secret",

  values: {

    value1: "plain1",

    value2: "plain2"

  }

});

// get sealed-secret

const sealedSecret =  getSealedSecret({

  pemKey: "somekey",

  scope: "cluster",

  namespace: "dev",

  name: "my-secret",

  values: {

    value1: "plain1",

    value2: "plain2"

  }

});

```

## Low level

```js

import { pki } from 'node-forge';

import { HybridEncrypt, pemPublicKeyToCryptoKey } from '@socialgouv/aes-gcm-rsa-oaep';

const publicKeyPem = pki.publicKeyToPem(cert.publicKey);

const publicKey = await pemPublicKeyToCryptoKey(publicKeyPem);

const plainText = 'Bonjour le monde';

const label = Buffer.from('');

const result = await HybridEncrypt(publicKey, plainText, label);

const sealedText = Buffer.from(result).toString('base64');

```

## Encryption Algorithm

To encrypt content, we go through the following steps :

-   Generate a 128 bits AES key

-   Encrypt the payload using the AES-GCM algorithm (with the previously generated key). We use a 12 bits of 0 as IV, because the key is only used once.

-   Encrypt the AES key using the RSA-OAEP algorithm (using the provided public key).

-   Generate the output payload this way :

  (RSA payload length as 2 bytes integer) || (RSA encrypted aes key) || (AES encrypted payload)