Skip to content

Latest commit

 

History

History
169 lines (130 loc) · 5.92 KB

README.md

File metadata and controls

169 lines (130 loc) · 5.92 KB

tiny-encrypt-rs

Important

To use tiny-encrypt, a Yubikey(https://www.yubico.com/products/) or MacBook with Secure Enclave get the best security effect, the key MUST support PIV or OpenPGP.

Tiny Encrypt written in Rust Programming Language

Specification: Tiny Encrypt Spec V1.1

Tiny encrypt rs is a Rust implementation of Tiny encrypt java https://git.hatter.ink/hatter/tiny-encrypt-java
Tiny encrypt spec see: https://github.com/OpenWebStandard/tiny-encrypt-format-spec

Repository address: https://git.hatter.ink/hatter/tiny-encrypt-rs mirror https://github.com/jht5945/tiny-encrypt-rs

Set default encryption algorithm:

export TINY_ENCRYPT_DEFAULT_ALGORITHM='AES' # or CHACHA20

Compile only encrypt:

cargo build --release --no-default-features

Install from git:

cargo install --git https://git.hatter.ink/hatter/tiny-encrypt-rs.git --features full-features

Edit encrypted file:

tiny-encrypt decrypt --edit-file sample.txt.tinyenc 

Read environment EDITOR or SECURE_EDITOR to edit file, SECURE_EDITOR write encrypted file to temp file.

Secure editor command format:

$SECURE_EDITOR <temp-file-name> "aes-256-gcm" <temp-key-hex> <temp-nonce-hex>

Encrypt config ~/.tinyencrypt/config-rs.json:

{
  "environment": {
    "TINY_ENCRYPT_DEFAULT_ALGORITHM": "AES or CHACHA20"
  },
  "namespaces": {
    "name": "/Users/example/.name"
  },
  "envelops": [
    {
      "type": "pgp-rsa",
      "kid": "KID-1",
      "desc": "this is key 001",
      "publicPart": "----- BEGIN PUBLIC KEY ..."
    },
    {
      "type": "piv-p256",
      "kid": "KID-2",
      "desc": "this is key 002",
      "publicPart": "04..."
    }
  ],
  "profiles": {
    "default": [
      "KID-1",
      "KID-2"
    ],
    "l2,leve2": [
      "KID-2"
    ]
  }
}

Kyber1024 usage: Generate static-kyber1024 keypair:

$ tiny-encrypt -K -a kyber1024 -n keyname
[OK   ] Keychain name: keyname
[OK   ] Public key   : a731b5032194c3d2ad01f36d64e859ca9738595c21aa19c852dac22f4...
[INFO ] Config envelop:
{
  "type": "static-kyber1024",
  "sid": "keyname",
  "kid": "keychain:a731b5032194c3d2ad01f36d64e859ca9738595c21aa19c852dac22f411036c7",
  "desc": "Keychain static",
  "args": [
    "keychain::tiny-encrypt:keyname"
  ],
  "publicPart": "a731b5032194c3d2ad01f36d64e859ca9738595c21aa19c852dac22f411036c..."
}

Then write file ~/.tinyencrypt/config-rs.json.

Last, config key id to profile.

Supported PKI encryption types:

Type Algorithm Description
pgp-rsa PKCS1-v1.5 OpenPGP Encryption Key (Previous pgp)
pgp-x25519 ECDH(X25519) OpenPGP Encryption Key
gpg OpenPGP GnuPG Command
static-x25519 ECDH(X25519) Key Stored in macOS Keychain Access
static-kyber1024 Kyber1024 Key Stored in macOS Keychain Access
piv-p256 ECDH(secp256r1) PIV Slot (Previous ecdh)
piv-p384 ECDH(secp384r1) PIV Slot (Previous ecdh-p384)
key-p256 ECDH(secp256r1) Key Stored in macOS Secure Enclave
piv-rsa PKCS1-v1.5 PIV Slot

Smart Card(Yubikey) protected ECDH Encryption description as below:

┌───────────────────┐                     ┌───────────────────────────┐
│Tiny Encrypt       │                     │Smart Card (Yubikey)       │
│                   │  Get Public Key(P)  │                           │
│                   │ ◄───────────────────┤ Private Key(d)            │
│                   │                     │ P = dG                    │
│                   │ Temp Private Key(k) │                           │
└───────────────────┘ Q = kG              └───────────────────────────┘

                      Shared Secret = kP = kdG

                      Store Q, Encrypt using derived key from Shared Secret


                      Send Q to Smart Card
                      ───────────────────►
                                          Shared Secret = dQ = kdG

                               Decrypt using derived key from restored Shared Secret

Environment

KEY Comment
TINY_ENCRYPT_DEFAULT_ALGORITHM Encryption algorithm, aes or chacha20
TINY_ENCRYPT_DEFAULT_COMPRESS File compress, 1 or on, default false
TINY_ENCRYPT_NO_PROGRESS Do not display progress bar
TINY_ENCRYPT_NO_DEFAULT_PIN_HINT Do not display default PIN hint
TINY_ENCRYPT_USE_DIALOGUER Use dialoguer
TINY_ENCRYPT_PIN PIV Card PIN
TINY_ENCRYPT_KEY_ID Default Key ID
TINY_ENCRYPT_AUTO_SELECT_KEY_IDS Auto select Key IDs
TINY_ENCRYPT_AUTO_COMPRESS_EXTS Auto compress file exts
TINY_ENCRYPT_PIN_ENTRY PIN entry command cli
SECURE_EDITOR Secure Editor
EDITOR Editor (Plaintext)