@dtinth/encrypted

Simple library for encrypted secrets with shared key powered by TweetNaCl.js.

Use cases

Secrets are long (e.g. private keys).
Don’t want to add each secret individually in e.g. Heroku, Vercel or GitHub Actions, but rather store a single secret that encrypts all the other secrets.

This module trades security for convenience. Please exercise caution when using this module.

Generate a secret key

The most convenient way to generate a secret key is to generate it from TweetNaCl.js’ website.

Generated an encrypted secret using the CLI

The package provides a CLI script, encrypt-json, which generates a JavaScript code that is ready to be copied-and-pasted into your project.

# If input is valid JSON, then it encrypts the input as JSON object.
# If you want to encrypt it as raw string, convert the input to JSON string first.
$ echo '{"thing":"to encrypt"}' | npx -p @dtinth/encrypted encrypt-json
encrypted(`
4aFTSND4ovcfmZT0KBlV7sEDBcN6jYoB.99RSnND3oxjBE1zzGn4fOazD5ydBfhqFV+UZDXz
cijbApO5W3JA=
`)

# If input is not valid JSON, then it encrypts the input as string.
$ echo 'string' | npx -p @dtinth/encrypted encrypt-json
encrypted(`
pd7/d01Xvm4K3Yy8GE/NLPbBpsq6k0+f.paKyrwMXncv7UzH9TCDiRvSEpSVf57CjftA=
`)

The CLI is aware of .env files.

Using the secret in your project

Require the @dtinth/encrypted package and use the generated code. When the code is run, it will decrypted the secret using the key specified in the ENCRYPTION_SECRET environment variable.

const encrypted = require('@dtinth/encrypted')()

const decodedSecret = encrypted(
  'BarWjHyYfhOowXguGxMQiUrMpDO2xwgM./5Ibctetf70d8rfZvESJbBUfFJ9D78gODjJqxXPFAfPbpfc='
)

Generated an encrypted secret programmatically

const { encrypt } = require('@dtinth/encrypted')()
encrypt({ thing: 'to encrypt' })