aspis 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 185a743d7eac9bf51be9f4fe226230f1f80c40a62a4bb0f0369220225df4b1ce
+  data.tar.gz: ae52af9fd222c6d38c749e0c768bc27f33f141e0dd628e750b689ed31e10eabd
+SHA512:
+  metadata.gz: 36b039f303d773fef53aeeaef29d0991a30d7c4093d9e52e6d755e4876ce1c5836efdbfa3b348329b7d1101f6b9c6aa27853009ee2a353885a1c14af161cf22e
+  data.tar.gz: 2a987e228220b1996b5de171e05f1bdc91ad7f10892b65903df24c3ea30ae5f4153506421f562f336f19310a551042cc2e1e512ca4516e7a88feb5164db96021

data/.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in aspis.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,13 @@
+Copyright (c) 2020, Joseph Fierro <joseph.fierro@logosnetworks.com>
+
+Permission to use, copy, modify, and/or distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+THIS SOFTWARE.

data/README.md

@@ -0,0 +1,99 @@
+## aspis
+aspis is an encryption filter gem that encrypts anything it receives from stdin and sends the ciphertext to stdout. 
+It relies on Libsodium (via RbNaCl) for its cryptographic primitives. Output is in JSON format.
+
+-  Cipher: XSalsa20-Poly1305
+-  Public Keys: Curve25519
+-  Key exchange: X25519 (static-static Diffie Hellman)
+-  Password-based key derivation: Argon2i
+-  Nonces are randomly generated.
+
+### Setup
+aspis requires Libsodium and the Ruby gem RbNaCl.
+
+To improve security, aspis is cryptographically signed. 
+It is strongly encouraged to verify this signature before installing the 
+aspis gem.
+
+First, add my cert:
+```
+gem cert --add <(curl -Ls https://raw.github.com/jsfierro/aspis/certs/jsfierro.pem)
+```
+Then install the gem:
+```
+gem install aspis -P MediumSecurity
+```
+"MediumSecurity" will verify the signature on aspis, but not its dependencies in case they are
+not signed. "HighSecurity" will require signatures on all dependencies as well. 
+
+Or to build and install from Github:
+```
+$ git clone https://github.com/jsfierro/aspis
+$ cd aspis
+# bundle exec rake install
+```
+
+### Usage
+Basic syntax:
+```
+aspis [-n] [-o] [-m] -e|-d|-g
+```
+The flags -e or -d tell aspis to encrypt or decrypt respectively. 
+The -g flag creates a new keypair in the ~/.aspis directory, creating that directory if necessary.
+
+If used with the -n option, aspis will look for the password in the environment
+variable ASPIS_PASS rather than asking for it on the command line. This is useful if
+you want to use aspis in a script, but environment variables are not as secure as they may seem.
+It is best to disable your shell's history if using this option to prevent something like 
+```
+export ASPIS_PASS=p@ssw0rd
+```
+from appearing in the shell's history file. 
+
+To manually tweak Argon2i's CPU ops and memory parameters, use the -o and -m 
+options. Memory is specified in MiB.
+
+Simple example of encrypting a message with a password-derived key:
+```
+echo "hello" | aspis -e
+```
+Encrypt file.pdf and write the output to file.enc:
+```
+aspis -e file.pdf > file.enc
+```
+Encrypt a file piped via cat(1) and send it over the network with netcat:
+```
+cat file.pdf | aspis -e | nc 192.168.1.1 4444
+```
+Alice encrypts a file for Bob, using his public key and her default private key located in ~/.aspis:
+```
+aspis -e -p bob-pubkey message-for-bob.txt > message-for-bob.enc
+```
+Bob would decrypt the above file like so:
+```
+aspis -d -p alice-pubkey message-for-bob.enc > message-for-bob.txt
+```
+To send an encrypted email to Bob, you can use aspis with mutt like so:
+```
+echo "top secret message for Bob" | aspis -e -p bob-pubkey | mutt -s "Urgent, read immediately" bob@mailercorp.com
+```
+Bob would then open the email in mutt, and press "|" to pipe the message to an external command. To decrypt, he would
+grep for the aspis portion of the email, then pipe that into aspis:
+```
+grep ciphertext | aspis -d -p alice-pubkey
+```
+The now decrypted message body will be displayed.
+
+### Security considerations
+aspis uses the NaCl crypto_box function underneath (via Libsodium) for its public key cryptography. 
+Key exchanges in asymmetric mode are static-static Diffie Hellman, which means that the shared key between 2 parties will be the same for all
+of their communication. One desirable property of static-static DH (or "full static" as it is sometimes known) is that it provides
+mutual authentication. Once Alice and Bob have each other's public keys, they can be sure that future messages 1.) can only be decrypted by Alice or Bob, and 2.) are actually from Alice or Bob.
+
+The unfortunate part of this scheme is that their shared key is always the same, until one of them changes their long-term keys. This means that if an 
+attacker is able to compromise either Alice or Bob's key, it exposes all past messages between them. A scheme that provides forward secrecy would only expose messages encrypted with the compromised key, not all messages. However, this is harder to do for the asynchronous communication for which aspis is likely to be used.
+
+
+I took the view that key impersonation is easier for an attacker and thus more likely than key compromise, and chose a scheme that provides mutual authentication to counter this. Yes, I am aware of its drawbacks. 
+
+Consult the NaCl paper for formal discussion of the cryptography used in aspis: https://cr.yp.to/highspeed/naclcrypto-20090310.pdf

data/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+task default: :spec

data/aspis.1

@@ -0,0 +1,73 @@
+.\"
+.\"Copyright (c) 2020 Joseph Fierro <joseph.fierro@logosnetworks.com>
+.\"
+.\"Permission to use, copy, modify, and distribute this software for any
+.\"purpose with or without fee is hereby granted, provided that the above
+.\"copyright notice and this permission notice appear in all copies.
+.\"
+.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.Dd $Mdocdate: May 9 2020 $
+.Dt ASPIS 1
+.Os
+.Sh NAME
+.Nm aspis
+.Nd Encryption filter utility
+.Sh SYNOPSIS
+.Nm aspis
+.Fl h 
+.Nm aspis
+.Op Fl n
+.Op Fl o Ar ops
+.Op Fl m Ar memory
+.Op Fl p Ar public_key
+.Op Fl k Ar private_key
+.Fl e
+.Fl d
+.Fl g
+.Sh DESCRIPTION
+.Nm
+is an encryption utility that encrypts anything it reads from stdin and sends the ciphertext to 
+stdout in JSON format. It relies on Libsodium (via RbNaCl) for its crypto primitives.
+
+The following options select the operation:
+.Bl -tag -width Dsssigfile
+.It Fl h
+Print out usage information and exit
+.It Fl n
+The nopass option. Looks for passphrases in the environment variable ASPIS_PASS
+instead of asking for them on the command line. This is useful for embedding
+.Nm
+in scripts, but is less secure. It is recommended to disable shell history when using
+this feature to prevent something like "export ASPIS_PASS=p@ssw0rd" from being written
+to your shell's history file.
+.It Fl e
+Encrypt. Data will be read from stdin, and encrypted with XSalsa20-Poly1305
+with a key derived via Argon2i. Ciphertext and the header info will be sent to stdout
+in JSON format. 
+.It Fl d
+Decrypt.
+.It Fl g
+Generate new key pair. This will look for the directory ~/.aspis, create it if necessary,
+and create the files "public_key" and "private_key" there. The public_key can be freely distributed.
+.Nm
+will read from stdin and write the plaintext to stdout. 
+.It Fl o Ar ops
+The ops parameter (number of iterations) for Argon2i. The default is 10, and minimum is 3.
+.It Fl m Ar memory
+The memory to be consumed by Argon2i, in MiB. Default is 1024, and minimum is 64.
+.It Fl p Ar public_key
+When encrypting, the recipient's public key. When decrypting a message sent to you, the sender's public key.
+.It Fl k Ar private_key
+Your private key. If this option is omitted,
+.Nm
+will look in the ~/.aspis directory for a file called "private_key" and use that by default.
+.El
+.Pp
+.Sh AUTHOR
+Joseph Fierro <joseph.fierro@logosnetworks.com>

data/aspis.gemspec

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'aspis/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'aspis'
+  spec.version       = Aspis::VERSION
+  spec.authors       = ['Joseph Fierro']
+  spec.email         = ['joseph.fierro@logosnetworks.com']
+  spec.cert_chain       = ['certs/jsfierro.pem']
+  spec.signing_key      = File.expand_path("~/.ssh/gem-private_key.pem") if $0 =~ /gem\z/
+
+  spec.summary       = 'command line encryption tool using rbnacl'
+  spec.homepage      = 'https://github.com/jsfierro/aspis'
+  spec.license       = 'ISC'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'rbnacl', '>= 7.0.0'
+  spec.add_development_dependency 'bundler', '>= 1.17'
+  spec.add_development_dependency 'rake', '>= 13.0.1'
+end

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'aspis'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/certs/jsfierro.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbjCCAtagAwIBAgIBATANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDDCVqb3Nl
+cGguZmllcnJvL0RDPWxvZ29zbmV0d29ya3MvREM9Y29tMB4XDTIwMDUxOTIzNDIx
+MloXDTIxMDUxOTIzNDIxMlowMDEuMCwGA1UEAwwlam9zZXBoLmZpZXJyby9EQz1s
+b2dvc25ldHdvcmtzL0RDPWNvbTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoC
+ggGBAKMlytqAlJVr/1C2pfb9ecMSd9RSHhKB0FtBT19jUvGs5drds4vZOywVdVf6
+BEstZSnqUfwXkC8Y96nlYBlb7oVxHnNhoYijsxxAHDVJlhNvj1+zZMMtpgwdxCW8
+Ei9pJcVpIIABY31bG2ribxMoxThplGBmHeF+kMwszvH1EXGZRd+CZ8/7hgV27j4w
+Got0/6fxMN+OkfhA75sGjF5b7CiXqG290aLa5ts2xD81vBVUQz3X4wcddZe/TCEX
+GvJjDQi78DoBbjOZUmbqTFBA7+rUJhTjfjnJ7jKfxPcTjkUZWX6egZSLHEyzYhdk
+XjG8R6YanIEA0mhJZ0v7ood8diNii7TrvdcrkmzRxQW1Unp0sa17rNIoxehDE5fa
+ZVRWytp52okUVbMYBoV9Ukg5pvJXU8EAfIf4yclc/PMV2k2qaxfPFxdBhma9hrlF
+FDVGlM6SGzVFggpD04a4OWATqWvjoT2Nl9H9o3PRX/Vq8Iiv6r+JnMcC09tG2O+h
+i48HwQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
+BBQaUvmMaP4VQp+k+WduTXxeEkCQJDAqBgNVHREEIzAhgR9qb3NlcGguZmllcnJv
+QGxvZ29zbmV0d29ya3MuY29tMCoGA1UdEgQjMCGBH2pvc2VwaC5maWVycm9AbG9n
+b3NuZXR3b3Jrcy5jb20wDQYJKoZIhvcNAQELBQADggGBADmpMf6ax1fn549BNxOT
+BrErMUCmxil+X+4J3JYdHqa2xFSc6l032TfNkt+uuXoBBIGJHw2rqZj6Su8fxpjU
+UCX5ZRY7flIEdFwSP4KrcVb8E7dQE7VQaU2UU/DUdds2Sec8g3b3oXuEMcUQITIK
+NF85RYv9WRUyRLI7yqs5HqGxxeLtYRZ9vaqNzMs/h658QfPmFWqsWL73Dx808jvx
+2pKrAvcVNEJ9mNI5SKy/6VNHzBBMTn1JBgTCEdpos5vMuA0PMQlgvc3GiPHw3gLH
+T9FE7HMc1aiO9utsli+EMOJ9wr4TLoN7e3J4ndH8jGg/46VbqIVGL/jQsFQCDqKI
+nM4hcwmd/0ss5wQBOx+5n36nR+Adb1HHOVXdX2P5ktxUEd4Xkt51q+NxO//RYngB
+GJRqwrLlLH1jf+y9mULfzRHWpAl2aXcxCW57d/+fCCeRz7+v9Qz/Eq2ieKucVeNi
+sEIE5PVGOPAiOJxBYbphEwugUb/AFjziPepwMN0jDLx6CQ==
+-----END CERTIFICATE-----

data/exe/aspis

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'aspis'
+
+AspisInit.init

data/lib/aspis.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'aspis/version'
+require 'aspis/asymmetric_encrypt'
+require 'aspis/asymmetric_decrypt'
+require 'aspis/symmetric_encrypt'
+require 'aspis/symmetric_decrypt'
+require 'aspis/generate_keys'
+require 'aspis/aspis_init'
+
+aspis_init if __FILE__ == $PROGRAM_NAME

data/lib/aspis/aspis_init.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+# Copyright (c) 2020 Joseph Fierro <joseph.fierro@logosnetworks.com>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+require 'optparse'
+
+require_relative 'asymmetric_encrypt.rb'
+require_relative 'asymmetric_decrypt.rb'
+require_relative 'symmetric_encrypt.rb'
+require_relative 'symmetric_decrypt.rb'
+require_relative 'generate_keys.rb'
+require_relative 'version.rb'
+
+module AspisInit
+  def self.init
+    options = {}
+    OptionParser.new do |opts|
+      opts.banner = "Encryption filter utility.\n"
+
+      opts.version = Aspis::VERSION
+
+      opts.on('-e', '--encrypt', 'Encrypt') do
+        options[:mode] = 'encrypt'
+      end
+
+      opts.on('-d', '--decrypt', 'Decrypt') do
+        options[:mode] = 'decrypt'
+      end
+
+      opts.on('-g', '--generate', 'Generate key pair') do
+        options[:mode] = 'generate'
+      end
+
+      opts.on('-n', '--nopass', 'Use env variable ASPIS_PASS for passphrase') do
+        options[:ask_pass] = false
+      end
+
+      opts.on('-p', '--pubkey public_key', String, "Recipient's public key") do |p|
+        options[:public_key] = p
+      end
+
+      opts.on('-k', '--privatekey private_key', String, "Sender's private key") do |k|
+        options[:private_key] = k
+      end
+
+      opts.on('-o', '--opslimit opslimit', Integer, 'Argon2i ops parameter') do |o|
+        options[:opslimit] = o
+      end
+
+      opts.on('-m', '--memlimit memlimit', Integer, 'Argon2i memory in MiB') do |m|
+        options[:memlimit] = m
+      end
+
+      opts.on('-h', '--help', 'Displays help') do
+        puts opts
+        exit
+      end
+    end.parse!
+
+    abort('Fatal error: must enter -g, -e, or -d') unless options[:mode]
+
+    run(options)
+  end
+
+  def self.run(options)
+    if options[:public_key]
+      unless options[:private_key]
+        aspis_dir = File.expand_path('~/.aspis')
+        options[:private_key] = aspis_dir + '/private_key'
+      end
+    end
+
+    case options[:mode]
+    when 'encrypt'
+      if options[:public_key]
+        puts AsymmetricEncrypt.encrypt(ARGF.read, options[:public_key], options[:private_key], options[:ask_pass])
+      else
+        puts SymmetricEncrypt.encrypt(ARGF.read, options[:opslimit], options[:memlimit], options[:ask_pass])
+      end
+    when 'decrypt'
+      if options[:public_key]
+        puts AsymmetricDecrypt.decrypt(ARGF.read, options[:public_key], options[:private_key], options[:ask_pass])
+      else
+        puts SymmetricDecrypt.decrypt(ARGF.read, options[:ask_pass])
+      end
+    when 'generate'
+      GenerateKeys.generate(options[:opslimit], options[:memlimit], options[:ask_pass])
+    end
+  end
+end

data/lib/aspis/asymmetric_decrypt.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'rbnacl'
+require 'fileutils'
+require 'base64'
+require 'json'
+
+require_relative 'symmetric_decrypt.rb'
+
+module AsymmetricDecrypt
+  def self.decrypt(input, public_key, private_key, ask_pass)
+    sender_public_key = File.read(public_key)
+    sender_public_key = Base64.decode64(sender_public_key)
+
+    recipient_private_key = File.read(private_key)
+    recipient_private_key = SymmetricDecrypt.decrypt(recipient_private_key, ask_pass)
+
+    box = RbNaCl::SimpleBox.from_keypair(sender_public_key, recipient_private_key)
+
+    input = JSON.parse(input)
+    ciphertext = input['ciphertext']
+    ciphertext = Base64.decode64(ciphertext)
+    box.decrypt(ciphertext)
+  end
+end

data/lib/aspis/asymmetric_encrypt.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rbnacl'
+require 'fileutils'
+require 'base64'
+require 'json'
+
+require_relative 'symmetric_decrypt.rb'
+require_relative 'version.rb'
+
+module AsymmetricEncrypt
+  def self.encrypt(plaintext, public_key, private_key, ask_pass)
+    recipient_public_key = File.read(public_key)
+    recipient_public_key = Base64.decode64(recipient_public_key)
+
+    sender_private_key = File.read(private_key)
+    sender_private_key = SymmetricDecrypt.decrypt(sender_private_key, ask_pass)
+
+    box = RbNaCl::SimpleBox.from_keypair(recipient_public_key, sender_private_key)
+    ciphertext = box.encrypt(plaintext)
+    ciphertext = Base64.strict_encode64(ciphertext)
+
+    output = { version: Aspis::VERSION,
+               ciphertext: ciphertext }
+    JSON.generate(output)
+  end
+end

data/lib/aspis/generate_keys.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'rbnacl'
+require 'fileutils'
+require 'base64'
+
+require_relative 'symmetric_encrypt.rb'
+
+module GenerateKeys
+  def self.generate(opslimit, memlimit, ask_pass)
+    aspis_dir = File.expand_path('~/.aspis')
+    FileUtils.mkdir_p(aspis_dir) unless Dir.exist?(aspis_dir)
+
+    private_key = RbNaCl::PrivateKey.generate
+    public_key = private_key.public_key
+    public_key = Base64.strict_encode64(public_key)
+
+    # Encrypt private key before writing to disk
+    private_key = SymmetricEncrypt.encrypt(private_key, opslimit, memlimit, ask_pass)
+
+    File.write(aspis_dir + '/private_key', private_key)
+    File.write(aspis_dir + '/public_key', public_key)
+    puts('Keys created in ~/.aspis')
+  end
+end

data/lib/aspis/symmetric_decrypt.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'rbnacl'
+require 'json'
+require 'base64'
+
+module SymmetricDecrypt
+  def self.decrypt(input, ask_pass)
+    input = JSON.parse(input)
+
+    salt = input['salt']
+    salt = Base64.decode64(salt)
+
+    ops = input['ops']
+    mem = input['mem']
+    key_size = input['key_size']
+
+    ciphertext = input['ciphertext']
+    ciphertext = Base64.decode64(ciphertext)
+
+    password = if ask_pass == false
+                 ENV['ASPIS_PASS']
+               else
+                 IO.console.getpass 'Enter passphrase: '
+               end
+
+    key = RbNaCl::PasswordHash.argon2i(
+      password,
+      salt,
+      ops,
+      mem,
+      key_size
+    )
+
+    box = RbNaCl::SimpleBox.from_secret_key(key)
+    box.decrypt(ciphertext)
+  end
+end

data/lib/aspis/symmetric_encrypt.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'rbnacl'
+require 'json'
+require 'base64'
+require 'io/console'
+
+module SymmetricEncrypt
+  def self.timingsafe_compare(secret1, secret2)
+    check = secret1.bytesize ^ secret2.bytesize
+    secret1.bytes.zip(secret2.bytes) { |x, y| check |= x ^ y.to_i }
+    check.zero?
+  end
+
+  def self.kdf_gen(salt, opslimit, memlimit, ask_pass)
+    if ask_pass == false
+      password = ENV['ASPIS_PASS']
+    else
+      password = IO.console.getpass('Enter passphrase: ')
+      password2 = IO.console.getpass('Confirm passphrase: ')
+      unless timingsafe_compare(password, password2)
+        abort('Passphrases do not match')
+      end
+    end
+
+    RbNaCl::PasswordHash.argon2i(
+      password,
+      salt,
+      opslimit,
+      memlimit,
+      32
+    )
+  end
+
+  def self.encrypt(plaintext, opslimit, memlimit, ask_pass)
+    opslimit ||= 10
+    abort('Error: KDF opslimit must be >= 3') if opslimit < 3
+
+    memlimit ||= 1024
+    abort('Error: KDF memory must be >= 64 MiB') if memlimit < 64
+    memlimit = 1_048_576 * memlimit
+
+    salt = RbNaCl::Random.random_bytes(RbNaCl::PasswordHash::Argon2::SALTBYTES)
+
+    key = kdf_gen(salt, opslimit, memlimit, ask_pass)
+
+    box = RbNaCl::SimpleBox.from_secret_key(key)
+    ciphertext = box.encrypt(plaintext)
+
+    ciphertext = Base64.strict_encode64(ciphertext)
+    salt = Base64.strict_encode64(salt)
+
+    output = { version: Aspis::VERSION,
+               salt: salt,
+               ops: opslimit,
+               mem: memlimit,
+               key_size: 32,
+               ciphertext: ciphertext }
+
+    JSON.generate(output)
+  end
+end

data/lib/aspis/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Aspis
+  VERSION = '0.1.0'
+end

metadata

@@ -0,0 +1,132 @@
+--- !ruby/object:Gem::Specification
+name: aspis
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Joseph Fierro
+autorequire: 
+bindir: exe
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEbjCCAtagAwIBAgIBATANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDDCVqb3Nl
+  cGguZmllcnJvL0RDPWxvZ29zbmV0d29ya3MvREM9Y29tMB4XDTIwMDUxOTIzNDIx
+  MloXDTIxMDUxOTIzNDIxMlowMDEuMCwGA1UEAwwlam9zZXBoLmZpZXJyby9EQz1s
+  b2dvc25ldHdvcmtzL0RDPWNvbTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoC
+  ggGBAKMlytqAlJVr/1C2pfb9ecMSd9RSHhKB0FtBT19jUvGs5drds4vZOywVdVf6
+  BEstZSnqUfwXkC8Y96nlYBlb7oVxHnNhoYijsxxAHDVJlhNvj1+zZMMtpgwdxCW8
+  Ei9pJcVpIIABY31bG2ribxMoxThplGBmHeF+kMwszvH1EXGZRd+CZ8/7hgV27j4w
+  Got0/6fxMN+OkfhA75sGjF5b7CiXqG290aLa5ts2xD81vBVUQz3X4wcddZe/TCEX
+  GvJjDQi78DoBbjOZUmbqTFBA7+rUJhTjfjnJ7jKfxPcTjkUZWX6egZSLHEyzYhdk
+  XjG8R6YanIEA0mhJZ0v7ood8diNii7TrvdcrkmzRxQW1Unp0sa17rNIoxehDE5fa
+  ZVRWytp52okUVbMYBoV9Ukg5pvJXU8EAfIf4yclc/PMV2k2qaxfPFxdBhma9hrlF
+  FDVGlM6SGzVFggpD04a4OWATqWvjoT2Nl9H9o3PRX/Vq8Iiv6r+JnMcC09tG2O+h
+  i48HwQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
+  BBQaUvmMaP4VQp+k+WduTXxeEkCQJDAqBgNVHREEIzAhgR9qb3NlcGguZmllcnJv
+  QGxvZ29zbmV0d29ya3MuY29tMCoGA1UdEgQjMCGBH2pvc2VwaC5maWVycm9AbG9n
+  b3NuZXR3b3Jrcy5jb20wDQYJKoZIhvcNAQELBQADggGBADmpMf6ax1fn549BNxOT
+  BrErMUCmxil+X+4J3JYdHqa2xFSc6l032TfNkt+uuXoBBIGJHw2rqZj6Su8fxpjU
+  UCX5ZRY7flIEdFwSP4KrcVb8E7dQE7VQaU2UU/DUdds2Sec8g3b3oXuEMcUQITIK
+  NF85RYv9WRUyRLI7yqs5HqGxxeLtYRZ9vaqNzMs/h658QfPmFWqsWL73Dx808jvx
+  2pKrAvcVNEJ9mNI5SKy/6VNHzBBMTn1JBgTCEdpos5vMuA0PMQlgvc3GiPHw3gLH
+  T9FE7HMc1aiO9utsli+EMOJ9wr4TLoN7e3J4ndH8jGg/46VbqIVGL/jQsFQCDqKI
+  nM4hcwmd/0ss5wQBOx+5n36nR+Adb1HHOVXdX2P5ktxUEd4Xkt51q+NxO//RYngB
+  GJRqwrLlLH1jf+y9mULfzRHWpAl2aXcxCW57d/+fCCeRz7+v9Qz/Eq2ieKucVeNi
+  sEIE5PVGOPAiOJxBYbphEwugUb/AFjziPepwMN0jDLx6CQ==
+  -----END CERTIFICATE-----
+date: 2020-05-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.17'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.17'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 13.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 13.0.1
+description: 
+email:
+- joseph.fierro@logosnetworks.com
+executables:
+- aspis
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- aspis.1
+- aspis.gemspec
+- bin/console
+- bin/setup
+- certs/jsfierro.pem
+- exe/aspis
+- lib/aspis.rb
+- lib/aspis/aspis_init.rb
+- lib/aspis/asymmetric_decrypt.rb
+- lib/aspis/asymmetric_encrypt.rb
+- lib/aspis/generate_keys.rb
+- lib/aspis/symmetric_decrypt.rb
+- lib/aspis/symmetric_encrypt.rb
+- lib/aspis/version.rb
+homepage: https://github.com/jsfierro/aspis
+licenses:
+- ISC
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: command line encryption tool using rbnacl
+test_files: []