ncypher 0.6.2 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: cfd1b3326757bdf0d4c6e574244fef35590c0e82
-  data.tar.gz: 256719f1a6f1ae607a368f53f409a1b6c006f4ca
+SHA256:
+  metadata.gz: 5ae6bde2a016dfd99b8749cb7e4f323d68ff240bfc89155a514613de302b02d9
+  data.tar.gz: 0d5911bb280ee42d10f34050feb5ccfa6d03d2dce8cead6d1912981ed6ca33ac
 SHA512:
-  metadata.gz: f75236a2af542fa8846200cc32bcd38e84fde0e72f8be468d41d1b03900b19f85795646dce6934a10e903877a1a86c09691aaf5993f39aadd88b799d7854de1e
-  data.tar.gz: ae27d9edee23c8ca7f38f69bd9b392f36fa8318fe14ad063a93d5756c5cda0467f9238da36c97fe7e85173223f5c8daecf5c74facdbd008e55593a0d564e3a2a
+  metadata.gz: f9b2cf4f291a6f56e36a1bff7a9b3adee281494835f93295092cbccffe2dacecaf656dbf0f9d0ba79a75bd055f232c41e3a51e5386aa8dd9fe768482bc42248f
+  data.tar.gz: 847d72ac2a8b21321a18c2eb4b6e49ee98ba6dd8dd7ac554ab25c0681c2ceff66f775064a1e573e11e97f8a12cea0112710b32400d6151786ee59b9c422dff17

data/.travis.yml

@@ -3,7 +3,7 @@ cache:
   bundler: true
 language: ruby
 rvm:
-  - 2.2.1
+  - 2.2.6
 before_install: gem install bundler -v 1.12.5
 script: bundle exec rake
 deploy:

data/README.md

@@ -68,7 +68,25 @@ defaults: &defaults
   my_password: <%= Ncypher::Ncypher.decrypt('lXEwfKv4dEjmK0kojEAnikNsLCsVCtSMiR2aSfM6uUXYn2DzCZ3O7SA9HaGnMp/kEEsI') %>
 ```
 
+## Password derived secret key
 
+In some cases you may want to derive a key from a particular password you have memorized. You can simply do:
+
+```
+$> ncypher derive_key p4$$w0rd
+R9RgHcFnuHr+86/7v3MdDyu3V63jh69VCPMXknA2v6E=
+SALT: 4+d4JTGTxRbtXs1vYScBYg==
+```
+
+You can see that the salt is randomly generated for security reasons. You should put that salt in a `.ncypher_salt` file in the current directory (this file can be pushed to your repository). So that the next time you do `ncypher derive_key p4$$w0rd` you get the exact same ncyper\_key generated.  
+Note that the salt is written on STDERR so you can directly do:
+
+```
+$> ncypher derive_key p4$$w0rd > .ncypher_key
+SALT: WKCAkJcS65nx3lA/w1BmBw==
+```
+
+Then you have the ncypher\_key in .ncypher\_key. Be sure to save the salt if you want to be able to derive back the exact same key in the future.
 
 
 ## Development

data/exe/ncypher

@@ -1,10 +1,10 @@
 #!/usr/bin/env ruby
-require 'ncypher'
+require "ncypher"
 
 begin
-  Object.const_get('Ncypher')
+  Object.const_get("Ncypher")
 rescue NameError
-  require 'bundler/setup'
+  require "bundler/setup"
 end
 
 SUB_COMMANDS = %w(generate_key encrypt decrypt)
@@ -12,6 +12,7 @@ SUB_COMMANDS = %w(generate_key encrypt decrypt)
 if ARGV.empty?
   STDERR.puts "Ncypher a credential encryption tool"
   STDERR.puts "usage: ncypher generate_key"
+  STDERR.puts "usage: ncypher derive_key <password> [salt]"
   STDERR.puts "usage: ncypher key"
   STDERR.puts "usage: ncypher encrypt <text>"
   STDERR.puts "usage: ncypher decrypt <text>"
@@ -20,14 +21,24 @@ end
 
 cmd = ARGV.shift
 case cmd
-  when "generate_key"
-    puts Ncypher::Ncypher.new.generate_key
-  when "key"
-    puts Ncypher::Ncypher.new.key_b64
-  when "encrypt"
-    text = (ARGV.shift || STDIN.read)
-    puts Ncypher::Ncypher.new.encrypt(text.strip)
-  when "decrypt"
-    text = (ARGV.shift || STDIN.read)
-    puts Ncypher::Ncypher.new.decrypt(text.strip)
+when "generate_key"
+  puts Ncypher::Ncypher.new.generate_key
+when "derive_key"
+  password = ARGV.shift
+  unless password
+    abort "ncypher derive_key <password> [salt]"
+  end
+  salt = File.exists?(".ncypher_salt") ? File.read(".ncypher_salt")&.strip : ARGV.shift
+  key, used_salt = Ncypher::Ncypher.new.derive_key(password.strip, salt)
+  STDOUT.puts key
+  STDERR.puts "SALT: #{used_salt}" # Put salt on stderr so we can do ncypher deriver_key password > .ncypher_key
+                                   # and keep salt out of .ncypher_key
+when "key"
+  puts Ncypher::Ncypher.new.key_b64
+when "encrypt"
+  text = (ARGV.shift || STDIN.read)
+  puts Ncypher::Ncypher.new.encrypt(text.strip)
+when "decrypt"
+  text = (ARGV.shift || STDIN.read)
+  puts Ncypher::Ncypher.new.decrypt(text.strip)
 end

data/lib/ncypher.rb

@@ -1,14 +1,14 @@
 require "ncypher/version"
 
-require 'base64'
-require 'rbnacl/libsodium'
-require 'rbnacl'
+require "base64"
+require "rbnacl/libsodium"
+require "rbnacl/password_hash"
 
-module Ncypher
+require "rbnacl"
 
+module Ncypher
   class Ncypher
-
-    def initialize(key_filename: '.ncypher_key', key: nil)
+    def initialize(key_filename: ".ncypher_key", key: nil)
       @key = key ? Base64.strict_decode64(key.strip) : nil
       @key_filename = key_filename
     end
@@ -26,12 +26,24 @@ module Ncypher
       Base64.strict_encode64(generated_key)
     end
 
+    def derive_key(password, encoded_salt = nil)
+      salt ||= encoded_salt ?
+        Base64.strict_decode64(encoded_salt) :
+        RbNaCl::Random.random_bytes(RbNaCl::PasswordHash::Argon2::SALTBYTES)
+
+      opslimit = 5
+      memlimit = 7_256_678
+      digest_size = RbNaCl::SecretBox.key_bytes
+      generated_key = RbNaCl::PasswordHash.argon2(password, salt, opslimit, memlimit, digest_size)
+      [Base64.strict_encode64(generated_key), Base64.strict_encode64(salt)]
+    end
+
     def key
       @key ||= begin
-                 saved_key = ENV['NCYPHER_KEY'] || find_keyfile
-                 abort "Can't find .ncypher_key file or NCYPHER_KEY env variable" if saved_key.nil?
-                 Base64.strict_decode64(saved_key.strip)
-               end
+        saved_key = ENV["NCYPHER_KEY"] || find_keyfile
+        abort "Can't find .ncypher_key file or NCYPHER_KEY env variable" if saved_key.nil?
+        Base64.strict_decode64(saved_key.strip)
+      end
     end
 
     def key_b64
@@ -50,6 +62,10 @@ module Ncypher
       Ncypher.new.generate_key
     end
 
+    def self.derive_key(password, salt = nil)
+      Ncypher.new.derive_key(password, salt)
+    end
+
     def self.key
       Ncypher.new.key
     end
@@ -59,18 +75,17 @@ module Ncypher
     end
 
     private
+
     def box
       RbNaCl::SimpleBox.from_secret_key(key)
     end
 
-    def find_keyfile(folder: '.')
+    def find_keyfile(folder: ".")
       path = "#{folder}/#{@key_filename}"
       return File.read(path) if File.exist?(path)
-      return nil if folder == '/'
+      return nil if folder == "/"
       folder = File.expand_path("#{folder}/../")
       find_keyfile(folder: folder)
     end
-
   end
-
 end

data/lib/ncypher/version.rb

@@ -1,3 +1,3 @@
 module Ncypher
-  VERSION = "0.6.2"
+  VERSION = "0.7.0"
 end

data/ncypher.gemspec

@@ -24,5 +24,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "minitest", "~> 5.0"
 
   spec.add_dependency 'rbnacl-libsodium', '~> 1.0'
-  spec.add_dependency 'rbnacl', '~> 3.0'
+  spec.add_dependency 'rbnacl', '~> 5.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ncypher
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.7.0
 platform: ruby
 authors:
 - David Hagege
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-09-05 00:00:00.000000000 Z
+date: 2019-09-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '5.0'
 description: ''
 email:
 - david.hagege@gmail.com
@@ -121,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: Ncypher lets you encrypt/decrypt credentials in a safe and transparent way