CLI for encryption and decryption of documents.
I am not a crypto expert - use at your own peril!
-
Initialisation. The vault is initialised with a password. A hash of this password is stored for later comparison (bcrypt). From this password we derive a root key, via a key derivation function (Argon2). We then generate a random document key, which will be used later for encryption/decryption of documents. We encrypt the document key using the root key, and store the result for later use.
-
Encryption/decryption. To encrypt/decrypt a document we need the unencrypted root key. This is obtained by first requesting the user for the vault password. If the provided password is correct (compare with stored hash) the root key is again derived from the password and used to decrypt the stored, encrypted document key. Once the unencrypted document key is obtained the document is simply encrypted/decrypted using this key (Advanced Encryption Standard, Galois Counter Mode).
-
Change password. Having both a password derived root key and a document key makes it relatively simple to change the vault password. Changing the vault password involves decryption of the root key using the old password and re-encryption using the new password. There is no need to re-encrypt documents!
> crypt help
Usage: crypt <command>
CLI for encryption and decryption of documents.
Commands:
* init
crypt init
Initialise the crypt vault.
* encrypt
crypt encrypt <srcpath> [dstpath]
Encrypt the document at srcpath and store the result at dstpath.
dstpath defaults to srcpath+".crypt".
* decrypt
crypt decrypt <srcpath> <dstpath>
Decrypt the document at srcpath and store the result at dstpath.
* change_password
crypt change_password
Change the crypt vault password.
* help
crypt help
Print this help.