Constructor
new SeaSalt_Keychain(sigopt, passwordopt, configopt)
Parameters
Key signature or initial config
Key password or keychain data
User configuration
Properties
Keychain configuration
Whether or not SeaSalt_Keychain is running in debugging mode
Hashing algorithm to use (sha256, sha512)
Length of the private key salt for hashing
Lock open keychains to try preventing write conflicts
Function for handling logging calls
Maximum length of time in milliseconds to keep a recovery key before automatically deleting it
Maximum number of recovery keys to keep per signature
Minimum password entropy required
Minimum password character length
Minimum password strength
Number of recovery tokens to generate when creating a new key
Length of the recovery code
Length of the public salt for hashing
Length of generates key signatures
Operate in read-only mode
Storage API bindings and settings (custom methods must interface localStorage)
Whether or not to record storage content checksums
Whether or not to enable localStorage.
Setting this to false
will disable keychain.read, keychain.write, keychain.purge, and keychain.rekey.
Include metadata in keychain.read() responses
Prefix for all storage keys
Function for reading from storage keys
Function for writing to storage keys
Function for deleting storage keys
Lists all found storage keys
Keychain state
Keychain configuration data keychain.keyconf
Stored secret boxes whose configuration has otherwise been deleted
Runtime ID for the new keychain instance
Examples
let keychain = new SeaSalt_Keychain();
let keychain = new SeaSalt_Keychain({
hash: sha256,
recoveryTokenCount: 3,
storage: {
prefix: 'mycustom:prefix:'
}
});
let keychain = new SeaSalt_Keychain('DpfXY1eKueSUXt4a', 'mypassword');
Methods
backup(sigsopt, configopt):JSZip|boolean
Generates a backup of all Keychain data or just the specified sigs. Requires JSZip dependency.
If you're looking to backup just the key configuration see keychain.export_key.
Parameters
Key signature or array of signatures to backup data for. Can also be a shortcut for config
or config.callback
.
Backup configuration or shortcut for config.callback
Include all keys when running decrypt mode
Callback to send generates Zip file
function(content) {
// content is zip file
}
Decrypt storage data for supplied keys.
let config = {sigs: {
sig1: 'password',
sig2: 'password',
...
}}
Returns
- Type
- :JSZip|boolean
Returns an instance of JSZip if no callback is provided in the backup configuration.
If a callback is provided, the backup zip file is sent to it.
Examples
let keychain = new SeaSalt_Keychain();
let zip = keychain.backup();
// see JSZip for more information on what to do with the return data
// FileSaver.js is a very handy tool for starting save file dialogs
keychain.backup(function(content) {
saveAs(content, 'mybackup.zip');
});
// generate a backup of just the provided signatures
keychain.backup({
sigs: {
sig1: 'password',
sig2: 'password'
}
});
// generate a decrypted backup for the provided signatures but include all other data
keychain.backup({
sigs: {
sig1: 'password',
sig2: 'password'
},
all: true
});
check(sig, userPassword):boolean
An alias for keychain.open(sig
, userPassword
, true
);
Parameters
Key signature to check
User password to check
Returns
- Type
- :boolean
Returns true or false
clean(config, scanopt):Object
Searches for orphaned data in the keychain and storage.
Parameters
String or array containing areas to check.
Possible values are: history, mode, storage, all
Scan only; do not delete matches
Returns
- Type
- :Object
Returns an object identifying orphaned items
{
"history": [],
"mode": [],
"storage": []
}
Examples
let keychain = new SeaSalt_Keychain();
keychain.clean('storage');
let keychain = new SeaSalt_Keychain();
keychain.clean(['storage', 'mode']);
// or all items
keychain.clean('all');
close():boolean
Close an opened key and erase all loaded settings
Returns
- Type
- :boolean
create(userPassword, configopt):Object|boolean
Create a new key configuration.
Recovery Codes
The recovery codes are used to access the recovery keys.
The recovery keys contain a copy of the original encryption key. A few are generated at creation and are stored in the keychain. You can create more later on.
If you have they keychain, then you only need the recovery codes to use the keys. If you lose the keychain entirely, then you can provide both the code and key at restoration time.
Modes
The key configuration can be set to either hash or aead encrypt the storage key name.
Mode 0 uses a salted SHA256 hash for the encrypted storage keys.
Mode 1 uses a salted SHA512 hash for the encrypted storage keys.
Parameters
Password for the key configuration
User configuration data
Storage key encryption mode (sha256=0, sha512=1)
Name for this key configuration
Returns
- Type
- :Object|boolean
Returns an object containing the key signature and recovery codes/keys or false on failure
Example
let keychain = new SeaSalt_Keychain();
keychain.create('mymuchbetterpassword');
// returns an object like
{
"sig": "DpfXY1eKueSUXt4a",
"codes": {
"333400752028": "8db9a168853bfa778b510f93b99f8783ba48f0b7a8a7c31eaf317437dc9f22b4...",
"686119075418": "6ccc93ea0679919986391ec327f7414587ff75641157532ddb736dcbca4498f4..."
}
}
create_recovery(sig, userPasswordopt, boxopt):Object
Generates a random code and corresponding secret box
Parameters
Key configuration signature
Hashed passphrase of the userPassword
Secret box to use for creating the recovery object
Returns
- Type
- :Object
Returns an object containing a recovery code and recovery key
Examples
let keychain = new SeaSalt_Keychain();
keychain.create_recovery('DpfXY1eKueSUXt4a', 'mygreatestpasswordyet')
// returns an object like
{
"code": "482559516047",
"token": "cd052b20c5dabb034975baae5c17e2b65521c5a9971fac10022874b557653e2f..."
}
// let's say we want to use the first key stored in the key history
let keychain = new SeaSalt_Keychain();
keychain.create_recovery('DpfXY1eKueSUXt4a', 'mygreatestpasswordyet', keychain.keys.DpfXY1eKueSUXt4a.history[0])
decrypt(ciphertext):string
Decrypt a provided ciphertext using the loaded key
Parameters
Ciphertext to decrypt
Returns
- Type
- :string
Returns the decrypted string
Example
let keychain = new SeaSalt_Keychain();
keychain.open('DpfXY1eKueSUXt4a', 'mygreatpassword33');
keychain.decrypt('1a0a8965c5995dbfbb9e32706805e0d7c3bcdd080107d8929cb36f358af25825eb82cab9e2ce38363ed6f3e999b785e1823185a8ce4272ac');
// using the example from keychain.encrypt the result would be: My secret string
destroy(sigopt, historyopt, purgeopt)
Destroys a key signature by deleting it from the keychain
Parameters
Key configuration signature to destroy (treated as history if boolean)
Whether or not to delete history data for this key configuration
Whether or not to purge all key data storage
Examples
// destroy the key configuration but do not delete the history or storage data
let keychain = new SeaSalt_Keychain();
keychain.destroy('DpfXY1eKueSUXt4a');
// destroy the key configuration, history and storage data
keychain.destroy('DpfXY1eKueSUXt4a', true, true);
// destroy all key configurations and data
keychain.destroy(true, true);
encrypt(string):string
Encrypt a string using the loaded key configuration encryption key.
Encryption utilizes AEAD with nonces. The same string and key will never result in the same ciphertext twice.
Parameters
String to encrypt
Returns
- Type
- :string
Returns the encrypted ciphertext
Example
let keychain = new SeaSalt_Keychain();
keychain.open('DpfXY1eKueSUXt4a', 'mygreatpassword33');
keychain.encrypt('My secret string');
// returns a string like: 1a0a8965c5995dbfbb9e32706805e0d7c3bcdd080107d8929cb36f358af25825eb82cab9e2ce38363ed6f3e999b785e1823185a8ce4272ac
error(message)
Forward an error and throw it
Parameters
Error message to throw
export_key(sigopt, rawopt):string
Export the current sig, specified sig, or all sigs keychain data
Parameters
Specific key signature, true for all, or none for currently opened key
Return the config objects instead of JSON
Returns
- Type
- :string
Returns a JSON object of the requested key configuration data
Example
let keychain = new SeaSalt_Keychain();
// export all key configurations
keychain.export_key();
// export a specific key configuration
keychain.export_key('DpfXY1eKueSUXt4a');
find_recovery(sig, code, boxesopt):Array
Check supplied code against all known or provided secret boxes
Parameters
Key configuration signature
Recovery code to attempt validating
Box or boxes to try validating against
Returns
- Type
- :Array
Returns an array of all matching secret boxes
Examples
let keychain = new SeaSalt_Keychain();
keychain.find_recovery('DpfXY1eKueSUXt4a', '482559516047');
// in this case, let's say you are able to provide a copy of the recovery code and token
let keychain = new SeaSalt_Keychain();
keychain.find_recovery('DpfXY1eKueSUXt4a', '482559516047', 'cd052b20c5dabb034975baae5c17e2b65521c5a9971fac10022874b557653e2f...');
get_keysalt():string
Get the private keysalt for the currently open key configuration
Returns
- Type
- :string
Returns the found keysalt value
hash(string, saltopt, hashopt):string
Hash an input using the configured hashing algorithm with optional salt
Parameters
String to hash
Salt to hash with
Hashing algorithm to use
Returns
- Type
- :string
Returns a hash of the input
import_key(data, sigopt, confirmopt, forceopt):Object
Imports a key configuration to the keychain
Parameters
JSON object of the key configuration data
Key configuration signature
Confirm overwrite of existing key configuration
Force use of custom key signature
Returns
- Type
- :Object
Returns an object with the key signature and save status
Example
let keychain = new SeaSalt_Keychain();
// import the configuration and return a new key signature
keychain.import_key('{"format":0,"mode":1,"box":"158754f8531b75aa1a9f40bbdf45551ef8144c48224bed5aa1bc083a7ab2a8ed...');
// import the configuration and overwrite an existing key signature
keychain.import_key('{"format":0,"mode":1,"box":"158754f8531b75aa1a9f40bbdf45551ef8144c48224bed5aa1bc083a7ab2a8ed...', 'DpfXY1eKueSUXt4a', true);
key(key):string
Converts a key to the encrypted-format key with format: prefix:key signature:type:format:mode:encrypted storage key
Example: seasalt:keychain:DpfXY1eKueSUXt4a:storage:0:1:a8c0b162cacd0cb76803da4c5eb0269e...
The encrypted storage key is a hash of the provided key and the private keysalt.
Parameters
Storage key name to modify
Returns
- Type
- :string
Returns a string containing the new storage key name
Example
let keychain = new SeaSalt_Keychain();
keychain.key('my storage key');
// returns a string like: seasalt:keychain:DpfXY1eKueSUXt4a:storage:0:1:aaac25a086bc3a30063ff2fd9fb4e3df5a9fbca2da9bfa02e0d0d216d447c0c7...
keyconf(configopt):object
Returns a new key configuration (generally for creation and restoration of key configurations)
Parameters
Keychain key configuration values
Secret box for the key
Key configuration name
Key configuration public salt
Storage key encryption mode
Key configuration format
Previous secret box strings
Recovery code objects
Returns
- Type
- :object
Example
let keychain = new SeaSalt_Keychain();
// the keys name, box, and salt are required
keychain.keyconf({
name: 'My config name',
box: 'Secret box string',
salt: 'Public salt'
});
listkeys():Array
Return a list of key configuration signatures
Returns
- Type
- :Array
lock(state, forceopt)
Change the lock state of the key signature in localStorage
Parameters
Lock (true
) or unlock (false
) the keychain
Force the action
log(…arg)
Forwards logging requests to the configured log handler
Parameters
Arguments to forward to logging handler
modify(sigopt, configopt, confirmopt):boolean
Modify the key configuration with the provided user config.
Note - If modifying any restricted keys make sure to have a backup if you value your data if you're not sure what you are doing.
Parameters
Key signature to modify
User's configuration modifications. See keychain.keyconf for a complete list of config keys.
Read-only Keys - The following keys cannot be modified with this tool:
- format
- history
- recovery
Restricted Keys - The following keys require confirmation to be modified with this tool:
- box
- mode
- salt
Confirmation to override restricted configuration keys
Returns
- Type
- :boolean
Returns true or false
open(sig, userPasswordopt, checkopt):boolean
Attempt to read and parse a keychain entry (or open the only existing key if sig omitted)
Parameters
Key configuration signature
Password for the key configuration
Whether or not to just check if the userPassword is valid
Returns
- Type
- :boolean
Returns true or false
Examples
let keychain = new SeaSalt_Keychain();
keychain.open('DpfXY1eKueSUXt4a', 'mygreatpassword');
let keychain = new SeaSalt_Keychain();
keychain.open('mygreatpassword');
purge(sigopt, allopt, confirm, reverseopt, historyopt):object|undefined
Purge data from the keychain and storage
Parameters
Key configuration signature
Whether or not to purge all data and not just storage data
Whether or not you confirm this command
Whether or not to erase all data that doesn't match key configuration signature
Whether or not to erase all associated history data
Returns
- Type
- :object|undefined
Returns an object listing all deleted key signatures and storage keys
Examples
// delete all storage data for specified key configuration
let keychain = new SeaSalt_Keychain();
keychain.purge('DpfXY1eKueSUXt4a', false, true);
// delete storage and key configuration data
keychain.purge('DpfXY1eKueSUXt4a', true, true);
// delete storage, key configuration, and history data
keychain.purge('DpfXY1eKueSUXt4a', true, true, false, true);
// delete all storage data for keys other than the one specified
keychain.purge('DpfXY1eKueSUXt4a', false, true, true);
// delete all data
keychain.purge(undefined, true, true);
read(key, metaopt):string|undefined
Read and decrypt a string from storage
Parameters
Storage key to read
Include metadata
Returns
- Type
- :string|undefined
Returns the decryption result data
Example
let keychain = new SeaSalt_Keychain('DpfXY1eKueSUXt4a', 'mygreatpassword33');
keychain.read('mystoragekey1');
// using the example from keychain.write the result would be: Hello world
read_meta(key, nameopt):string|boolean
Read the file meta data for a provided storage key.
Parameters
Storage key to read. Can be either a plaintext key name or encrypted storage key name
Meta key to read
Returns
- Type
- :string|boolean
Returns the decrypted meta key data from the storage key or false on error
rekey(confirm):object|undefined
Create a new encryption key and rekeys associated objects in localStorage and recovery codes for currently opened key configuration.
Warning
This action renders all prior recovery and history keys unusable.
If a problem is encountered saving the new storage then their data could be lost.
If you value your data then definitely create a backup prior to executing this command.
Parameters
Whether or not to confirm the action
Returns
- Type
- :object|undefined
Returns an object containing the key signature and new recovery codes
restore(file)
Not yet implemented
Parameters
Restoration file contents
restore_recovery(sig, code, boxes, newPassword):boolean
Installs the provided secret box (or the first valid in an array) to the specified key and resets a new password
Parameters
Key configuration signature
Recovery code to utilize
Box or boxes to try recovering from
New password for the key configuration
Returns
- Type
- :boolean
Returns true or false
Example
let keychain = new SeaSalt_Keychain();
let recoveryboxes = keychain.find_recovery('DpfXY1eKueSUXt4a', '482559516047');
keychain.restore_recovery('DpfXY1eKueSUXt4a', '482559516047', recoveryboxes, 'mysuperdupernewpassword');
save():boolean
Store the keychain to localStorage
Returns
- Type
- :boolean
True or false depending on save status
scan(userPassword, newPasswordopt):Object|boolean
Scans all keys and recovery keys testing if the password can open it.
If a single keychain key is matched it will be opened automatically.
If a single recovery key is matched and newPassword
is provided it will be automatically restored.
Parameters
Password or recovery code to use when scanning.
Password to use when restoring a matched recovery code.
Returns
- Type
- :Object|boolean
Returns false
if no results are found.
Returns the found signature if a single key signature is detected.
Returns the status of keychain.restore_recovery if a single recovery code is matched and newPassword
is provided.
If multiple key signatures are found or if a recovery code matches with no newPassword
then this will return an object of those matches.
store_history(sigopt, skipSaveopt):boolean
Stores the specified key signature or loaded key signature's secret box in the recovery chain.
Parameters
Key configuration signature
Skip automatic save
Returns
- Type
- :boolean
Returns true or false
update(newPasswordopt):boolean
Repackages currently opened secret box optionally with a new password
Parameters
New password for the key configuration
Returns
- Type
- :boolean
Returns true or false
Examples
let keychain = new SeaSalt_Keychain();
keychain.open('DpfXY1eKueSUXt4a', 'mygreatpassword');
keychain.update();
let keychain = new SeaSalt_Keychain();
keychain.open('DpfXY1eKueSUXt4a', 'mygreatpassword');
keychain.update('mysuperbetterpassword1');
write(key, value, metaopt):string|boolean
Encrypts and writes data to storage.
Storage key names are unique to each key configuration. Thus storage key names do not need to be unique between key configurations.
See keychain.key for information regarding the returned key format.
Parameters
Storage key to write
String to be encrypted and stored
File metadata object
Returns
- Type
- :string|boolean
Returns the storage key name or false
Examples
let keychain = new SeaSalt_Keychain('DpfXY1eKueSUXt4a', 'mygreatpassword33');
keychain.write('mystoragekey1', 'Hello world');
// returns a string like: seasalt:keychain:DpfXY1eKueSUXt4a:0:44f3ef019ab2cd691a7d102cf8471d0d43f95d7c5582568885a4975c91a0ecb9...
keychain.write('mystoragekey1', '"{"mykey":true}"', {filetype: 'text/json'});