tiny-encrypt-rs
Important
To use tiny-encrypt, a Yubikey(https://www.yubico.com/products/) or MacBook with Secure Enclave get the best security effect, the key MUST support PIV or OpenPGP.
Tiny Encrypt written in Rust Programming Language
Specification: Tiny Encrypt Spec V1.1
Tiny encrypt rs is a Rust implementation of Tiny encrypt java https://git.hatter.ink/hatter/tiny-encrypt-java
Tiny encrypt spec see: https://github.com/OpenWebStandard/tiny-encrypt-format-spec
Repository address: https://git.hatter.ink/hatter/tiny-encrypt-rs mirror https://github.com/jht5945/tiny-encrypt-rs
Set default encryption algorithm:
export TINY_ENCRYPT_DEFAULT_ALGORITHM='AES' # or CHACHA20
Compile only encrypt:
cargo build --release --no-default-features
Install from git:
cargo install --git https://git.hatter.ink/hatter/tiny-encrypt-rs.git --features full-features
Edit encrypted file:
tiny-encrypt decrypt --edit-file sample.txt.tinyenc
Read environment EDITOR or SECURE_EDITOR to edit file, SECURE_EDITOR write encrypted file to temp file.
Secure editor command format:
$SECURE_EDITOR <temp-file-name> "aes-256-gcm" <temp-key-hex> <temp-nonce-hex>
Encrypt config ~/.tinyencrypt/config-rs.json:
{
"environment": {
"TINY_ENCRYPT_DEFAULT_ALGORITHM": "AES or CHACHA20"
},
"namespaces": {
"name": "/Users/example/.name"
},
"envelops": [
{
"type": "pgp-rsa",
"kid": "KID-1",
"desc": "this is key 001",
"publicPart": "----- BEGIN PUBLIC KEY ..."
},
{
"type": "piv-p256",
"kid": "KID-2",
"desc": "this is key 002",
"publicPart": "04..."
}
],
"profiles": {
"default": [
"KID-1",
"KID-2"
],
"l2,leve2": [
"KID-2"
]
}
}
Kyber1024 usage:
Generate static-kyber1024 keypair:
$ tiny-encrypt -K -a kyber1024 -n keyname
[OK ] Keychain name: keyname
[OK ] Public key : a731b5032194c3d2ad01f36d64e859ca9738595c21aa19c852dac22f4...
[INFO ] Config envelop:
{
"type": "static-kyber1024",
"sid": "keyname",
"kid": "keychain:a731b5032194c3d2ad01f36d64e859ca9738595c21aa19c852dac22f411036c7",
"desc": "Keychain static",
"args": [
"keychain::tiny-encrypt:keyname"
],
"publicPart": "a731b5032194c3d2ad01f36d64e859ca9738595c21aa19c852dac22f411036c..."
}
Generate Secure Enclave keypair:
te -K -S --key-name "tes1" -E --secure-enclave-control-flag none
[INFO ] Config envelop:
{
"type": "key-p256",
"sid": "tes1",
"kid": "keychain:02c82ef4534ac0c4e27074ca75f4c5d926622fcee9f9cfccc0e85be0d5c5dc4864",
"desc": "Keychain Secure Enclave",
"args": [
"BIIBQDGCATwwgf****************************************************************AQEB"
],
"publicPart": "04c82ef4534ac0c4e27074ca75f4c5d926622fcee9f9cfccc0e85be0d5c5dc48647264ba0b272e811b3b07ca13177c89a20e71605fbf3bc2742a5cc8558e880c45",
"profiles": null
}
Ext keys generate via card-cli, e.g.
card-cli keypair-generate --type p256 --with-hmac-encrypt --json | jq .
{
"key_uri": "key://yubikey5-16138686:soft/p256::hmac_enc:5G6duDQLbZzKvAbcaEleMA:E7MFSz36l_1fBRSzxSwysQ:7calffpbc8MsIQHFY0IBYVDZI6vIicNiKExXaHKZ5fLnKCUDx9gUlQyGaSZr8Lo4X2g97yfulQjhihTk+Rxd9ZKyM1yYVv8MEylNrYutBv97x9C8Oawg6D1PjavQYa124SXQLW7oUbGf6at5bMx1EPb0RK9SL+aDg/yg76oxHW6qdyOxTuTBosEY0FGSf51FCAt2MncKf2n67hw129fD0/zZ83d+VSWOB/NPs4m0Hc3SWecXSxweN1yqXmdGlhTVdSyxghdqqys=",
"private_key_base64": "hmac_enc:5G6duDQLbZzKvAbcaEleMA:E7MFSz36l_1fBRSzxSwysQ:7calffpbc8MsIQHFY0IBYVDZI6vIicNiKExXaHKZ5fLnKCUDx9gUlQyGaSZr8Lo4X2g97yfulQjhihTk+Rxd9ZKyM1yYVv8MEylNrYutBv97x9C8Oawg6D1PjavQYa124SXQLW7oUbGf6at5bMx1EPb0RK9SL+aDg/yg76oxHW6qdyOxTuTBosEY0FGSf51FCAt2MncKf2n67hw129fD0/zZ83d+VSWOB/NPs4m0Hc3SWecXSxweN1yqXmdGlhTVdSyxghdqqys=",
"private_key_pem": "hmac_enc:RztW8_ox3nOeFkYrLNkNEA:hF9e_JAEZodkbkaIFjeA9w:PfeyYzBhzViaC/jgh5Yr9oq8WxBw8UJfzzTpmWntT30mcgwxiWtI7Q857yMCnllqrzVxi+/Nt1tgsUeiRXG/5OrbaCJuyZLv/TgSulfoSchHhEv0t0mblsFRFCCcu+6XWPmcg3IOCpZ5VlafT6Z2FSpXXxi5DBCXPEKWN+2CyG0Tl2fDxQj5yI9MGQtmLFbLuGnAVAhrwph4gajWVp6q5zU4vxd4btZFCbfQpLJU9vIp/w1HJQOW6cuLxREsidXwMxmqekHCKxwti5yif97UyH+5AAfI5fWbpp9TazPhtbFIX75f+xAONCo+wJWzTBKtyugmkjQyYTwPZnid1JrUKv4=",
"public_key_base64": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEasRLmoKUG/TKTHb8qLR+uN3KRn3IPIzXGUcBVMArgjA6Bm3CdeRgslv3kzSv0TezwOA8Rmx3yyJWhjzFfTwzig==",
"public_key_jwk": "{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"asRLmoKUG_TKTHb8qLR-uN3KRn3IPIzXGUcBVMArgjA\",\"y\":\"OgZtwnXkYLJb95M0r9E3s8DgPEZsd8siVoY8xX08M4o\"}",
"public_key_pem": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEasRLmoKUG/TKTHb8qLR+uN3KRn3I\nPIzXGUcBVMArgjA6Bm3CdeRgslv3kzSv0TezwOA8Rmx3yyJWhjzFfTwzig==\n-----END PUBLIC KEY-----\n"
}
Then write file ~/.tinyencrypt/config-rs.json.
Last, config key id to profile.
Supported PKI encryption types:
| Type | Algorithm | Description |
|---|---|---|
| pgp-rsa | PKCS1-v1.5 | OpenPGP Encryption Key (Previous pgp) |
| pgp-x25519 | ECDH(X25519) | OpenPGP Encryption Key |
| gpg | OpenPGP | GnuPG Command |
| static-x25519 | ECDH(X25519) | Key Stored in macOS Keychain Access |
| static-kyber1024 | Kyber1024 | Key Stored in macOS Keychain Access |
| piv-rsa | PKCS1-v1.5 | PIV Slot |
| piv-p256 | ECDH(secp256r1) | PIV Slot (Previous ecdh) |
| piv-p384 | ECDH(secp384r1) | PIV Slot (Previous ecdh-p384) |
| key-p256 | ECDH(secp256r1) | Key Stored in macOS Secure Enclave (using P256) |
| key-mlkem768 | ML-KEM(ML-KEM-768) | Key Stored in macOS Secure Enclave (using ML-KEM-768) |
| key-mlkem1024 | ML-KEM(ML-KEM-1024) | Key Stored in macOS Secure Enclave (using ML-KEM-1024) |
| ext-p256 | ECDH(secp256r1) | Key Protected by External Command |
| ext-p384 | ECDH(secp384r1) | Key Protected by External Command |
| ext-mlkem768 | ML-KEM(ML-KEM-768) | Key Protected by External Command |
| ext-mlkem1024 | ML-KEM(ML-KEM-1024) | Key Protected by External Command |
| ext-x25519 | ECDH(X25519) | Key Protected by External Command |
Smart Card(Yubikey) protected ECDH Encryption description as below:
┌───────────────────┐ ┌───────────────────────────┐
│Tiny Encrypt │ │Smart Card (e.g. Yubikey) │
│ │ Get Public Key(P) │ │
│ │ ◄───────────────────┤ Private Key(d) │
│ │ │ P = dG │
│ │ Temp Private Key(k) │ │
└───────────────────┘ Q = kG └───────────────────────────┘
Shared Secret = kP = kdG
Store Q, Encrypt using derived key from Shared Secret
Send Q to Smart Card
───────────────────►
Shared Secret = dQ = kdG
Decrypt using derived key from restored Shared Secret
Environment
| KEY | Comment |
|---|---|
| TINY_ENCRYPT_CONFIG_FILE | Config file |
| TINY_ENCRYPT_DEFAULT_ALGORITHM | Encryption algorithm, aes or chacha20 |
| TINY_ENCRYPT_DEFAULT_COMPRESS | File compress, 1 or on, default false |
| TINY_ENCRYPT_NO_PROGRESS | Do not display progress bar |
| TINY_ENCRYPT_NO_DEFAULT_PIN_HINT | Do not display default PIN hint |
| TINY_ENCRYPT_USE_DIALOGUER | Use dialoguer |
| TINY_ENCRYPT_PIN | PIV Card PIN |
| TINY_ENCRYPT_KEY_ID | Default Key ID |
| TINY_ENCRYPT_AUTO_SELECT_KEY_IDS | Auto select Key IDs |
| TINY_ENCRYPT_AUTO_COMPRESS_EXTS | Auto compress file exts |
| TINY_ENCRYPT_PIN_ENTRY | PIN entry command cli |
| TINY_ENCRYPT_EXTERNAL_COMMAND | External command cli |
| SECURE_EDITOR | Secure Editor [OWS RFC6] |
| EDITOR | Editor (Plaintext) |
Alternative environment setup:
~/.config/envs/ENV_VARIABLE_NAME <--> File Content
