1.1.1 • Published 5 months ago

@enteocode/secure-key v1.1.1


Secure In-Memory Key


A memory-hardened key container built with Rust & WASM for tamper-resistant crypto in Node.js.

Features

Military-Grade Protection
XOR masking, memory segmentation and automatic zeroization

Developer Friendly
WebAssembly speed, TypeScript API and seamless Crypto module integration

Cryptographic Integrity
HMAC tamper detection, runtime verification, timing attack resistance

Installation

npm i @enteocode/secure-key

Usage

import { SecureKey } from '@enteocode/secure-key';
import { readFileSync } from 'node:fs';
import { createCipheriv, randomBytes } from 'node:crypto';

// Securely store API keys, tokens, or certificates

const secret = SecureKey.from(Buffer.from('sk_live_...'));

// Directly use with Node.js Crypto
// Unwrap gives direct memory reference.
//
// Never clone it!
//
// aes-256-gcm needs a 32-byte key and a fresh IV for every encryption
// (12 random bytes is the standard GCM IV size).

const iv = randomBytes(12);
const cipher = createCipheriv('aes-256-gcm', secret.unwrap(), iv);

// Time Safe Comparison

if (secret.equals(readFileSync('backup.key'))) {
    console.log('MATCH');
}

Note: All outputs are returned as Uint8Array, even if the input was a Buffer.

Security

Safe JSON Representation

Use JSON.stringify to obtain a non-sensitive fingerprint:

{
    "type": "SecureKey",
    "hash": "532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25"
}
  • The hash is a cryptographic SHA-256 digest
  • You can use it to compare keys without ever revealing the underlying secret

Architecture

| Technique | Implementation Details | Protection Against |
|---|---|---|
| Random Splitting | Data divided at unpredictable offsets | Memory scanning |
| XOR Obfuscation | Masked with CSPRNG-generated vectors | Memory dump analysis |
| WASM Sandboxing | Isolated memory space | Process inspection |
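
The masking, splitting, HMAC check and zeroization named above, sketched in plain Node.js as an added example. This is not the package's Rust/WASM implementation; MaskedKey and its members are hypothetical names, and the sample key is constructed.

```javascript
// Added illustration: NOT the package's Rust/WASM source. MaskedKey is a hypothetical name.
const { randomBytes, randomInt, createHmac, timingSafeEqual } = require('node:crypto');

class MaskedKey {
  constructor(secret) {
    if (secret.length < 2) throw new RangeError('need at least 2 bytes to split');
    this.mask = randomBytes(secret.length);            // CSPRNG-generated XOR mask
    const masked = Buffer.alloc(secret.length);
    for (let i = 0; i < secret.length; i++) masked[i] = secret[i] ^ this.mask[i];
    const cut = randomInt(1, secret.length);           // unpredictable split offset
    // Keep the masked bytes as two separate copies split at that offset.
    this.parts = [Buffer.from(masked.subarray(0, cut)), Buffer.from(masked.subarray(cut))];
    masked.fill(0);                                    // wipe the temporary
    this.macKey = randomBytes(32);
    this.tag = this.#mac();                            // integrity tag over stored state
  }

  #mac() {
    const h = createHmac('sha256', this.macKey);
    for (const p of this.parts) h.update(p);
    return h.update(this.mask).digest();
  }

  // Verify the tag, then recombine and unmask. The caller must wipe the result.
  unwrap() {
    if (!timingSafeEqual(this.tag, this.#mac())) throw new Error('tamper detected');
    const out = Buffer.concat(this.parts);
    for (let i = 0; i < out.length; i++) out[i] ^= this.mask[i];
    return out;
  }

  // Zeroize every buffer this object owns.
  destroy() {
    for (const b of [...this.parts, this.mask, this.macKey, this.tag]) b.fill(0);
  }
}

// Constructed sample key (not a real secret).
const sample = Buffer.from('0123456789abcdef0123456789abcdef');
const held = new MaskedKey(sample);
const plain = held.unwrap();
console.log('round trip ok:', plain.equals(sample));
plain.fill(0);
held.destroy();
```

The plaintext exists only in the buffer returned by unwrap(), which is why the caller wipes it as soon as the cipher has been created.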

Development

Prerequisites

  • Rust 1.87 (rustup install stable)
  • Node.js 20+
  • wasm-pack (cargo install wasm-pack)

WASM

Rust must be installed globally. Then run the following once:

# Add WASM build target
rustup target add wasm32-unknown-unknown

# Install optimizer
cargo install wasm-pack

Once this is done, run the following to generate WASM and its additional JS/TS wrappers:

npm run build:wasm

This writes its output to wasm/, which is needed for further TypeScript development.

TypeScript Wrapper

Tests must run against the distributed (tree-shaken) package. The raw WASM output includes broad compatibility code that breaks outside bundlers. Tree-shaking is essential to eliminate these conflicts before testing.

npm run build
npm test

Considerations

  • Always combine with transport security (HTTPS/TLS)
  • Never log unwrapped key material
  • Environment variables should only contain fingerprints

Benchmarks

Tested on AWS t4g.micro (Node.js 20)

| Operation | Time (ms) | Memory Overhead |
|---|---|---|
| Key Creation | 0.12 | 2.1x original |
| HMAC Verification | 0.08 | <1% |
| Unwrapping | 0.05 | 0% |

Compliance

License

MIT © 2025, Ádám Székely