#encryption

bin+lib cargo-pwhide

pwhide encrypts passwords using the crate name as secret. This is marginal better then plain text. It is a tool for encryption and a lib to do runtime decryption-

1 unstable release

0.3.4 Aug 25, 2023
0.3.3 Aug 25, 2023

#1115 in Cryptography

MIT license

14KB
171 lines

cargo-pwhide

This tooling allows to hide/obfuscate password. It adds no security

Unfortunately not everywhere a secret managment is available. Especially in internal tools. This missing secret managment means that passwords must be handled it a non secure way.

The worst part is to commit passwords in config files in plain text to git. A little less worse is to have them in clear text on server config files.

This tooling tries to make it easy to hide the passwords from somebody, who is just looking at the git content, without spending time to try to decrypt the passwords.

The solution doesn't provide any real security.

The solution contains of two parts:

  • cargo subcommand
  • lib to decrypt

Install the cargo subcommand with

cargo install cargo-pwhide

This allow to encrypt/decrypt password with

cargo pwhide encryt [password] or cargo pwhide decryt [password}

This must be executed in a directory with a valid Cargo.toml file. The secret for encryption and decrpytion is the name of the crate.

Each encrytpion run provides a different output, because a random nounce is selected Encryption is done using Chacha20poly1305 and base62 encoding

The lib provides a function to decrypt

install it by adding to your Cargo.toml

cargo-pwhide = {version="*", feature=["lib"], default-features = false}

This includes only the minimum number of dependencies.

The easiet way to use it is by using the simple macro

use cargo_pwhide::pwdecrypt;
let clear_text=pwdecrypt!(encrypted_password);

The macro

pwdecrypt!(encrypted_password) -> String expands to
pwdecrypt(env!("CARGO_PKG_NAME"),encrypted_password) -> String

Instead of using the macro the decrypt function can be also called directly.

pwdecrypt (secret:Into,enrypted_data:Into) -> String

It should be called with pwdecrypt(env!("CARGO_PKG_NAME"),encrypted_password)

If anybody needs this the following enhancments would be done:

  • remove dependencies for clap etc if just doing decryption
  • allow to specify the secret for encryption
  • allow to use a static nounce for reproducible encryption

Dependencies

~1.5–2MB
~39K SLoC