#encryption #security #utility #cli

bin+lib cryptr

simple encrypted (streaming) values

9 releases (4 breaking)

0.5.1 Jul 20, 2024
0.5.0 Jul 20, 2024
0.4.0 Apr 25, 2024
0.3.0 Apr 10, 2024
0.1.1 Dec 18, 2023

#329 in Cryptography

Download history 133/week @ 2024-07-25 85/week @ 2024-08-01 83/week @ 2024-08-08 84/week @ 2024-08-15 85/week @ 2024-08-22 169/week @ 2024-08-29 77/week @ 2024-09-05 89/week @ 2024-09-12 95/week @ 2024-09-19 98/week @ 2024-09-26 88/week @ 2024-10-03 92/week @ 2024-10-10 81/week @ 2024-10-17 69/week @ 2024-10-24 86/week @ 2024-10-31 70/week @ 2024-11-07

323 downloads per month
Used in hiqlite

Apache-2.0

155KB
3.5K SLoC

cryptr - simple encrypted (streaming) values

The idea of cryptr is to provide a simple and robust way of encryption all different kinds of values.

Early Version

cryptr is in a very early phase. I did have the base layer set up properly before releasing the first open source version, but it may be possible, that things change with the first early versions, even though I don't expect any big changes.
I do have a quite a few ideas for future features like being able to spawn a server from the CLI, which then would mean you could host your own small storage anywhere, without the fear of exposing values, because everything would be encrypted locally beforehand.

I do have quite a few test cases set up and everything looks very good and stable so far.
Pre-packaged versions will come in the future.

Why

There are a lot of encryption tools out there already and cryptr's main purpose is not file encryption, even though it handles this perfectly fine and really fast.
The main idea why cryptr was born is that I needed to encrypt small values in different projects, because I just did not want to save them in clear text inside the database or somewhere else. With passwords, you have hashing, but that is not an option when you need to be able to read that value inside the application at some point, like for instance Webauthn user data.

I had two very simple, small functions for exactly that use case which I copy & pasted all over the place. This became really tedious at some point and even more, when I did an improvement on them.
Another problem was, that these did not care about future-proof ways of doing it at all. When I did a change on the functions, I needed to handle the migration of all encrypted values manually each time, which was really annoying.

What it can do

Direct encryption of small values

I created cryptr to handle all of that stuff in a really fast, efficient and robust way. It can handle small values that you want to encrypt for a special database column for instance without much overhead or setup needed. You don't need to track the encryption key that was used with the value, because you should always be able to do key rotations and stuff.
A tiny header with usually below 40 bytes (depending on if you choose a custom, long key id) will be added to the value, which then contains all the necessary information. In all my projects, I had this information in different columns and needed to handle all of this manually each time. This is not the case no more.

Streaming

What cryptr can do as well is streaming encryption on-the-fly with very minimal memory usage. I use it for instance to do a streaming replication of database backups to an external storage. It can basically handle files of any size, read them piece by piece, do an on-the-fly streaming encryption using ChaCha20Poly1305 and then stream the chunks to the external S3 object storage directly.
Performance does not suffer from this at all. The load and tasks are spread over multiple cores internally and 4 small buffers are used in between the tasks. In my first tests, the memory overhead was very minimal, and I was able to stream files of any size with just a few MB of memory during the whole operation.

Since the encryption happens locally, you can use it easily in environments, where you may not trust the storage admin or whoever has access to it.

Tamper Resistant

cryptr uses AEAD streaming encryption algorithms (only ChaCha20Poly1305 at the moment). This means, that the whole encrypted payload and each streamed chunk have appended MACs. This means, that even if someone would tamper with your data, the worst thing that can happen, is that the encryption does not work or actually complain, that the payload is corrupted. The data is not only encrypted, but validated at the same time, that it is still the original value.

CLI and library

cryptr comes as a CLI tool, or it can be used in any project as a normal crate.
The CLI can handle most cases already and even provides a nice UX with importing and setting values via CLI instead of manually updating the config file. You can do in-memory as well as streaming operations via CLI, even to S3 storage already.

Install CLI

You can install the CLI via cargo for now:

cargo install cryptr --features cli

Examples

You can find usage examples for both the library and the CLI in the examples folder.

Dependencies

~12–29MB
~391K SLoC