DEV Community

Discussion on: Q Vault: An open source secret manager

Tari R. Alfaro

I'd avoid it. It seems really low level from reading some of your source code. Check out a Libsodium port for Node.js.

Using low-level cryptography libraries makes it easy to screw up.

Lane Wagner

Hmm? It's just hashing and ciphering. Adding an extra dependency in the middle for no reason is scarier to me.

Tari R. Alfaro

Libsodium is a cryptography library that's easy to use. You should be using that instead of what you're doing.

Lane Wagner

I disagree. I understand what I'm doing; I'm well enough versed in cryptography to prefer the actual crypto library over training wheels.

Tari R. Alfaro

Libsodium isn't "training wheels". It's a production ready solution that most people should be using.

Lane Wagner

I'm sure we COULD use it. But really it's a preference thing. I want to use the SCRYPT hashing algorithm. And I want AES-256 GCM. Why not just use them directly from a trusted source?

Tari R. Alfaro

Okay. It makes sense. Why do you want AES-256 in GCM mode? And why Scrypt?

Lane Wagner

From a high level GCM is considered more secure than CBC. Especially at lower resolutions. Good link: crypto.stackexchange.com/questions...

I like scrypt for our use case because we are simply trying to make it hard to brute force access. Scrypt requires high powered computation AND memory in order to continue guessing keys.