Optional worker

Readonly [init
Protected Optional _db
Protected Optional _key
Protected Optional _recovery
Readonly db
Protected fs
Readonly keys
Protected logger
Protected Optional password
Protected Optional password
Protected Optional password
Readonly private
Readonly public
Protected rotate
Readonly strict
Protected Optional worker

Encrypt to a public key. The authenticated option is used to determine whether to use the static root key pair. By default it generates an ephemeral key pair. Neither ensures forward secrecy; however, an ephemeral key pair provides one-way forward secrecy. If it is important that the receiver can authenticate the sender, consider doing sign-then-encrypt by adding a signature into the plain text being sent.
Protected exists
Protected exists
Protected exists
Protected exists
Protected generate
Protected generate
Generates the root key pair. If a recovery code is passed in, it is used as a deterministic seed.
  Optional recoveryCode: RecoveryCode
Protected read
Reads the DB key from the filesystem. The DB key is expected to be stored in flattened JWE format. The DB key is expected to be encrypted with our ECIES.
Protected read
Reads the key pair from the filesystem. This only needs to read the private key, as the public key is derived. The private key is expected to be stored in flattened JWE format.
Protected read
Reads the private key from the filesystem. The private key is expected to be stored in flattened JWE format.
Protected read
Protected recover
Rotates the key pair. This generates a new recovery code and a new key pair. The DB key is not rotated; it is just re-encrypted with the new key pair. The key pair is wrapped with the new password.
  Optional rotateHook: ((keyPairNew, keyPairOld, recoveryCodeNew, recoveryCodeOld?) => any)
  Optional recoveryCodeOld: RecoveryCode
Protected setup
Sets up the DB key. This is the data encryption key for the rest of PK. This is what makes PK a hybrid cryptosystem.
Protected setup
Sets up the root key pair. If the root key pair already exists:
Protected setup
This sets up a password hash in memory. This is used to check if the password is correct. The returned buffers are guaranteed to be unpooled and memory-locked. This means the underlying ArrayBuffer is safely transferable.
Protected write
Protected write
Writes the root key pair to the filesystem. The public key will be stored in JWK format. The private key will be stored in flattened JWE format. This first writes the public key and private key to .tmp files, then atomically renames the files together. The files should be updated together to ensure consistency.
Static create
  Optional fresh?: boolean
  Optional fs?: FileSystem
  Optional logger?: Logger
  Optional options?: Partial<KeyRingOptions>
  Optional worker

Changes the root key pair password. This will re-wrap the private key. The password is the new password. This does not require the old password because if the KeyRing is ready, that means the agent is unlocked, at least from the perspective of the KeyRing. If an external client intends to change the password, they must be authenticated first.

Generated using TypeDoc