@lazybird-inc/nest-crypto
v1.1.0
Published
Client-side zero-knowledge encryption engine for Nest by LazyBird. Publicly auditable.
Downloads
334
Maintainers
Readme
@lazybird-inc/nest-crypto
The client-side zero-knowledge encryption engine powering Nest by LazyBird.
This library is open-source and publicly auditable so that users and security researchers can independently verify that no backdoors exist in the encryption pipeline. The exact version of this package used in the production Nest application is verifiable directly in the browser via Subresource Integrity (SRI).
Cryptographic Design
| Operation | Algorithm |
|---|---|
| Key Derivation | Argon2id (primary) / PBKDF2 (fallback) |
| Key Wrapping | XChaCha20-Poly1305 (libsodium) |
| File Encryption | XChaCha20-Poly1305 secretstream (libsodium) |
| Auth Hash | BLAKE2b (libsodium) |
| Random Generation | libsodium randombytes_buf (CSPRNG) |
Zero-Knowledge Key Hierarchy
Password
│
▼ Argon2id(password, salt)
Root Key ──────────────────────────────────────────────────────────────
│ │
▼ BLAKE2b(RootKey, 'auth_') BLAKE2b(RootKey, 'wrap_')
Auth Hash ──→ sent to server for login Wrapping Key (stays on device)
│
▼ XChaCha20-Poly1305
Master Key ←─ stored encrypted on server
│
┌─────┴─────┐
▼ ▼
Folder Key Folder Key ← stored encrypted per-folder
│
▼ XChaCha20-Poly1305
File Key ← stored encrypted per-file
│
▼ XChaCha20-Poly1305 secretstream
Encrypted File ← stored on Obsideo networkThe password never leaves your device. The server only ever sees the AuthHash — a one-way BLAKE2b derivative that cannot be reversed to recover the Root Key or password.
Installation
npm install @lazybird-inc/nest-cryptoUsage
import {
init,
deriveRootKey,
deriveAuthHash,
generateSalt,
generateMasterKey,
encryptMasterKey,
decryptMasterKey,
generateFileKey,
encryptFile,
decryptFile,
} from '@lazybird-inc/nest-crypto';
// Must be called once before any other function
await init();
// Key derivation
const salt = generateSalt();
const rootKey = await deriveRootKey(password, salt, { algorithm: 'argon2id' });
const authHash = deriveAuthHash(rootKey); // send this to the server for loginSecurity Audits
We welcome independent security audits of this library. If you are a security researcher and would like access to audit the closed-source Nest frontend wrapper in addition to this public package, please apply at [email protected].
Published audit reports are available at nest.lazybird.io/security.
To report a vulnerability, please see SECURITY.md.
License
MIT © LazyBird Inc.
