@zanii/kms
v0.1.0
Published
Stop storing agent private keys in plaintext. Seal a key or identity under a passphrase with scrypt + AES-256-GCM, unseal only to sign. Zero dependencies.
Downloads
120
Readme
@zanii/kms
Stop storing agent private keys in plaintext identity.json files. Seal a key —
or a whole identity — under a passphrase with scrypt + AES-256-GCM, and
unseal it only when you need to sign. Zero dependencies (node:crypto).
npm install @zanii/kmsUsage
import { sealIdentity, openIdentity } from '@zanii/kms';
import { ZaniiAgent } from '@zanii/sdk';
// once, at provisioning:
const sealed = sealIdentity({ did, privateKey }, process.env.KEY_PASSPHRASE!);
fs.writeFileSync('identity.sealed.json', JSON.stringify(sealed)); // safe at rest
// at runtime:
const { did: agentDid, privateKey } = openIdentity(sealed, process.env.KEY_PASSPHRASE!);
const agent = new ZaniiAgent({ agentDid, agentPrivateKey: privateKey, /* … */ });open() throws if the passphrase is wrong or the blob was tampered with —
GCM authenticates the ciphertext, so a modified sealed key never silently
decrypts to garbage.
Also exported: raw seal(bytes, passphrase) / open(sealed, passphrase).
Remote signing (AWS KMS / HSM / Vault) is out of scope — Ed25519 signing needs the key in memory, so at-rest sealing is where the protection lives.
Changelog
- 0.1.0 — initial release:
seal,open,sealIdentity,openIdentity.
License
Apache-2.0.
