shield_lock
金大哥
联系我们
返回 Skill 列表
extension
分类: 安全与合规无需 API Key

Encryption

加密文件、保护密码、管理密钥,并审计代码以遵循加密最佳实践。

person作者: ivangdavilahubclawhub
open_in_new仓库download下载资源包

When to Use

  • Encrypting files, database fields, or app storage
  • Password hashing (bcrypt, argon2)
  • Key management, rotation, derivation
  • TLS/certificate configuration
  • Auditing code for crypto mistakes
  • Mobile secure storage (Keychain, Keystore)

Algorithm Selection

| Purpose | Use | Avoid | |---------|-----|-------| | Passwords | argon2id, bcrypt (cost≥12) | MD5, SHA1, plain SHA256 | | Symmetric | AES-256-GCM, ChaCha20-Poly1305 | AES-ECB, DES, RC4 | | Asymmetric | RSA-4096+OAEP, Ed25519, P-256 | RSA-1024, PKCS#1 v1.5 | | Key derivation | PBKDF2 (≥600k), scrypt, argon2 | Single-pass hash | | JWT signing | RS256, ES256 | HS256 with weak secret | | TLS | 1.2+ only | TLS 1.0/1.1, SSLv3 |

Critical Rules

  1. Never reuse IVs/nonces — AES-GCM + repeated nonce = catastrophic
  2. Use authenticated encryption (AEAD) — Plain CBC enables padding oracles
  3. Hash passwords, don't encrypt — Hashing is one-way
  4. No hardcoded keys — Use env vars, KMS, or Vault
  5. No Math.random() for crypto — Use CSPRNG only
  6. Constant-time comparisons — Prevent timing attacks on secrets
  7. Separate keys by purpose — Encryption ≠ signing ≠ backup

File Encryption (CLI)

# age (modern, simple)
age -p -o file.age file.txt
age -d -o file.txt file.age

# GPG
gpg -c --cipher-algo AES256 file.txt

Platform-Specific

See patterns.md for code snippets:

  • Password hashing (Node, Python, Go)
  • Envelope encryption with KMS
  • JWT with RS256 key rotation
  • Secure token generation

See mobile.md for:

  • iOS Keychain wrapper
  • Android EncryptedSharedPreferences
  • SQLCipher setup
  • Biometric auth integration
  • Certificate pinning

See infra.md for:

  • TLS certificate auto-renewal
  • HashiCorp Vault policies
  • mTLS between services
  • Backup encryption verification

Audit Checklist

  • [ ] No plaintext passwords in DB/logs/env
  • [ ] No secrets in git history
  • [ ] No hardcoded keys in source
  • [ ] No Math.random() for security
  • [ ] No deprecated algorithms (MD5, SHA1, DES)
  • [ ] No disabled cert validation
  • [ ] IVs/nonces never reused
  • [ ] PBKDF2 iterations ≥600k / bcrypt cost ≥12
  • [ ] TLS 1.2+ enforced, old protocols disabled
  • [ ] Key rotation procedure documented