gilles/system_update
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: chiffrement AES-256-GCM des secrets + lecture env

Browse Source 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
gilles soulier
2026-06-04 20:58:04 +02:00
parent a3f728b5ba
commit feb136ffc1
3 changed files with 64 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/crypto/secrets.ts
+23
View File
@@ -0,0 +1,23 @@
// server/crypto/secrets.ts
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
const ALGO = "aes-256-gcm";
/** Chiffre une chaîne. Format de sortie: base64(iv).base64(tag).base64(ciphertext). */
export function encryptSecret(plaintext: string, keyHex: string): string {
const key = Buffer.from(keyHex, "hex");
const iv = randomBytes(12);
const cipher = createCipheriv(ALGO, key, iv);
const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
const tag = cipher.getAuthTag();
return [iv.toString("base64"), tag.toString("base64"), ct.toString("base64")].join(".");
}
export function decryptSecret(blob: string, keyHex: string): string {
const key = Buffer.from(keyHex, "hex");
const [ivB64, tagB64, ctB64] = blob.split(".");
if (!ivB64 || !tagB64 || !ctB64) throw new Error("Blob chiffré invalide");
const decipher = createDecipheriv(ALGO, key, Buffer.from(ivB64, "base64"));
decipher.setAuthTag(Buffer.from(tagB64, "base64"));
return Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")), decipher.final()]).toString("utf8");
}