update readme
robinmoisson committed Feb 9, 2022
1 parent 223c27c commit 9d16c18
Showing 3 changed files with 87 additions and 36 deletions.
55 changes: 39 additions & 16 deletions README.md
Expand Up @@ -8,46 +8,69 @@ You can encrypt a file online at https://robinmoisson.github.io/staticrypt.

## HOW IT WORKS

**Disclaimer** if you have extra sensitive banking data you should probably use something else!

StatiCrypt generates a static, password protected page that can be decrypted in-browser: just send or upload the generated page to a place serving static content (github pages, for example) and you're done: the javascript will prompt users for password, decrypt the page and load your HTML.

It basically encrypts your page and puts everything with a user-friendly way to use a password in the new file.

AES-256 is state of the art but brute-force/dictionary attacks would be trivial to do at a really fast pace: **use a long, unusual passphrase**.

The concept is simple but I am not a cryptographer, feel free to contribute or report any thought to the GitHub project! (Though be warned it might take me a long time to get to it - I apologize in advance)
**Disclaimer:** The concept is simple and should work ok but I am not a cryptographer, if you have sensitive banking or crypto data you might want to use something else. :)

Similar project: [MaxLaumeister/clientside-html-password](https://github.com/MaxLaumeister/clientside-html-password)
You can report thoughts and issues to the [GitHub project](https://robinmoisson.github.io/staticrypt) but be warned I might be extremely slow to respond (though the community might help). If a serious security issue is reported I'll try to fix it quickly.

## CLI

Staticrypt is available through npm as a CLI, install with `npm install -g staticrypt` and use as follow:
Staticrypt is available through npm as a CLI, install with `npm install -g staticrypt` (with or without the `-g` flag) and use as follow:

Usage: staticrypt <filename> <passphrase> [options]

Options:
--help Show help [boolean]
--version Show version number [boolean]
-e, --embed Whether or not to embed crypto-js in the page (or use an
external CDN) [boolean] [default: true]
-o, --output File name / path for generated encrypted file
--help Show help [boolean]
--version Show version number [boolean]
-e, --embed Whether or not to embed crypto-js in the page (or use
an external CDN)
[boolean] [default: true]
-o, --output File name / path for generated encrypted file
[string] [default: null]
-t, --title Title for output HTML page
-t, --title Title for output HTML page
[string] [default: "Protected Page"]
-i, --instructions Special instructions to display to the user.
-i, --instructions Special instructions to display to the user.
[string] [default: null]
-f, --file-template Path to custom HTML template with password prompt.
-f, --file-template Path to custom HTML template with password prompt.
[string] [default: "[...]/cli/password_template.html"]

-r, --remember Show a "Remember me" checkbox that will save the
password in clear text in localStorage when
entered by the user.
You can set the expiration in days as value (no
value means "0", no expiration). [number]
--remember-label Label to use for the "Remember me" checkbox.
Default: "Remember me".
[string] [default: "Remember me"]
--passphrase-placeholder Placeholder to use for the passphrase input.
Default: "Passphrase".
[string] [default: "Passphrase"]
--decrypt-button Label to use for the decrypt button. Default:
"DECRYPT". [string] [default: "DECRYPT"]

Example usages:

- `staticrypt test.html mysecretpassword` -> creates a `test_encrypted.html` file
- `staticrypt test.html mySecretPassphrase` -> creates a `test_encrypted.html` file
- `find . -type f -name "*.html" -exec staticrypt {} mypassword \;` -> create encrypted files for all HTML files in your directory

You can use a custom template for the password prompt - just copy `cli/password_template.html` and modify it to suit your presentation style and point to your template file with the `-f` flag. Be careful to not break the encrypting javascript part, the variables replaced by staticrypt are between curly brackets: `{instructions}`.

**ADBLOCKERS**: If you do not embed crypto-js and serve it from a CDN, some adblockers see the `crypto-js.min.js`, think that's a crypto miner and block it.

Thanks [Aaron Coplan](https://github.com/AaronCoplan) for bringing the CLI to life!
## Contribution

Thank you: [@AaronCoplan](https://github.com/AaronCoplan) for bringing the CLI to life, [@epicfaace](https://github.com/epicfaace) & [@thomasmarr](https://github.com/thomasmarr) for sparking the caching of the passphrase in localStorage (allowing the "Remember me" checkbox)

**Opening PRs:** You're free to open PRs if you're ok with having no response for a (very) long time and me ending up getting inspiration from your proposal but merging something different myself instead of your PR because of limited available time and lighter mental load (I'll try to credit you though). I still appreciate them but I'd rather be upfront about it, rather than waiting for a perfect occasion to manifest and never actually updating anything. Apologies in advance, and thank you!

If you find a serious security bug please open an issue, I'll try to fix it relatively quickly.

## Alternativs

https://github.com/MaxLaumeister/PageCrypt is a similar project (I think it predates staticrypt).

https://github.com/tarpdalton/staticrypt/tree/webcrypto is a fork that uses the WebCrypto browser api to encrypt and decrypt the page, which removes the need for `crypto-js`. There's a PR open which I haven't checked in detail yet. WebCrypto is only available in HTTPS context (which [is annoying people](https://github.com/w3c/webcrypto/issues/28)) so it won't work if you're on HTTP.
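
Review bot: The new `-r, --remember` help text says the passphrase is saved "in clear text in localStorage" and that no value means "0", no expiration, but neither HOW IT WORKS nor the disclaimer mentions this. The README suggests hosting on GitHub Pages, and localStorage is shared by every page served from the same origin, so I would add a sentence in the prose saying that a remembered passphrase can be read by anyone with access to the browser profile or by other scripts on that origin, and recommend passing an expiration value. Two smaller points: the "[GitHub project]" link in the new reporting paragraph goes to `https://robinmoisson.github.io/staticrypt` rather than to the repository where an issue can be opened, and the new heading `## Alternativs` is missing an "e".
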
66 changes: 47 additions & 19 deletions cli/README.md
@@ -1,48 +1,76 @@
# StatiCrypt

Based on the [crypto-js](https://github.com/brix/crypto-js) library, StatiCrypt uses AES-256 to encrypt your input with your passphrase and put it in a HTML file with a password prompt that can decrypted in-browser (client side).
Based on the [crypto-js](https://github.com/brix/crypto-js) library, StatiCrypt uses AES-256 to encrypt your string with your passphrase in your browser (client side).

You can then upload your static html file anywhere and it'll be password protected (see [how it looks](https://robinmoisson.github.io/staticrypt/example.html)).
Download your encrypted string in a HTML page with a password prompt you can upload anywhere (see [example](https://robinmoisson.github.io/staticrypt/example.html)).

Obviously, pick a lengthy passphrase !
You can encrypt a file online at https://robinmoisson.github.io/staticrypt.

## HOW IT WORKS

StatiCrypt generates a static, password protected page that can be decrypted in-browser: just send or upload the generated page to a place serving static content (github pages, for example) and you're done: the javascript will prompt users for password, decrypt the page and load your HTML.

It basically encrypts your page and puts everything with a user-friendly way to use a password in the new file.

AES-256 is state of the art but brute-force/dictionary attacks would be trivial to do at a really fast pace: **use a long, unusual passphrase!**
AES-256 is state of the art but brute-force/dictionary attacks would be trivial to do at a really fast pace: **use a long, unusual passphrase**.

The concept is simple and should work ok but I am not a cryptographer, if you have extra sensitive banking data you might want to use something else :)
**Disclaimer:** The concept is simple and should work ok but I am not a cryptographer, if you have sensitive banking or crypto data you might want to use something else. :)

Feel free to contribute or report any thought to the [GitHub project](https://robinmoisson.github.io/staticrypt) !
You can report thoughts and issues to the [GitHub project](https://robinmoisson.github.io/staticrypt) but be warned I might be extremely slow to respond (though the community might help). If a serious security issue is reported I'll try to fix it quickly.

## USAGE
## CLI

Staticrypt is available through npm as a CLI, install with `npm install -g staticrypt` and use as follow:
Staticrypt is available through npm as a CLI, install with `npm install -g staticrypt` (with or without the `-g` flag) and use as follow:

Usage: staticrypt <filename> <passphrase> [options]

Options:
--help Show help [boolean]
--version Show version number [boolean]
-e, --embed Whether or not to embed crypto-js in the page (or use an
external CDN) [boolean] [default: true]
-o, --output File name / path for generated encrypted file
--help Show help [boolean]
--version Show version number [boolean]
-e, --embed Whether or not to embed crypto-js in the page (or use
an external CDN)
[boolean] [default: true]
-o, --output File name / path for generated encrypted file
[string] [default: null]
-t, --title Title for output HTML page
-t, --title Title for output HTML page
[string] [default: "Protected Page"]
-i, --instructions Special instructions to display to the user.
-i, --instructions Special instructions to display to the user.
[string] [default: null]
-f, --file-template Path to custom HTML template with password prompt.
-f, --file-template Path to custom HTML template with password prompt.
[string] [default: "[...]/cli/password_template.html"]
-r, --remember Show a "Remember me" checkbox that will save the
password in clear text in localStorage when
entered by the user.
You can set the expiration in days as value (no
value means "0", no expiration). [number]
--remember-label Label to use for the "Remember me" checkbox.
Default: "Remember me".
[string] [default: "Remember me"]
--passphrase-placeholder Placeholder to use for the passphrase input.
Default: "Passphrase".
[string] [default: "Passphrase"]
--decrypt-button Label to use for the decrypt button. Default:
"DECRYPT". [string] [default: "DECRYPT"]

Example usages:

- `staticrypt test.html mypassword` -> creates a `test_encrypted.html` file
- `find . -type f -name "*.html" -exec staticrypt {} mypassword \;` -> create encrypted files for all HTML files in your directory (recursively)
- `staticrypt test.html mySecretPassphrase` -> creates a `test_encrypted.html` file
- `find . -type f -name "*.html" -exec staticrypt {} mypassword \;` -> create encrypted files for all HTML files in your directory

You can use a custom template for the password prompt - just copy `cli/password_template.html` and modify it to suit your presentation style and point to your template file with the `-f` flag. Be careful to not break the encrypting javascript part, the variables replaced by staticrypt are between curly brackets: `{instructions}`.

**ADBLOCKERS**: If you do not embed crypto-js and serve it from a CDN, some adblockers see the `crypto-js.min.js`, think that's a crypto miner and block it.
**ADBLOCKERS**: If you do not embed crypto-js and serve it from a CDN, some adblockers see the `crypto-js.min.js`, think that's a crypto miner and block it.

## Contribution

Thank you: [@AaronCoplan](https://github.com/AaronCoplan) for bringing the CLI to life, [@epicfaace](https://github.com/epicfaace) & [@thomasmarr](https://github.com/thomasmarr) for sparking the caching of the passphrase in localStorage (allowing the "Remember me" checkbox)

**Opening PRs:** You're free to open PRs if you're ok with having no response for a (very) long time and me ending up getting inspiration from your proposal but merging something different myself instead of your PR because of limited available time and lighter mental load (I'll try to credit you though). I still appreciate them but I'd rather be upfront about it, rather than waiting for a perfect occasion to manifest and never actually updating anything. Apologies in advance, and thank you!

If you find a serious security bug please open an issue, I'll try to fix it relatively quickly.

## Alternativs

https://github.com/MaxLaumeister/PageCrypt is a similar project (I think it predates staticrypt).

https://github.com/tarpdalton/staticrypt/tree/webcrypto is a fork that uses the WebCrypto browser api to encrypt and decrypt the page, which removes the need for `crypto-js`. There's a PR open which I haven't checked in detail yet. WebCrypto is only available in HTTPS context (which [is annoying people](https://github.com/w3c/webcrypto/issues/28)) so it won't work if you're on HTTP.
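
Review bot: Both examples pass the passphrase as a command-line argument (`staticrypt test.html mySecretPassphrase` and `-exec staticrypt {} mypassword \;`), which leaves it in shell history and visible in the process list while the command runs; a one-line caution next to the examples would fit here, and `mypassword` sits oddly beside the "use a long, unusual passphrase" advice a few lines up. The `find` example also loses "(recursively)" in this file, although `find .` with no depth limit still descends into subdirectories, so I would keep the word. As far as these hunks show, cli/README.md is now nearly identical to README.md; consider keeping one and linking to it so the two do not drift.
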
2 changes: 1 addition & 1 deletion cli/index.js
Expand Up @@ -130,7 +130,7 @@ if (namedArgs.embed) {
}

/**
* Check if a particular option has been set by the user. User case:
* Check if a particular option has been set by the user. Use case:
*
* // The "--remember" flag has a specific behavior: if the flag is included without value (like '-r'), the key is set with
* // the value 'undefined'. If it is included with a value, ('-r 100'), the key is set with that value. Both means
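
Review bot: The comment says `-r` without a value sets the key to 'undefined', while the README help text added in this same commit says no value means "0", no expiration; the comment should state where `undefined` is turned into 0 so the two descriptions agree. The "Use case" fix is fine, and "Both means" on the last visible line could become "Both mean" in the same pass.
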