Releases: robinmoisson/staticrypt

3.5.0

17 Apr 16:21
843f79b
  • closes #190 by adding a hide/show password button

Treated as "minor" version bump. If there is a need to be able to change the color to not clash with custom design colors, let me know and I'll add a way to do so through the command line.

3.4.0

13 Feb 22:00
17397de
  • closes #183: add --share-remember flag to allow for auto-decrypt links that activate the remember-me feature. That way you can share a single auto-decrypt link and decrypt multiple pages on that domain

3.3.0

23 Apr 09:13
8cf1ab5
  • added the --decrypt flag: it's now possible to decrypt files encrypted with StatiCrypt straight from the CLI, meaning you can, if you want, not keep your unencrypted files anywhere
  • fixed path bugs: staticrypt test/test.html should output the file in encrypted/test.html, not encrypted/test/test.html

3.2.0

19 Apr 08:52
dfeffc8

Added support for encrypting multiple files at once 🥳

This allows us to remove the awkward find ... -exec staticrypt ... - we can now just do staticrypt foo.html bar.html directory/* to encrypt multiple files or a whole folder. This allows things to be neatly organized: you can now have a decrypted/ folder and an encrypted/ folder, and upload your encrypted/ folder wherever.

By default directories aren't opened recursively, you need to add the -r flag for that.

1.4.3

19 Apr 13:30
54cd15a

This new v1 patch:

  • displays a warning telling people v1 has reached its end of life
  • uses 15k pbkdf2 iterations with SHA-256, making it more secure (unless an old password_template is used, then we keep using 1k to stay backward compatible)

I was going to just mark v1 as deprecated but npm statistics show some users are still on it, that way they can benefit from added security as well.

With this v1 reaches its end of life.

3.1.0

03 Apr 11:50
bcc919c
  • add --template-color-primary/secondary options to customize the template in #172
  • passing the --salt flag without any option now generates a salt and a .staticrypt.json config file. That way people can easily create this config file to commit and run the encryption in a CI step

3.0.1

30 Mar 17:04
7385886

StatiCrypt 3.x is here!

Some of the changes:

  • a lot of cleanup to the code
  • the WebCrypto engine, which is more secure than CryptoJS, is now the default and the only one available
  • the CLI interface is more consistent (options names, passing arguments)
  • the files are now put into an encrypted/ folder that's easy to upload, instead of having file_encrypted.html
  • the password_template.html file is much simpler to customize, and will allow easier changes to StatiCrypt logic in a non-breaking way

Some of these are breaking changes that should hopefully be fairly quick to fix. They are detailed in the MIGRATING.md guide.

2.6.0

29 Mar 15:29
228af74

Closes #156 - we now use URL fragments #staticrypt_pwd= and #staticrypt_logout to auto-decrypt or logout, that way nothing gets sent to the server.
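
To illustrate why the fragment form keeps the secret off the server, here is an added example (not StatiCrypt's own code) that splits a share link into the request target a browser would send and the part that stays client-side, then audits links for a secret placed in the query string. The host, paths, the value after staticrypt_pwd= and all function names are constructed for illustration, and the query-string link is a constructed contrast case.

```javascript
// Constructed sample links (host and value are placeholders, not real data).
const SAMPLES = [
  "https://example.test/encrypted/test.html#staticrypt_pwd=0123abcd",
  "https://example.test/encrypted/test.html?staticrypt_pwd=0123abcd",
  "https://example.test/encrypted/test.html#staticrypt_logout",
];

// The request target a browser sends is path + query; the fragment is
// never part of the HTTP request, so it cannot land in server access logs.
function requestTarget(link) {
  const url = new URL(link);
  return url.pathname + url.search;
}

// Read "#staticrypt_pwd=<value>" or "#staticrypt_logout" from the fragment
// only, as client-side script on the page could.
function parseFragment(link) {
  const fragment = new URL(link).hash.replace(/^#/, "");
  const params = new URLSearchParams(fragment);
  return {
    secret: params.get("staticrypt_pwd"), // null when absent
    logout: params.has("staticrypt_logout"),
  };
}

// Audit a share link before publishing it: a secret in the query string
// would be transmitted to (and typically logged by) the server.
function auditShareLink(link) {
  const inQuery = new URL(link).searchParams.has("staticrypt_pwd");
  const inFragment = parseFragment(link).secret !== null;
  let verdict = "no secret in link";
  if (inQuery) verdict = "leaks: secret is in the query string";
  else if (inFragment) verdict = "ok: secret stays in the fragment";
  return { sentToServer: requestTarget(link), leaksSecret: inQuery, verdict };
}

for (const link of SAMPLES) {
  console.log(link, "=>", auditShareLink(link));
}
```
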

2.5.0

29 Mar 15:26
2697766

Merges #164 and adds the --engine webcrypto option to use the WebCrypto implementation. Adding this doesn't break existing remember-me/auto-decrypt share links and using the flag raises the count of PBKDF2 iterations to 600k, as was the target in #159.

To use it the password_template needs to be updated, so we nudge users towards that engine only if we detect the template supports it.

Supporting backward compatibility and various types of nudges adds significant complexity to the code and number of cases to have in mind when testing, so this is one of the last features on StatiCrypt 2.x and I'll mostly work on the v3 from now on.

2.4.0

01 Mar 17:56
57ea090

This merges #160 and addresses the topics raised in #159 related to PBKDF2 iterations.

Here's the content of the release:

  • raise the PBKDF2 iteration count from 1k to 15k in a backward compatible way (600k will come with WebCrypto). This doesn't break remember-me or auto-decrypt links
  • for custom password templates made before 2.2.0 we can't raise the iterations count without breaking, so display a warning pointing to instructions to update (linking to #161)
  • warn the user when they use a short password and suggest a better one (warning can be hidden with --short)
  • better wording nudging towards a strong password in the docs

Here's what the warning looks like:

WARNING: Your password is less than 16 characters (length: 4). Brute-force attacks are easy to try on public files, and you are most safe when using a long password.

👉️ Here's a strong generated password you could use: fuQKJtRUTm6LBtTPguYHI

The file was encrypted with your password. You can hide this warning by increasing your password length or adding the '--short' flag.

Non-breaking change (?)

I'm hoping it's not really a breaking change, but the output of the CLI changed if you're using a short password to display the warning. This might break functionality if people are parsing the result of --share and expecting they just get the URL. If that's a reported issue, we can hide the warning when this flag is passed.