tessl/npm-tweetnacl
Port of TweetNaCl cryptographic library to JavaScript providing comprehensive cryptographic primitives
—
Pending
secretbox.mddocs/
Secret-Key Authenticated Encryption
Secret-key authenticated encryption using xsalsa20-poly1305. This system provides confidentiality and authenticity using a shared secret key, ideal for scenarios where both parties already share a secret.
Capabilities
Encryption and Decryption
Encrypt and decrypt messages using a shared secret key.
/**
* Encrypts and authenticates a message using a secret key
* @param {Uint8Array} message - The plaintext message to encrypt
* @param {Uint8Array} nonce - Unique nonce for this encryption (24 bytes)
* @param {Uint8Array} key - Secret key shared between parties (32 bytes)
* @returns {Uint8Array} Encrypted and authenticated message (16 bytes longer than original)
*/
nacl.secretbox(message, nonce, key): Uint8Array
/**
* Authenticates and decrypts a secret box using the secret key
* @param {Uint8Array} box - The encrypted message to decrypt
* @param {Uint8Array} nonce - The nonce used for encryption (24 bytes)
* @param {Uint8Array} key - Secret key shared between parties (32 bytes)
* @returns {Uint8Array | null} Decrypted message or null if authentication fails
*/
nacl.secretbox.open(box, nonce, key): Uint8Array | nullUsage Example:
const nacl = require('tweetnacl');
// Generate a random secret key (in practice, derive from password or exchange securely)
const key = nacl.randomBytes(nacl.secretbox.keyLength);
// Encrypt a message
const message = new TextEncoder().encode("Secret message");
const nonce = nacl.randomBytes(nacl.secretbox.nonceLength);
const encrypted = nacl.secretbox(message, nonce, key);
// Decrypt the message
const decrypted = nacl.secretbox.open(encrypted, nonce, key);
if (decrypted) {
console.log(new TextDecoder().decode(decrypted)); // "Secret message"
} else {
console.log("Decryption failed - message was tampered with");
}Multiple Messages Example:
const nacl = require('tweetnacl');
const key = nacl.randomBytes(nacl.secretbox.keyLength);
// Encrypt multiple messages with the same key (but different nonces)
const messages = ["Message 1", "Message 2", "Message 3"];
const encrypted = messages.map(msg => {
const messageBytes = new TextEncoder().encode(msg);
const nonce = nacl.randomBytes(nacl.secretbox.nonceLength);
const box = nacl.secretbox(messageBytes, nonce, key);
return { box, nonce };
});
// Decrypt all messages
const decrypted = encrypted.map(({ box, nonce }) => {
const plaintext = nacl.secretbox.open(box, nonce, key);
return plaintext ? new TextDecoder().decode(plaintext) : null;
});
console.log(decrypted); // ["Message 1", "Message 2", "Message 3"]Constants
nacl.secretbox.keyLength: number // 32 - Length of secret key in bytes
nacl.secretbox.nonceLength: number // 24 - Length of nonce in bytes
nacl.secretbox.overheadLength: number // 16 - Length of overhead added to encrypted messagesSecurity Considerations
- Key Management: The secret key must be shared securely between parties and kept confidential.
- Nonce Uniqueness: Each message encrypted with the same key must use a unique nonce. Reusing nonces with the same key breaks security.
- Nonce Generation: Use
nacl.randomBytes(nacl.secretbox.nonceLength)to generate cryptographically secure random nonces. - Message Integrity: If
nacl.secretbox.openreturnsnull, the message was tampered with or the wrong key/nonce was used. - Overhead: Encrypted messages are 16 bytes longer than the original due to authentication data.
Comparison with Public-Key Encryption
Use secretbox when:
- Both parties already share a secret key
- Performance is critical (secretbox is faster than box operations)
- Communicating with yourself (e.g., encrypting local data)
Use box when:
- Parties don't share a pre-established secret
- You need key exchange capabilities
- You want to avoid the key distribution problem
Install with Tessl CLI
npx tessl i tessl/npm-tweetnacl