encryption.js

Go to the documentation of this file.

/**
 * Encryption utility for sensitive data
 * Uses AES-256-GCM for encryption
 */
 
const crypto = require('crypto');
 
const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY || process.env.JWT_SECRET;
const ALGORITHM = 'aes-256-gcm';
 
if (!ENCRYPTION_KEY) {
  throw new Error('ENCRYPTION_KEY or JWT_SECRET environment variable is required');
}
 
// Derive a 32-byte key from the encryption key using scrypt
// This works with keys of any length
const KEY = crypto.scryptSync(ENCRYPTION_KEY, 'salt', 32);
 
/**
 * Encrypt a string value
 * @param {string} text - Plain text to encrypt
 * @returns {string} - Base64-encoded encrypted data with IV and auth tag
 */
function encrypt(text) {
  if (!text) return null;
  
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
  
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  
  const authTag = cipher.getAuthTag();
  
  // Format: iv:authTag:encryptedData
  return Buffer.from(
    JSON.stringify({
      iv: iv.toString('hex'),
      authTag: authTag.toString('hex'),
      data: encrypted
    })
  ).toString('base64');
}
 
/**
 * Decrypt an encrypted string
 * @param {string} encryptedData - Base64-encoded encrypted data
 * @returns {string} - Decrypted plain text
 */
function decrypt(encryptedData) {
  if (!encryptedData) return null;
  
  try {
    const parsed = JSON.parse(
      Buffer.from(encryptedData, 'base64').toString('utf8')
    );
    
    const iv = Buffer.from(parsed.iv, 'hex');
    const authTag = Buffer.from(parsed.authTag, 'hex');
    
    const decipher = crypto.createDecipheriv(ALGORITHM, KEY, iv);
    decipher.setAuthTag(authTag);
    
    let decrypted = decipher.update(parsed.data, 'hex', 'utf8');
    decrypted += decipher.final('utf8');
    
    return decrypted;
  } catch (error) {
    console.error('Decryption failed:', error.message);
    return null;
  }
}
 
module.exports = {
  encrypt,
  decrypt
};