@zod-vault/crypto
Low-level crypto functions. Most users won’t need these directly.
generateRecoveryKey
Generate a cryptographically secure recovery key.
import { generateRecoveryKey } from "@zod-vault/crypto";
const key = generateRecoveryKey();
// => "ABCD-EFGH-IJKL-MNOP-QRST-UVWX-YZ23-4567-ABCD-EFGH-IJKL-MNOP-Q"
Returns a 256-bit key encoded as a human-readable string.
validateRecoveryKey
Check if a recovery key is valid.
import { validateRecoveryKey } from "@zod-vault/crypto";
validateRecoveryKey("ABCD-EFGH-..."); // true
validateRecoveryKey("invalid"); // false
encrypt
Encrypt data with a recovery key.
import { encrypt } from "@zod-vault/crypto";
const { ciphertext, salt } = await encrypt(
  "secret data",
  recoveryKey
);
Parameters:
data: string — Plaintext to encrypt
recoveryKey: string — Recovery key
Returns:
ciphertext: string — Encrypted data (base64)
salt: string — Random salt (base64)
decrypt
Decrypt data with a recovery key.
import { decrypt } from "@zod-vault/crypto";
const plaintext = await decrypt(
  ciphertext,
  salt,
  recoveryKey
);
Parameters:
ciphertext: string — Encrypted data
salt: string — Salt from encryption
recoveryKey: string — Recovery key
Returns: string — Decrypted plaintext
Throws: Error if decryption fails (wrong key or corrupted data)
deriveKey
Derive an AES key from a recovery key (internal use).
import { deriveKey } from "@zod-vault/crypto";
const aesKey = await deriveKey(recoveryKey, salt);
// => CryptoKey (AES-256-GCM)
Uses Argon2id with OWASP-recommended parameters.
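The derive-then-AES-256-GCM flow from the encrypt, decrypt and deriveKey sections, and the decrypt failure on a wrong key or corrupted data, as an added example that is not the library's own code. Assumptions: PBKDF2-SHA-256 is swapped in for Argon2id because WebCrypto does not provide Argon2id, and the `*Sketch` function names, the 600000 iteration count, the IV-prefixed ciphertext layout and the sample key are all hypothetical.

```javascript
// Added sketch, not @zod-vault/crypto source. PBKDF2-SHA-256 stands in for
// Argon2id (WebCrypto has none); iteration count and IV layout are assumptions.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // old-Node fallback
const enc = new TextEncoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

async function deriveKeySketch(recoveryKey, salt) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(recoveryKey), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 600000 },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function encryptSketch(data, recoveryKey) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh salt per message
  const iv = wc.getRandomValues(new Uint8Array(12));   // fresh GCM nonce per message
  const key = await deriveKeySketch(recoveryKey, salt);
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(data));
  const out = new Uint8Array(iv.length + ct.byteLength); // assumed layout: IV || ct+tag
  out.set(iv); out.set(new Uint8Array(ct), iv.length);
  return { ciphertext: b64(out), salt: b64(salt) };
}

async function decryptSketch(ciphertext, salt, recoveryKey) {
  const raw = unb64(ciphertext);
  const key = await deriveKeySketch(recoveryKey, unb64(salt));
  try {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: raw.slice(0, 12) }, key, raw.slice(12));
    return new TextDecoder().decode(pt);
  } catch {
    // The GCM tag check fails the same way for a wrong key and for modified bytes.
    throw new Error("decryption failed (wrong key or corrupted data)");
  }
}

async function demo() {
  const key = "ABCD-EFGH-CONSTRUCTED-SAMPLE-KEY"; // constructed, not a real key
  const { ciphertext, salt } = await encryptSketch("secret data", key);
  const fails = (p) => p.then(() => false, () => true);
  const plaintext = await decryptSketch(ciphertext, salt, key);
  const wrongKey = await fails(decryptSketch(ciphertext, salt, key + "X"));
  const bytes = unb64(ciphertext);
  bytes[bytes.length - 1] ^= 1; // flip one bit of the auth tag
  const corrupted = await fails(decryptSketch(b64(bytes), salt, key));
  return { plaintext, wrongKey, corrupted };
}
```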