This repo contains the library used for cryptography of products used by Devolutions.
It also includes wrappers for it in different languages.
Currently, the supported languages are: Rust, C# and Javascript/Typescript.
Python bindings are also available as a beta, but they are not production ready yet. You can install them with `pip3 install devolutions-crypto`, but this might not work depending on the platform. If it doesn't, you can try building them manually.
Note that the Javascript version of the library is compiled using WebAssembly, so it can run in a browser.
As of the current version:
- Symmetric cryptography uses XChaCha20-Poly1305.
- Asymmetric cryptography uses Curve25519.
- Asymmetric encryption uses ECIES.
- Key exchange uses x25519, or ECDH over Curve25519.
- Password hashing uses PBKDF2-HMAC-SHA2-256.
- Secret sharing uses Shamir Secret Sharing over GF256.
This project is licensed under either of
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in devolutions-crypto by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
Devolutions Crypto Header
Example Header
| Position | Byte value |
|---|---|
| 1 | 0xD |
| 2 | 0xC |
| 3 | 0x1 |
| 4 | 0x0 |
| 5 | 0x1 |
| 6 | 0x0 |
| 7 | 0x1 |
| 8 | 0x0 |

This header represents a Curve25519 private key from Devolutions Crypto:
- Signature Bytes
  - The first two bytes specify that the data is from Devolutions Crypto (DC).
- Data type
  - The second two bytes (pos: 3, 4) represent the data type.
- Data sub type
  - The third two bytes (pos: 5, 6) represent the data sub type.
- Version
  - The fourth two bytes (pos: 7, 8) represent the version.

| Data Types | Value | Description |
|---|---|---|
| None | 0x00 | No data type. Only used as a default value. |
| Key | 0x10 | A wrapped key. |
| Ciphertext | 0x20 | A wrapped ciphertext. Can be either symmetric or asymmetric. |
| PasswordHash | 0x30 | A wrapped password hash. Used to verify a password. |
| Share | 0x40 | A wrapped share. Used for secret sharing scheme. |
| SigningKey | 0x50 | A wrapped key used to sign data. |
| Signature | 0x60 | A wrapped signature. |

| Key Sub Types | Value |
|---|---|
| None | 0x00 |
| Private | 0x10 |
| Public | 0x20 |
| Pair | 0x30 |

| Ciphertext Sub Types | Value |
|---|---|
| None | 0x00 |
| Symmetric | 0x10 |
| Asymmetric | 0x20 |

| PasswordHash Sub Types | Value |
|---|---|
| None | 0x00 |

| Share Sub Types | Value |
|---|---|
| None | 0x00 |

| Signature Sub Types | Value |
|---|---|
| None | 0x00 |

| Key Version | Value | Description |
|---|---|---|
| Latest | 0x00 | Uses the latest version. |
| V1 | 0x10 | Uses version 1: Curve25519 keys and x25519 key exchange. |

| Ciphertext Version | Value | Description |
|---|---|---|
| Latest | 0x00 | Uses the latest version. |
| V1 | 0x10 | Uses version 1: AES256-CBC-HMAC-SHA2-256. |
| V2 | 0x20 | Uses version 2: XChaCha20-Poly1305. |

| PasswordHash Version | Value | Description |
|---|---|---|
| Latest | 0x00 | Uses the latest version. |
| V1 | 0x10 | Uses version 1: PBKDF2-HMAC-SHA2-256. |

| Secret Sharing Version | Value | Description |
|---|---|---|
| Latest | 0x00 | Uses the latest version. |
| V1 | 0x10 | Uses version 1: Shamir Secret Sharing over GF256. |

| Signing Key Version | Value | Description |
|---|---|---|
| Latest | 0x00 | Uses the latest version. |
| V1 | 0x10 | Uses version 1: Ed25519. |

| Signature Version | Value | Description |
|---|---|---|
| Latest | 0x00 | Uses the latest version. |
| V1 | 0x10 | Uses version 1: Ed25519. |
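
A small parser for the 8-byte header described above, written as an added example and not taken from the devolutions-crypto repository. It assumes each two-byte field is a little-endian integer, which is how the example header's `0x1, 0x0` pairs line up with the `0x10` values in the tables; `Header`, `parse_header` and the error strings are hypothetical names.

```rust
// Added example: type and function names are illustrative, not the devolutions-crypto API.
#[derive(Debug, PartialEq)]
pub struct Header {
    pub data_type: &'static str,
    pub sub_type: &'static str,
    pub algorithm: &'static str,
}

// Assumption: each two-byte field is a little-endian u16, so a table value
// written 0x10 is the byte pair 0x1, 0x0 of the example header (integer 1).
fn field(b: &[u8], pos: usize) -> u16 {
    u16::from_le_bytes([b[pos], b[pos + 1]])
}

pub fn parse_header(blob: &[u8]) -> Result<Header, &'static str> {
    // Check the length before indexing so a short blob cannot cause a panic.
    if blob.len() < 8 { return Err("truncated header"); }
    if !blob.starts_with(&[0x0D, 0x0C]) { return Err("bad signature"); }
    let (t, s, v) = (field(blob, 2), field(blob, 4), field(blob, 6));
    let data_type = match t {
        1 => "Key", 2 => "Ciphertext", 3 => "PasswordHash",
        4 => "Share", 5 => "SigningKey", 6 => "Signature",
        _ => return Err("unknown data type"), // None (0) is only a default value
    };
    let sub_type = match (t, s) {
        (_, 0) => "None",
        (1, 1) => "Private", (1, 2) => "Public", (1, 3) => "Pair",
        (2, 1) => "Symmetric", (2, 2) => "Asymmetric",
        (5, _) => "unlisted", // the page has no SigningKey sub type table
        _ => return Err("unknown sub type"),
    };
    let algorithm = match (t, v) {
        (_, 0) => "Latest",
        (1, 1) => "Curve25519 keys and x25519 key exchange",
        (2, 1) => "AES256-CBC-HMAC-SHA2-256",
        (2, 2) => "XChaCha20-Poly1305",
        (3, 1) => "PBKDF2-HMAC-SHA2-256",
        (4, 1) => "Shamir Secret Sharing over GF256",
        (5, 1) | (6, 1) => "Ed25519",
        _ => return Err("unknown version"),
    };
    Ok(Header { data_type, sub_type, algorithm })
}

fn main() {
    // Constructed sample: the example header from this page.
    println!("{:?}", parse_header(&[0x0D, 0x0C, 1, 0, 1, 0, 1, 0]));
}
```

Run over stored blobs, the `algorithm` field gives a quick inventory of which ciphertexts are still version 1 (AES256-CBC-HMAC-SHA2-256) rather than version 2.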