A memory-hardened key container built with Rust & WASM for tamper-resistant crypto in Node.js.
Military-Grade Protection
XOR masking, memory segmentation and automatic zeroization
Developer Friendly
WebAssembly speed, TypeScript API and seamless Crypto module integration
Cryptographic Integrity
HMAC tamper detection, runtime verification, timing attack resistance
npm i @enteocode/secure-keyimport { SecureKey } from '@enteocode/secure-key';
import { readFileSync } from 'node:fs';
import { createCipheriv } from 'node:crypto';
// Securely store API keys, tokens, or certificates
const secret = SecureKey.from(Buffer.from('sk_live_...'));
// Directly use with Node.js Crypto
// Unwrap gives direct memory reference.
//
// Never clone it!
const cipher = createCipheriv('aes-256-gcm', secret.unwrap(), iv);
// Time Safe Comparison
if (secret.equals(readFileSync('backup.key'))) {
console.log('MATCH');
}Note: All outputs will always return
Uint8Array, even if the input was aBuffer.
Use JSON.stringify to obtain a non-sensitive fingerprint:
{
"type": "SecureKey",
"hash": "532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25"
}- The
hashis a cryptographic SHA-256 digest - You can use it to compare keys without ever revealing the underlying secret
| Technique | Implementation Details | Protection Against |
|---|---|---|
| Random Splitting | Data divided at unpredictable offsets | Memory scanning |
| XOR Obfuscation | Masked with CSPRNG-generated vectors | Memory dump analysis |
| WASM Sandboxing | Isolated memory space | Process inspection |
- Rust 1.87 (
rustup install stable) - Node.js 20+
- wasm-pack (
cargo install wasm-pack)
Rust must be installed and run globally (once):
# Add WASM build target
rustup target add wasm32-unknown-unknown
# Install optimizer
cargo install wasm-packOnce this is done, run the following to generate WASM and its additional JS/TS wrappers:
npm run build:wasmThis will generate its output to wasm/, needed for further TypeScript development.
Tests must run against the distributed (tree-shaken) package. The raw WASM output includes broad compatibility code that breaks outside bundlers. Tree-shaking is essential to eliminate these conflicts before testing.
npm run build
npm test- Always combine with transport security (HTTPS/TLS)
- Never log unwrapped key material
- Environment variables should only contain fingerprints
Tested on AWS t4g.micro (Node.js 20)
| Operation | Time (ms) | Memory Overhead |
|---|---|---|
| Key Creation | 0.12 | 2.1x original |
| HMAC Verification | 0.08 | <1% |
| Unwrapping | 0.05 | 0% |
MIT © 2025, Ádám Székely