io.randomseed.utils.crypto

added in 1.0.0

Random Utilities, crypto support functions.

ask-key

(ask-key & opts)

Wrapper around utils/ask which reads a private key (as a string) and returns it. Options may be passed as a single map or as keyword arguments:

  prompt            message displayed when asking for the key the first time
  confirm-prompt    message displayed when asking for the same key again
  not-match-msg     message displayed when the keys do not match
  empty-msg         message displayed when the entered key is empty
  retries           number of retries before quitting the loop; when nil or not given, it continues indefinitely
  confirmation?     requires the key to be re-entered for confirmation; defaults to true
  allow-empty?      allows the entered key to be an empty string; defaults to false
  empty-nil?        returns nil instead of an empty string when the entered key is empty; defaults to false
  empty-quits?      short-circuits on any empty key and returns nil; defaults to false
  empty-quits-nil?  returns nil when quitting on an empty key; defaults to true

Returns the entered key or nil.

ask-pass

(ask-pass & opts)

Wrapper around utils/ask which reads a password and returns it. Options may be passed as a single map or as keyword arguments:

  prompt            message displayed when asking for the password the first time
  confirm-prompt    message displayed when asking for the same password again
  not-match-msg     message displayed when the passwords do not match
  empty-msg         message displayed when the entered password is empty
  retries           number of retries before quitting the loop; when nil or not given, it continues indefinitely
  confirmation?     requires the password to be re-entered for confirmation; defaults to true
  allow-empty?      allows the entered password to be an empty string; defaults to false
  empty-nil?        returns nil instead of an empty string when the entered password is empty; defaults to false
  empty-quits?      short-circuits on any empty password and returns nil; defaults to false
  empty-quits-nil?  returns nil when quitting on an empty password; defaults to true

Returns the entered password or nil.

decrypt-key

(decrypt-key m password)
(decrypt-key encrypted salt password)

Takes a map m consisting of :key (the encrypted key as a Base64-encoded string) and :salt (also a Base64-encoded string), plus a password (a string), and decrypts the key. The encrypted key and the salt can also be given as two separate leading arguments (encrypted and salt) instead of a map. Returns the decrypted key as a string. Derived key material is zeroed after use.

decrypt-key-bin

(decrypt-key-bin [iv-bin encrypted-bin] pwd-bin)

Decrypts a key given in binary form. Takes a 2-element vector containing an IV and an encrypted key (both as bytes) as the first argument and a password pwd-bin as the second, and uses the password to decrypt the key. Calls decrypt-key-core internally. Returns a string.

decrypt-key-core

(decrypt-key-core encrypted k iv)
(decrypt-key-core encrypted k iv algo)

Decrypts a binary cryptogram encrypted using the key k and the random IV iv. Returns the decrypted message as a string. Assumes the cipher suite :aes128-cbc-hmac-sha256. The optional algo argument selects a custom suite (it is converted to a keyword if it is not one already). In the default suite the key must be 32 bytes long and the IV 16 bytes long.
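The default suite described above, worked through as an added example in Go (not the library's own code): stand-ins for encrypt-key and decrypt-key-core that assume a cryptogram layout of iv || AES-128-CBC ciphertext || HMAC-SHA256 tag, with the 32-byte k split into a 16-byte AES key and a 16-byte MAC key. The password-to-key derivation, the salt and the Base64 wrapping handled by encrypt-key/decrypt-key are left out; the names EncryptKeyCore and DecryptKeyCore are this example's, not the library's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Cryptogram layout assumed here (not taken from the library): iv || AES-128-CBC
// ciphertext || HMAC-SHA256 tag. The 32-byte k is split into the AES key (first 16
// bytes) and the MAC key (last 16). Encrypt-then-MAC: the tag is checked before decrypting.
// EncryptKeyCore seals plain under a 32-byte k with a fresh random 16-byte IV.
func EncryptKeyCore(plain, k []byte) ([]byte, error) {
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7: always 1..16 bytes
	pt := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(pt)) // iv || ciphertext; tag appended below
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil || len(k) != 32 {
		return nil, errors.New("need a 32-byte key and a working random source")
	}
	block, _ := aes.NewCipher(k[:16])
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], pt)
	mac := hmac.New(sha256.New, k[16:])
	mac.Write(out)
	return mac.Sum(out), nil
}

// DecryptKeyCore mirrors decrypt-key-core's default suite: reject bad lengths,
// check the tag in constant time, then decrypt and validate the padding.
func DecryptKeyCore(blob, k []byte) (string, error) {
	body := len(blob) - sha256.Size // iv || ciphertext without the trailing tag
	if len(k) != 32 || body < 2*aes.BlockSize || body%aes.BlockSize != 0 {
		return "", errors.New("malformed cryptogram or key")
	}
	mac := hmac.New(sha256.New, k[16:])
	mac.Write(blob[:body])
	if !hmac.Equal(mac.Sum(nil), blob[body:]) {
		return "", errors.New("authentication failed")
	}
	block, _ := aes.NewCipher(k[:16])
	pt := make([]byte, body-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:body])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-pad]), nil
}
```

Because the tag covers the IV and is verified first, a flipped ciphertext byte is reported as an authentication failure rather than reaching the padding check.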

encrypt-key

(encrypt-key k password)

Encrypts a private key k using a random IV and the given password. Returns a map of Base64-encoded, url-safe strings: {:salt …, :key …}. Derived key material is zeroed after use.

key-b64->bin

(key-b64->bin v)

Decodes Base64-encoded, url-safe key string to bytes. Returns nil on nil input.

key-bin->b64

(key-bin->b64 v)

Encodes binary key data to Base64-encoded, url-safe string.

key-text->bin

(key-text->bin v)

Decodes a text key to bytes.

pwd->bin

(pwd->bin pwd)

Hashes a password with SHA-256 and returns the digest as bytes. Returns nil on nil or empty input.

read-key

(read-key)
(read-key prompt)

Reads a key from the console with an optional prompt. Returns a string or nil. The default prompt is "Enter key: ".

read-pwd

(read-pwd)
(read-pwd prompt)

Reads a password from the console with an optional prompt. Returns a string or nil. The default prompt is "Enter password: ". The underlying char array is zeroed after conversion to a string.

salt-b64->bin

(salt-b64->bin v)

Decodes Base64-encoded, url-safe salt string to bytes. Returns nil on nil input.

salt-bin->b64

(salt-bin->b64 v)

Encodes binary salt data to a Base64-encoded, url-safe string.