pocketenv/crypto

Client-side encryption helpers.

Sensitive values (secrets, SSH private keys, Tailscale auth keys) are sealed with the server’s X25519 public key using NaCl crypto_box_seal before transmission. The server holds the corresponding private key and is the only party that can decrypt the values.

Values

pub fn redact(value: String) -> String

Returns a redacted representation of value suitable for display. Preserves the first 11 and last 3 characters; replaces the middle with *.

pub fn seal(message: String) -> String

Encrypts message using NaCl sealed-box with the hardcoded server public key. Returns a URL-safe base64 string with no padding.
