Web Crypto API

Node.js provides an implementation of the Web Crypto API standard.

Use globalThis.crypto or require('node:crypto').webcrypto to access this module.

const { subtle } = globalThis.crypto;

(async function() {

  const key = await subtle.generateKey({
    name: 'HMAC',
    hash: 'SHA-256',
    length: 256,
  }, true, ['sign', 'verify']);

  const enc = new TextEncoder();
  const message = enc.encode('I love cupcakes');

  const digest = await subtle.sign({
    name: 'HMAC',
  }, key, message);

})();

Node.js provides an implementation of the following features from the Modern Algorithms in the Web Cryptography API WICG proposal:

Algorithms:

• 'AES-OCB'¹
• 'Argon2d'²
• 'Argon2i'²
• 'Argon2id'²
• 'ChaCha20-Poly1305'
• 'cSHAKE128'
• 'cSHAKE256'
• 'ML-DSA-44'³
• 'ML-DSA-65'³
• 'ML-DSA-87'³
• 'ML-KEM-512'³
• 'ML-KEM-768'³
• 'ML-KEM-1024'³
• 'SHA3-256'
• 'SHA3-384'
• 'SHA3-512'

Key Formats:

• 'raw-public'
• 'raw-secret'
• 'raw-seed'

Methods:

• subtle.decapsulateBits()
• subtle.decapsulateKey()
• subtle.encapsulateBits()
• subtle.encapsulateKey()
• subtle.getPublicKey()
• SubtleCrypto.supports()

Node.js provides an implementation of the following features from the Secure Curves in the Web Cryptography API WICG proposal:

Algorithms:

• 'Ed448'
• 'X448'

The <SubtleCrypto> class can be used to generate symmetric (secret) keys or asymmetric key pairs (public key and private key).

const { subtle } = globalThis.crypto;

async function generateAesKey(length = 256) {
  const key = await subtle.generateKey({
    name: 'AES-CBC',
    length,
  }, true, ['encrypt', 'decrypt']);

  return key;
}

const { subtle } = globalThis.crypto;

async function generateEcKey(namedCurve = 'P-521') {
  const {
    publicKey,
    privateKey,
  } = await subtle.generateKey({
    name: 'ECDSA',
    namedCurve,
  }, true, ['sign', 'verify']);

  return { publicKey, privateKey };
}

const { subtle } = globalThis.crypto;

async function generateEd25519Key() {
  return subtle.generateKey({
    name: 'Ed25519',
  }, true, ['sign', 'verify']);
}

async function generateX25519Key() {
  return subtle.generateKey({
    name: 'X25519',
  }, true, ['deriveKey']);
}

const { subtle } = globalThis.crypto;

async function generateHmacKey(hash = 'SHA-256') {
  const key = await subtle.generateKey({
    name: 'HMAC',
    hash,
  }, true, ['sign', 'verify']);

  return key;
}

const { subtle } = globalThis.crypto;
const publicExponent = new Uint8Array([1, 0, 1]);

async function generateRsaKey(modulusLength = 2048, hash = 'SHA-256') {
  const {
    publicKey,
    privateKey,
  } = await subtle.generateKey({
    name: 'RSASSA-PKCS1-v1_5',
    modulusLength,
    publicExponent,
    hash,
  }, true, ['sign', 'verify']);

  return { publicKey, privateKey };
}

const crypto = globalThis.crypto;

async function aesEncrypt(plaintext) {
  const ec = new TextEncoder();
  const key = await generateAesKey();
  const iv = crypto.getRandomValues(new Uint8Array(16));

  const ciphertext = await crypto.subtle.encrypt({
    name: 'AES-CBC',
    iv,
  }, key, ec.encode(plaintext));

  return {
    key,
    iv,
    ciphertext,
  };
}

async function aesDecrypt(ciphertext, key, iv) {
  const dec = new TextDecoder();
  const plaintext = await crypto.subtle.decrypt({
    name: 'AES-CBC',
    iv,
  }, key, ciphertext);

  return dec.decode(plaintext);
}

const { subtle } = globalThis.crypto;

async function generateAndExportHmacKey(format = 'jwk', hash = 'SHA-512') {
  const key = await subtle.generateKey({
    name: 'HMAC',
    hash,
  }, true, ['sign', 'verify']);

  return subtle.exportKey(format, key);
}

async function importHmacKey(keyData, format = 'jwk', hash = 'SHA-512') {
  const key = await subtle.importKey(format, keyData, {
    name: 'HMAC',
    hash,
  }, true, ['sign', 'verify']);

  return key;
}

const { subtle } = globalThis.crypto;

async function generateAndWrapHmacKey(format = 'jwk', hash = 'SHA-512') {
  const [
    key,
    wrappingKey,
  ] = await Promise.all([
    subtle.generateKey({
      name: 'HMAC', hash,
    }, true, ['sign', 'verify']),
    subtle.generateKey({
      name: 'AES-KW',
      length: 256,
    }, true, ['wrapKey', 'unwrapKey']),
  ]);

  const wrappedKey = await subtle.wrapKey(format, key, wrappingKey, 'AES-KW');

  return { wrappedKey, wrappingKey };
}

async function unwrapHmacKey(
  wrappedKey,
  wrappingKey,
  format = 'jwk',
  hash = 'SHA-512') {

  const key = await subtle.unwrapKey(
    format,
    wrappedKey,
    wrappingKey,
    'AES-KW',
    { name: 'HMAC', hash },
    true,
    ['sign', 'verify']);

  return key;
}

const { subtle } = globalThis.crypto;

async function sign(key, data) {
  const ec = new TextEncoder();
  const signature =
    await subtle.sign('RSASSA-PKCS1-v1_5', key, ec.encode(data));
  return signature;
}

async function verify(key, signature, data) {
  const ec = new TextEncoder();
  const verified =
    await subtle.verify(
      'RSASSA-PKCS1-v1_5',
      key,
      signature,
      ec.encode(data));
  return verified;
}

const { subtle } = globalThis.crypto;

async function pbkdf2(pass, salt, iterations = 1000, length = 256) {
  const ec = new TextEncoder();
  const key = await subtle.importKey(
    'raw',
    ec.encode(pass),
    'PBKDF2',
    false,
    ['deriveBits']);
  const bits = await subtle.deriveBits({
    name: 'PBKDF2',
    hash: 'SHA-512',
    salt: ec.encode(salt),
    iterations,
  }, key, length);
  return bits;
}

async function pbkdf2Key(pass, salt, iterations = 1000, length = 256) {
  const ec = new TextEncoder();
  const keyMaterial = await subtle.importKey(
    'raw',
    ec.encode(pass),
    'PBKDF2',
    false,
    ['deriveKey']);
  const key = await subtle.deriveKey({
    name: 'PBKDF2',
    hash: 'SHA-512',
    salt: ec.encode(salt),
    iterations,
  }, keyMaterial, {
    name: 'AES-GCM',
    length,
  }, true, ['encrypt', 'decrypt']);
  return key;
}

const { subtle } = globalThis.crypto;

async function digest(data, algorithm = 'SHA-512') {
  const ec = new TextEncoder();
  const digest = await subtle.digest(algorithm, ec.encode(data));
  return digest;
}

SubtleCrypto.supports() allows feature detection in Web Crypto API, which can be used to detect whether a given algorithm identifier (including its parameters) is supported for the given operation.

This example derives a key from a password using Argon2, if available, or PBKDF2, otherwise; and then encrypts and decrypts some text with it using AES-OCB, if available, and AES-GCM, otherwise.

const { SubtleCrypto, crypto } = globalThis;

const password = 'correct horse battery staple';
const derivationAlg =
  SubtleCrypto.supports?.('importKey', 'Argon2id') ?
    'Argon2id' :
    'PBKDF2';
const encryptionAlg =
  SubtleCrypto.supports?.('importKey', 'AES-OCB') ?
    'AES-OCB' :
    'AES-GCM';
const passwordKey = await crypto.subtle.importKey(
  derivationAlg === 'Argon2id' ? 'raw-secret' : 'raw',
  new TextEncoder().encode(password),
  derivationAlg,
  false,
  ['deriveKey'],
);
const nonce = crypto.getRandomValues(new Uint8Array(16));
const derivationParams =
  derivationAlg === 'Argon2id' ?
    {
      nonce,
      parallelism: 4,
      memory: 2 ** 21,
      passes: 1,
    } :
    {
      salt: nonce,
      iterations: 100_000,
      hash: 'SHA-256',
    };
const key = await crypto.subtle.deriveKey(
  {
    name: derivationAlg,
    ...derivationParams,
  },
  passwordKey,
  {
    name: encryptionAlg,
    length: 256,
  },
  false,
  ['encrypt', 'decrypt'],
);
const plaintext = 'Hello, world!';
const iv = crypto.getRandomValues(new Uint8Array(16));
const encrypted = await crypto.subtle.encrypt(
  { name: encryptionAlg, iv },
  key,
  new TextEncoder().encode(plaintext),
);
const decrypted = new TextDecoder().decode(await crypto.subtle.decrypt(
  { name: encryptionAlg, iv },
  key,
  encrypted,
));

The tables details the algorithms supported by the Node.js Web Crypto API implementation and the APIs supported for each:

Column Legend:

• Encryption: subtle.encrypt() / subtle.decrypt()
• Signatures and MAC: subtle.sign() / subtle.verify()
• Key or Bits Derivation: subtle.deriveBits() / subtle.deriveKey()
• Key Wrapping: subtle.wrapKey() / subtle.unwrapKey()
• Key Encapsulation: subtle.encapsulateBits() / subtle.decapsulateBits() / subtle.encapsulateKey() / subtle.decapsulateKey()
• Digest: subtle.digest()

globalThis.crypto is an instance of the Crypto class. Crypto is a singleton that provides access to the remainder of the crypto API.

Provides access to the SubtleCrypto API.

crypto.getRandomValues(typedArray): Buffer|TypedArray

Generates cryptographically strong random values. The given typedArray is filled with random values, and a reference to typedArray is returned.

The given typedArray must be an integer-based instance of <TypedArray>, i.e. Float32Array and Float64Array are not accepted.

An error will be thrown if the given typedArray is larger than 65,536 bytes.

crypto.randomUUID(): string

Generates a random RFC 4122 version 4 UUID. The UUID is generated using a cryptographic pseudorandom number generator.

An object detailing the algorithm for which the key can be used along with additional algorithm-specific parameters.

Read-only.

When true, the <CryptoKey> can be extracted using either subtle.exportKey() or subtle.wrapKey().

Read-only.

A string identifying whether the key is a symmetric ('secret') or asymmetric ('private' or 'public') key.

An array of strings identifying the operations for which the key may be used.

The possible usages are:

• 'encrypt' - Enable using the key with subtle.encrypt()
• 'decrypt' - Enable using the key with subtle.decrypt()
• 'sign' - Enable using the key with subtle.sign()
• 'verify' - Enable using the key with subtle.verify()
• 'deriveKey' - Enable using the key with subtle.deriveKey()
• 'deriveBits' - Enable using the key with subtle.deriveBits()
• 'encapsulateBits' - Enable using the key with subtle.encapsulateBits()
• 'decapsulateBits' - Enable using the key with subtle.decapsulateBits()
• 'encapsulateKey' - Enable using the key with subtle.encapsulateKey()
• 'decapsulateKey' - Enable using the key with subtle.decapsulateKey()
• 'wrapKey' - Enable using the key with subtle.wrapKey()
• 'unwrapKey' - Enable using the key with subtle.unwrapKey()

Valid key usages depend on the key algorithm (identified by cryptokey.algorithm.name).

Column Legend:

• Encryption: subtle.encrypt() / subtle.decrypt()
• Signatures and MAC: subtle.sign() / subtle.verify()
• Key or Bits Derivation: subtle.deriveBits() / subtle.deriveKey()
• Key Wrapping: subtle.wrapKey() / subtle.unwrapKey()
• Key Encapsulation: subtle.encapsulateBits() / subtle.decapsulateBits() / subtle.encapsulateKey() / subtle.decapsulateKey()

The CryptoKeyPair is a simple dictionary object with publicKey and privateKey properties, representing an asymmetric key pair.

SubtleCrypto.supports(operation, algorithm, lengthOrAdditionalAlgorithm?): boolean

Allows feature detection in Web Crypto API, which can be used to detect whether a given algorithm identifier (including its parameters) is supported for the given operation.

subtle.decapsulateBits(decapsulationAlgorithm, decapsulationKey, ciphertext): Promise

The algorithms currently supported include:

• 'ML-KEM-512'⁴
• 'ML-KEM-768'⁴
• 'ML-KEM-1024'⁴

subtle.decapsulateKey(decapsulationAlgorithm, decapsulationKey, ciphertext, sharedKeyAlgorithm, extractable, usages): Promise

The algorithms currently supported include:

• 'ML-KEM-512'⁴
• 'ML-KEM-768'⁴
• 'ML-KEM-1024'⁴

subtle.decrypt(algorithm, key, data): Promise

Using the method and parameters specified in algorithm and the keying material provided by key, this method attempts to decipher the provided data. If successful, the returned promise will be resolved with an <ArrayBuffer> containing the plaintext result.

The algorithms currently supported include:

• 'AES-CBC'
• 'AES-CTR'
• 'AES-GCM'
• 'AES-OCB'⁴
• 'ChaCha20-Poly1305'⁴
• 'RSA-OAEP'

subtle.deriveBits(algorithm, baseKey, length?): Promise

Using the method and parameters specified in algorithm and the keying material provided by baseKey, this method attempts to generate length bits.

When length is not provided or null the maximum number of bits for a given algorithm is generated. This is allowed for the 'ECDH', 'X25519', and 'X448'⁵ algorithms, for other algorithms length is required to be a number.

If successful, the returned promise will be resolved with an <ArrayBuffer> containing the generated data.

The algorithms currently supported include:

• 'Argon2d'⁴
• 'Argon2i'⁴
• 'Argon2id'⁴
• 'ECDH'
• 'HKDF'
• 'PBKDF2'
• 'X25519'
• 'X448'⁵

subtle.deriveKey(algorithm, baseKey, derivedKeyAlgorithm, extractable, keyUsages): Promise

Using the method and parameters specified in algorithm, and the keying material provided by baseKey, this method attempts to generate a new <CryptoKey> based on the method and parameters in derivedKeyAlgorithm.

Calling this method is equivalent to calling subtle.deriveBits() to generate raw keying material, then passing the result into the subtle.importKey() method using the deriveKeyAlgorithm, extractable, and keyUsages parameters as input.

The algorithms currently supported include:

• 'Argon2d'⁴
• 'Argon2i'⁴
• 'Argon2id'⁴
• 'ECDH'
• 'HKDF'
• 'PBKDF2'
• 'X25519'
• 'X448'⁵

subtle.digest(algorithm, data): Promise

Using the method identified by algorithm, this method attempts to generate a digest of data. If successful, the returned promise is resolved with an <ArrayBuffer> containing the computed digest.

If algorithm is provided as a <string>, it must be one of:

• 'cSHAKE128'⁴
• 'cSHAKE256'⁴
• 'SHA-1'
• 'SHA-256'
• 'SHA-384'
• 'SHA-512'
• 'SHA3-256'⁴
• 'SHA3-384'⁴
• 'SHA3-512'⁴

If algorithm is provided as an <Object>, it must have a name property whose value is one of the above.

subtle.encapsulateBits(encapsulationAlgorithm, encapsulationKey): Promise

The algorithms currently supported include:

• 'ML-KEM-512'⁴
• 'ML-KEM-768'⁴
• 'ML-KEM-1024'⁴

subtle.encapsulateKey(encapsulationAlgorithm, encapsulationKey, sharedKeyAlgorithm, extractable, usages): Promise

The algorithms currently supported include:

• 'ML-KEM-512'⁴
• 'ML-KEM-768'⁴
• 'ML-KEM-1024'⁴

subtle.encrypt(algorithm, key, data): Promise

Using the method and parameters specified by algorithm and the keying material provided by key, this method attempts to encipher data. If successful, the returned promise is resolved with an <ArrayBuffer> containing the encrypted result.

The algorithms currently supported include:

• 'AES-CBC'
• 'AES-CTR'
• 'AES-GCM'
• 'AES-OCB'⁴
• 'ChaCha20-Poly1305'⁴
• 'RSA-OAEP'

subtle.exportKey(format, key): Promise

Exports the given key into the specified format, if supported.

If the <CryptoKey> is not extractable, the returned promise will reject.

When format is either 'pkcs8' or 'spki' and the export is successful, the returned promise will be resolved with an <ArrayBuffer> containing the exported key data.

When format is 'jwk' and the export is successful, the returned promise will be resolved with a JavaScript object conforming to the JSON Web Key specification.

subtle.getPublicKey(key, keyUsages): Promise

Derives the public key from a given private key.

subtle.generateKey(algorithm, extractable, keyUsages)

Using the method and parameters provided in algorithm, subtle.generateKey() attempts to generate new keying material. Depending the method used, the method may generate either a single <CryptoKey> or a <CryptoKeyPair>.

The <CryptoKeyPair> (public and private key) generating algorithms supported include:

• 'ECDH'
• 'ECDSA'
• 'Ed25519'
• 'Ed448'⁵
• 'ML-DSA-44'⁴
• 'ML-DSA-65'⁴
• 'ML-DSA-87'⁴
• 'ML-KEM-512'⁴
• 'ML-KEM-768'⁴
• 'ML-KEM-1024'⁴
• 'RSA-OAEP'
• 'RSA-PSS'
• 'RSASSA-PKCS1-v1_5'
• 'X25519'
• 'X448'⁵

The <CryptoKey> (secret key) generating algorithms supported include:

• 'AES-CBC'
• 'AES-CTR'
• 'AES-GCM'
• 'AES-KW'
• 'AES-OCB'⁴
• 'ChaCha20-Poly1305'⁴
• 'HMAC'

subtle.importKey(format, keyData, algorithm, extractable, keyUsages)

The subtle.importKey() method attempts to interpret the provided keyData as the given format to create a <CryptoKey> instance using the provided algorithm, extractable, and keyUsages arguments. If the import is successful, the returned promise will be resolved with the created <CryptoKey>.

If importing KDF algorithm keys, extractable must be false.

The algorithms currently supported include:

subtle.sign(algorithm, key, data): Promise

Using the method and parameters given by algorithm and the keying material provided by key, this method attempts to generate a cryptographic signature of data. If successful, the returned promise is resolved with an <ArrayBuffer> containing the generated signature.

The algorithms currently supported include:

• 'ECDSA'
• 'Ed25519'
• 'Ed448'⁵
• 'HMAC'
• 'ML-DSA-44'⁴
• 'ML-DSA-65'⁴
• 'ML-DSA-87'⁴
• 'RSA-PSS'
• 'RSASSA-PKCS1-v1_5'

subtle.unwrapKey(format, wrappedKey, unwrappingKey, unwrapAlgo, unwrappedKeyAlgo, extractable, keyUsages)

In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. This method attempts to decrypt a wrapped key and create a <CryptoKey> instance. It is equivalent to calling subtle.decrypt() first on the encrypted key data (using the wrappedKey, unwrapAlgo, and unwrappingKey arguments as input) then passing the results to the subtle.importKey() method using the unwrappedKeyAlgo, extractable, and keyUsages arguments as inputs. If successful, the returned promise is resolved with a <CryptoKey> object.

The wrapping algorithms currently supported include:

• 'AES-CBC'
• 'AES-CTR'
• 'AES-GCM'
• 'AES-KW'
• 'AES-OCB'⁴
• 'ChaCha20-Poly1305'⁴
• 'RSA-OAEP'

The unwrapped key algorithms supported include:

• 'AES-CBC'
• 'AES-CTR'
• 'AES-GCM'
• 'AES-KW'
• 'AES-OCB'⁴
• 'ChaCha20-Poly1305'⁴
• 'ECDH'
• 'ECDSA'
• 'Ed25519'
• 'Ed448'⁵
• 'HMAC'
• 'ML-DSA-44'⁴
• 'ML-DSA-65'⁴
• 'ML-DSA-87'⁴
• 'ML-KEM-512'⁴
• 'ML-KEM-768'⁴
• 'ML-KEM-1024'⁴v
• 'RSA-OAEP'
• 'RSA-PSS'
• 'RSASSA-PKCS1-v1_5'
• 'X25519'
• 'X448'⁵

subtle.verify(algorithm, key, signature, data): Promise

Using the method and parameters given in algorithm and the keying material provided by key, this method attempts to verify that signature is a valid cryptographic signature of data. The returned promise is resolved with either true or false.

The algorithms currently supported include:

• 'ECDSA'
• 'Ed25519'
• 'Ed448'⁵
• 'HMAC'
• 'ML-DSA-44'⁴
• 'ML-DSA-65'⁴
• 'ML-DSA-87'⁴
• 'RSA-PSS'
• 'RSASSA-PKCS1-v1_5'

subtle.wrapKey(format, key, wrappingKey, wrapAlgo): Promise

In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. This method exports the keying material into the format identified by format, then encrypts it using the method and parameters specified by wrapAlgo and the keying material provided by wrappingKey. It is the equivalent to calling subtle.exportKey() using format and key as the arguments, then passing the result to the subtle.encrypt() method using wrappingKey and wrapAlgo as inputs. If successful, the returned promise will be resolved with an <ArrayBuffer> containing the encrypted key data.

The wrapping algorithms currently supported include:

• 'AES-CBC'
• 'AES-CTR'
• 'AES-GCM'
• 'AES-KW'
• 'AES-OCB'⁴
• 'ChaCha20-Poly1305'⁴
• 'RSA-OAEP'

The algorithm parameter objects define the methods and parameters used by the various <SubtleCrypto> methods. While described here as "classes", they are simple JavaScript dictionary objects.

Extra input that is not encrypted but is included in the authentication of the data. The use of additionalData is optional.

The initialization vector must be unique for every encryption operation using a given key.

The length of the AES key to be derived. This must be either 128, 192, or 256.

Provides the initialization vector. It must be exactly 16-bytes in length and should be unpredictable and cryptographically random.

The initial value of the counter block. This must be exactly 16 bytes long.

The AES-CTR method uses the rightmost length bits of the block as the counter and the remaining bits as the nonce.

The length of the AES key in bits.

The length of the AES key to be generated. This must be either 128, 192, or 256.

Represents the optional associated data.

Represents the memory size in kibibytes. It must be at least 8 times the degree of parallelism.

Represents the nonce, which is a salt for password hashing applications.

Represents the degree of parallelism.

Represents the number of passes.

Represents the optional secret value.

Represents the Argon2 version number. The default and currently only defined version is 19 (0x13).

The context member represents the optional context data to associate with the message. The Node.js Web Crypto API implementation only supports zero-length context which is equivalent to not providing context at all.

The customization member represents the customization string. The Node.js Web Crypto API implementation only supports zero-length customization which is equivalent to not providing customization at all.

The functionName member represents represents the function name, used by NIST to define functions based on cSHAKE. The Node.js Web Crypto API implementation only supports zero-length functionName which is equivalent to not providing functionName at all.

ECDH key derivation operates by taking as input one parties private key and another parties public key -- using both to generate a common shared secret. The ecdhKeyDeriveParams.public property is set to the other parties public key.

If represented as a <string>, the value must be one of:

• 'SHA-1'
• 'SHA-256'
• 'SHA-384'
• 'SHA-512'
• 'SHA3-256'⁴
• 'SHA3-384'⁴
• 'SHA3-512'⁴

If represented as an <Algorithm>, the object's name property must be one of the above listed values.