Deterministic Encryption & Blind Indexes

This release introduces first-class support for deterministic encryption and blind indexes, and hardens token parsing by validating encrypter IDs.

Breaking Changes

The driver contract now requires custom drivers to implement:

• blindIndex(payload, purpose): string
• blindIndexes(payload, purpose): string[]

If you maintain custom drivers, update them to match the new interface before upgrading.

New Features

Deterministic Encryption (AES-SIV)

This release introduces deterministic encryption through a new AES-SIV driver, designed for equality lookups on encrypted values.

import { Encryption } from '@boringnode/encryption'
import { aessiv } from '@boringnode/encryption/drivers/aes_siv'

const encryption = new Encryption(
  aessiv({
    id: 'users_email',
    key: process.env.APP_KEY!,
  })
)

You can then query deterministically encrypted values directly:

SELECT id, email_encrypted
FROM users
WHERE email_encrypted = :encrypted_email;

Blind Indexes

This release also adds blind index APIs across drivers, Encryption, and EncryptionManager, so you can perform equality lookups with dedicated index values, including key-rotation-friendly IN queries.

const indexes = encryption.blindIndexes('foo@example.com', 'users.email')

SELECT id, email_encrypted
FROM users
WHERE email_bidx IN (:idx1, :idx2, :idx3);

Bug Fixes

Encrypter IDs are now validated to prevent parsing ambiguity in ciphertext tokens:

• id must be non-empty
• id cannot contain .

Invalid IDs now fail fast with E_INVALID_ENCRYPTER_ID.

Simplify encrypt() API with options object

New Features

Options object for encrypt method

The encrypt method now accepts an optional object as its second parameter, making it easier to specify only the options you need without passing undefined for unused parameters.

// Before: had to pass undefined to set only purpose
encryption.encrypt(data, undefined, 'password-reset')

// After: use options object
encryption.encrypt(data, { purpose: 'password-reset' })

Available options:

• expiresIn - TTL for the encrypted value (e.g., '1h', '30m', 7200)
• purpose - Purpose-bound encryption identifier

Examples:

// Only purpose
encryption.encrypt(data, { purpose: 'email-verification' })

// Only expiration
encryption.encrypt(data, { expiresIn: '24h' })

// Both options
encryption.encrypt(data, { expiresIn: '1h', purpose: 'password-reset' })

Backward Compatibility

The previous positional arguments syntax remains fully supported:

// Still works
encryption.encrypt(data, '1h', 'purpose')
encryption.encrypt(data, undefined, 'purpose')

Type Export

The new EncryptOptions type is exported for TypeScript users:

import type { EncryptOptions } from '@boringnode/encryption/types'

Build files before releasing and fix EncryptionConfig import in factory

• fix: EncryptionConfig import in factory file (9af4138)
• chore: build before publishing (9df2d00)
• chore(release): 0.2.3 (1dd28e3)
• fix(deps): update all non-major dependencies (#29) (76747c7)
• chore(deps): update dependency @japa/runner to v5 (#30) (4b1c95d)
• Accept keys as a Secret object (#31) (920d38f)

Full Changelog: 0.2.3...v0.2.4

Accept keys as Secret object

What's Changed

• Accept keys as a Secret object by @thetutlage in #31
• chore(deps): update dependency @japa/runner to v5 by @renovate[bot] in #30
• fix(deps): update all non-major dependencies by @renovate[bot] in #29

New Contributors

• @thetutlage made their first contribution in #31

Full Changelog: v0.2.2...0.2.3

Publish proper files

Seems that release-it hasn't build properly latest release

Export encryption class

Commits

• chore: export encryption class (770fe62)

Full Changelog: v0.2.0...v0.2.1

Restructure multi-key support with Encryption wrapper class

Commits

• chore(deps): update all non-major dependencies (#28) (7437620)
• refactor!: restructure multi-key support with Encryption wrapper class (39e8812)
• chore(deps): update all non-major dependencies (#27) (f3fbdfc)
• chore(deps): update all non-major dependencies (#26) (16a2609)

What's Changed

• chore(deps): update all non-major dependencies by @renovate[bot] in #26
• chore(deps): update all non-major dependencies by @renovate[bot] in #27
• chore(deps): update all non-major dependencies by @renovate[bot] in #28

Full Changelog: v0.1.0...v0.2.0

First usable release

What's Changed

• fix(deps): update all non-major dependencies by @renovate[bot] in #13
• chore(deps): update all non-major dependencies by @renovate[bot] in #14
• chore(deps): update all non-major dependencies by @renovate[bot] in #15
• chore(deps): update all non-major dependencies by @renovate[bot] in #16
• fix(deps): update all non-major dependencies by @renovate[bot] in #17
• chore(deps): update all non-major dependencies by @renovate[bot] in #18
• chore(deps): update all non-major dependencies by @renovate[bot] in #19
• chore(deps): update dependency del-cli to v7 by @renovate[bot] in #20
• chore(deps): update all non-major dependencies by @renovate[bot] in #21
• chore(deps): update all non-major dependencies by @renovate[bot] in #22
• chore(deps): update all non-major dependencies by @renovate[bot] in #23
• chore(deps): update dependency eslint to ^9.39.0 by @renovate[bot] in #24
• chore(deps): update all non-major dependencies by @renovate[bot] in #25

Commits

• fix: add factories to tsup entry (2530530)
• feat: add factory for easier testing (ec3ba90)
• chore(deps): update all non-major dependencies (#25) (1513e2a)
• chore: add more export for easy driver creation (182025b)
• chore: update @poppinss/utils (3312e21)
• chore: remove legacy driver (b3e329b)
• chore(deps): update dependency eslint to ^9.39.0 (#24) (e5a0956)
• chore(deps): update all non-major dependencies (#23) (50948a6)
• chore(deps): update all non-major dependencies (#22) (33d0558)
• chore(deps): update all non-major dependencies (#21) (1295323)
• chore: update package exports (21caf60)
• refactor: use internal base64 utils (21e7678)
• style: fix imports (4a1c1d7)
• chore: use @poppinss/ts-exec instead of ts-node (a39de48)
• chore(deps): update dependency del-cli to v7 (#20) (ae93819)
• chore(deps): update all non-major dependencies (#19) (95c1626)
• chore(deps): update all non-major dependencies (#18) (c5f151a)
• fix(deps): update all non-major dependencies (#17) (944c4a7)
• chore(deps): update all non-major dependencies (#16) (e2e4fcb)
• chore(deps): update all non-major dependencies (#15) (34b85d0)
• chore(deps): update all non-major dependencies (#14) (77edc5a)
• refactor(aes_256_cbc): pass the buffer directly (57e7ca5)
• chore: update underlying dependencies (0f1b3c2)
• fix: change imports to use .ts extension (e904a24)
• test(manager): unskip test (ffa1b3c)
• fix(deps): update all non-major dependencies (#13) (a4873de)

Full Changelog: v0.0.2...v0.1.0

Correct Exports

Commits

• fix: correct exports (957cfb8)

Full Changelog: v0.0.1...v0.0.2

Initial release

What's Changed

• chore(deps): update all non-major dependencies by @renovate in #2
• chore(deps): update dependency @japa/runner to v4 by @renovate in #6
• chore(deps): update dependency release-it to v18 by @renovate in #7
• fix(deps): update all non-major dependencies by @renovate in #4
• chore(deps): update dependency @japa/assert to v4 by @renovate in #5
• chore(deps): update all non-major dependencies by @renovate in #8
• chore(deps): update dependency eslint to v9 by @renovate in #3
• chore(deps): update all non-major dependencies by @renovate in #9
• chore(deps): update all non-major dependencies by @renovate in #10
• fix(deps): update all non-major dependencies by @renovate in #11

New Contributors

• @renovate made their first contribution in #2

Full Changelog: https://github.com/boringnode/encryption/commits/v0.0.1