Encrypting data is security-sensitive. It has led in the past to the following vulnerabilities:

Proper encryption requires both the encryption algorithm and the key to be strong. Obviously the private key needs to remain secret and be renewed regularly. However, these are not the only ways an encryption scheme can be defeated or weakened: the mode of operation, the choice and reuse of initialization vectors, and the way the key is derived and stored matter just as much.

This rule flags function calls that initiate encryption/decryption. The goal is to guide security code reviews.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Questionable Code Example

// === Client side (browser Web Crypto API; `crypto` is the global object) ===
crypto.subtle.encrypt(algo, key, plainData); // Questionable
crypto.subtle.decrypt(algo, key, encData); // Questionable
// === Server side (Node.js `crypto` module) ===
const crypto = require("crypto");
// createCipher/createDecipher are deprecated in Node.js: they derive the key
// from a password without a salt and use no IV.
const cipher = crypto.createCipher(algo, key); // Questionable
const cipheriv = crypto.createCipheriv(algo, key, iv); // Questionable
const decipher = crypto.createDecipher(algo, key); // Questionable
const decipheriv = crypto.createDecipheriv(algo, key, iv); // Questionable
const pubEnc = crypto.publicEncrypt(key, buf); // Questionable
const privDec = crypto.privateDecrypt({ key: key, passphrase: secret }, pubEnc); // Questionable
const privEnc = crypto.privateEncrypt({ key: key, passphrase: secret }, buf); // Questionable
const pubDec = crypto.publicDecrypt(key, privEnc); // Questionable

See