W3cubDocs

/Node.js

Web Crypto API

History
Version Changes
v24.8.0

KMAC algorithms are now supported.
v24.8.0

Argon2 algorithms are now supported.
v24.7.0

AES-OCB algorithm is now supported.
v24.7.0

ML-KEM algorithms are now supported.
v24.7.0

ChaCha20-Poly1305 algorithm is now supported.
v24.7.0

SHA-3 algorithms are now supported.
v24.7.0

SHAKE algorithms are now supported.
v24.7.0

ML-DSA algorithms are now supported.
v23.5.0, v22.13.0, v20.19.3

Algorithms Ed25519 and X25519 are now stable.
v20.0.0, v18.17.0

Arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations.
v19.0.0

No longer experimental except for the Ed25519, Ed448, X25519, and X448 algorithms.
v18.4.0, v16.17.0

Removed proprietary 'node.keyObject' import/export format.
v18.4.0, v16.17.0

Removed proprietary 'NODE-DSA', 'NODE-DH', and 'NODE-SCRYPT' algorithms.
v18.4.0, v16.17.0

Added 'Ed25519', 'Ed448', 'X25519', and 'X448' algorithms.
v18.4.0, v16.17.0

Removed proprietary 'NODE-ED25519' and 'NODE-ED448' algorithms.
v18.4.0, v16.17.0

Removed proprietary 'NODE-X25519' and 'NODE-X448' named curves from the 'ECDH' algorithm.

Stability: 2 - Stable

Node.js provides an implementation of the Web Crypto API standard.

Use globalThis.crypto or require('node:crypto').webcrypto to access this module.

const { subtle } = globalThis.crypto;

(async function() {

  const key = await subtle.generateKey({
    name: 'HMAC',
    hash: 'SHA-256',
    length: 256,
  }, true, ['sign', 'verify']);

  const enc = new TextEncoder();
  const message = enc.encode('I love cupcakes');

  const digest = await subtle.sign({
    name: 'HMAC',
  }, key, message);

})();
copy

Modern Algorithms in the Web Cryptography API

Stability: 1.1 - Active development

Node.js provides an implementation of the following features from the Modern Algorithms in the Web Cryptography API WICG proposal:

Algorithms:

  • 'AES-OCB'1
  • 'Argon2d'2
  • 'Argon2i'2
  • 'Argon2id'2
  • 'ChaCha20-Poly1305'
  • 'cSHAKE128'
  • 'cSHAKE256'
  • 'KMAC128'1
  • 'KMAC256'1
  • 'ML-DSA-44'3
  • 'ML-DSA-65'3
  • 'ML-DSA-87'3
  • 'ML-KEM-512'3
  • 'ML-KEM-768'3
  • 'ML-KEM-1024'3
  • 'SHA3-256'
  • 'SHA3-384'
  • 'SHA3-512'

Key Formats:

  • 'raw-public'
  • 'raw-secret'
  • 'raw-seed'

Methods:

Secure Curves in the Web Cryptography API

Stability: 1.1 - Active development

Node.js provides an implementation of the following features from the Secure Curves in the Web Cryptography API WICG proposal:

Algorithms:

  • 'Ed448'
  • 'X448'

Examples

Generating keys

The <SubtleCrypto> class can be used to generate symmetric (secret) keys or asymmetric key pairs (public key and private key).

AES keys
const { subtle } = globalThis.crypto;

async function generateAesKey(length = 256) {
  const key = await subtle.generateKey({
    name: 'AES-CBC',
    length,
  }, true, ['encrypt', 'decrypt']);

  return key;
}
copy
ECDSA key pairs
const { subtle } = globalThis.crypto;

async function generateEcKey(namedCurve = 'P-521') {
  const {
    publicKey,
    privateKey,
  } = await subtle.generateKey({
    name: 'ECDSA',
    namedCurve,
  }, true, ['sign', 'verify']);

  return { publicKey, privateKey };
}
copy
Ed25519/X25519 key pairs
const { subtle } = globalThis.crypto;

async function generateEd25519Key() {
  return subtle.generateKey({
    name: 'Ed25519',
  }, true, ['sign', 'verify']);
}

async function generateX25519Key() {
  return subtle.generateKey({
    name: 'X25519',
  }, true, ['deriveKey']);
}
copy
HMAC keys
const { subtle } = globalThis.crypto;

async function generateHmacKey(hash = 'SHA-256') {
  const key = await subtle.generateKey({
    name: 'HMAC',
    hash,
  }, true, ['sign', 'verify']);

  return key;
}
copy
RSA key pairs
const { subtle } = globalThis.crypto;
const publicExponent = new Uint8Array([1, 0, 1]);

async function generateRsaKey(modulusLength = 2048, hash = 'SHA-256') {
  const {
    publicKey,
    privateKey,
  } = await subtle.generateKey({
    name: 'RSASSA-PKCS1-v1_5',
    modulusLength,
    publicExponent,
    hash,
  }, true, ['sign', 'verify']);

  return { publicKey, privateKey };
}
copy

Encryption and decryption

const crypto = globalThis.crypto;

async function aesEncrypt(plaintext) {
  const ec = new TextEncoder();
  const key = await generateAesKey();
  const iv = crypto.getRandomValues(new Uint8Array(16));

  const ciphertext = await crypto.subtle.encrypt({
    name: 'AES-CBC',
    iv,
  }, key, ec.encode(plaintext));

  return {
    key,
    iv,
    ciphertext,
  };
}

async function aesDecrypt(ciphertext, key, iv) {
  const dec = new TextDecoder();
  const plaintext = await crypto.subtle.decrypt({
    name: 'AES-CBC',
    iv,
  }, key, ciphertext);

  return dec.decode(plaintext);
}
copy

Exporting and importing keys

const { subtle } = globalThis.crypto;

async function generateAndExportHmacKey(format = 'jwk', hash = 'SHA-512') {
  const key = await subtle.generateKey({
    name: 'HMAC',
    hash,
  }, true, ['sign', 'verify']);

  return subtle.exportKey(format, key);
}

async function importHmacKey(keyData, format = 'jwk', hash = 'SHA-512') {
  const key = await subtle.importKey(format, keyData, {
    name: 'HMAC',
    hash,
  }, true, ['sign', 'verify']);

  return key;
}
copy

Wrapping and unwrapping keys

const { subtle } = globalThis.crypto;

async function generateAndWrapHmacKey(format = 'jwk', hash = 'SHA-512') {
  const [
    key,
    wrappingKey,
  ] = await Promise.all([
    subtle.generateKey({
      name: 'HMAC', hash,
    }, true, ['sign', 'verify']),
    subtle.generateKey({
      name: 'AES-KW',
      length: 256,
    }, true, ['wrapKey', 'unwrapKey']),
  ]);

  const wrappedKey = await subtle.wrapKey(format, key, wrappingKey, 'AES-KW');

  return { wrappedKey, wrappingKey };
}

async function unwrapHmacKey(
  wrappedKey,
  wrappingKey,
  format = 'jwk',
  hash = 'SHA-512') {

  const key = await subtle.unwrapKey(
    format,
    wrappedKey,
    wrappingKey,
    'AES-KW',
    { name: 'HMAC', hash },
    true,
    ['sign', 'verify']);

  return key;
}
copy

Sign and verify

const { subtle } = globalThis.crypto;

async function sign(key, data) {
  const ec = new TextEncoder();
  const signature =
    await subtle.sign('RSASSA-PKCS1-v1_5', key, ec.encode(data));
  return signature;
}

async function verify(key, signature, data) {
  const ec = new TextEncoder();
  const verified =
    await subtle.verify(
      'RSASSA-PKCS1-v1_5',
      key,
      signature,
      ec.encode(data));
  return verified;
}
copy

Deriving bits and keys

const { subtle } = globalThis.crypto;

async function pbkdf2(pass, salt, iterations = 1000, length = 256) {
  const ec = new TextEncoder();
  const key = await subtle.importKey(
    'raw',
    ec.encode(pass),
    'PBKDF2',
    false,
    ['deriveBits']);
  const bits = await subtle.deriveBits({
    name: 'PBKDF2',
    hash: 'SHA-512',
    salt: ec.encode(salt),
    iterations,
  }, key, length);
  return bits;
}

async function pbkdf2Key(pass, salt, iterations = 1000, length = 256) {
  const ec = new TextEncoder();
  const keyMaterial = await subtle.importKey(
    'raw',
    ec.encode(pass),
    'PBKDF2',
    false,
    ['deriveKey']);
  const key = await subtle.deriveKey({
    name: 'PBKDF2',
    hash: 'SHA-512',
    salt: ec.encode(salt),
    iterations,
  }, keyMaterial, {
    name: 'AES-GCM',
    length,
  }, true, ['encrypt', 'decrypt']);
  return key;
}
copy

Digest

const { subtle } = globalThis.crypto;

async function digest(data, algorithm = 'SHA-512') {
  const ec = new TextEncoder();
  const digest = await subtle.digest(algorithm, ec.encode(data));
  return digest;
}
copy

Checking for runtime algorithm support

SubtleCrypto.supports() allows feature detection in Web Crypto API, which can be used to detect whether a given algorithm identifier (including its parameters) is supported for the given operation.

This example derives a key from a password using Argon2, if available, or PBKDF2, otherwise; and then encrypts and decrypts some text with it using AES-OCB, if available, and AES-GCM, otherwise.

const { SubtleCrypto, crypto } = globalThis;

const password = 'correct horse battery staple';
const derivationAlg =
  SubtleCrypto.supports?.('importKey', 'Argon2id') ?
    'Argon2id' :
    'PBKDF2';
const encryptionAlg =
  SubtleCrypto.supports?.('importKey', 'AES-OCB') ?
    'AES-OCB' :
    'AES-GCM';
const passwordKey = await crypto.subtle.importKey(
  derivationAlg === 'Argon2id' ? 'raw-secret' : 'raw',
  new TextEncoder().encode(password),
  derivationAlg,
  false,
  ['deriveKey'],
);
const nonce = crypto.getRandomValues(new Uint8Array(16));
const derivationParams =
  derivationAlg === 'Argon2id' ?
    {
      nonce,
      parallelism: 4,
      memory: 2 ** 21,
      passes: 1,
    } :
    {
      salt: nonce,
      iterations: 100_000,
      hash: 'SHA-256',
    };
const key = await crypto.subtle.deriveKey(
  {
    name: derivationAlg,
    ...derivationParams,
  },
  passwordKey,
  {
    name: encryptionAlg,
    length: 256,
  },
  false,
  ['encrypt', 'decrypt'],
);
const plaintext = 'Hello, world!';
const iv = crypto.getRandomValues(new Uint8Array(16));
const encrypted = await crypto.subtle.encrypt(
  { name: encryptionAlg, iv },
  key,
  new TextEncoder().encode(plaintext),
);
const decrypted = new TextDecoder().decode(await crypto.subtle.decrypt(
  { name: encryptionAlg, iv },
  key,
  encrypted,
));
copy

Algorithm matrix

The tables details the algorithms supported by the Node.js Web Crypto API implementation and the APIs supported for each:

Key Management APIs

Algorithm subtle.generateKey() subtle.exportKey() subtle.importKey() subtle.getPublicKey()
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'AES-OCB'
'Argon2d'
'Argon2i'
'Argon2id'
'ChaCha20-Poly1305'4
'ECDH'
'ECDSA'
'Ed25519'
'Ed448'5
'HKDF'
'HMAC'
'KMAC128'4
'KMAC256'4
'ML-DSA-44'4
'ML-DSA-65'4
'ML-DSA-87'4
'ML-KEM-512'4
'ML-KEM-768'4
'ML-KEM-1024'4
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'
'X25519'
'X448'5

Crypto Operation APIs

Column Legend:

Algorithm Encryption Signatures and MAC Key or Bits Derivation Key Wrapping Key Encapsulation Digest
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'AES-OCB'
'Argon2d'
'Argon2i'
'Argon2id'
'ChaCha20-Poly1305'4
'cSHAKE128'4
'cSHAKE256'4
'ECDH'
'ECDSA'
'Ed25519'
'Ed448'5
'HKDF'
'HMAC'
'KMAC128'4
'KMAC256'4
'ML-DSA-44'4
'ML-DSA-65'4
'ML-DSA-87'4
'ML-KEM-512'4
'ML-KEM-768'4
'ML-KEM-1024'4
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'
'SHA-1'
'SHA-256'
'SHA-384'
'SHA-512'
'SHA3-256'4
'SHA3-384'4
'SHA3-512'4
'X25519'
'X448'5

Class: Crypto

Added in: v15.0.0

globalThis.crypto is an instance of the Crypto class. Crypto is a singleton that provides access to the remainder of the crypto API.

crypto.subtle

Added in: v15.0.0

Provides access to the SubtleCrypto API.

crypto.getRandomValues(typedArray)

Added in: v15.0.0

Generates cryptographically strong random values. The given typedArray is filled with random values, and a reference to typedArray is returned.

The given typedArray must be an integer-based instance of <TypedArray>, i.e. Float32Array and Float64Array are not accepted.

An error will be thrown if the given typedArray is larger than 65,536 bytes.

crypto.randomUUID()

Added in: v16.7.0

Generates a random RFC 4122 version 4 UUID. The UUID is generated using a cryptographic pseudorandom number generator.

Class: CryptoKey

Added in: v15.0.0

cryptoKey.algorithm

Added in: v15.0.0

An object detailing the algorithm for which the key can be used along with additional algorithm-specific parameters.

Read-only.

cryptoKey.extractable

Added in: v15.0.0

When true, the <CryptoKey> can be extracted using either subtle.exportKey() or subtle.wrapKey().

Read-only.

cryptoKey.type

Added in: v15.0.0
  • Type: <string> One of 'secret', 'private', or 'public'.

A string identifying whether the key is a symmetric ('secret') or asymmetric ('private' or 'public') key.

cryptoKey.usages

Added in: v15.0.0

An array of strings identifying the operations for which the key may be used.

The possible usages are:

Valid key usages depend on the key algorithm (identified by cryptokey.algorithm.name).

Column Legend:

Supported Key Algorithm Encryption Signatures and MAC Key or Bits Derivation Key Wrapping Key Encapsulation
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'AES-OCB'
'Argon2d'
'Argon2i'
'Argon2id'
'ChaCha20-Poly1305'4
'ECDH'
'ECDSA'
'Ed25519'
'Ed448'5
'HDKF'
'HMAC'
'KMAC128'4
'KMAC256'4
'ML-DSA-44'4
'ML-DSA-65'4
'ML-DSA-87'4
'ML-KEM-512'4
'ML-KEM-768'4
'ML-KEM-1024'4
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'
'X25519'
'X448'5

Class: CryptoKeyPair

Added in: v15.0.0

The CryptoKeyPair is a simple dictionary object with publicKey and privateKey properties, representing an asymmetric key pair.

cryptoKeyPair.privateKey

Added in: v15.0.0

cryptoKeyPair.publicKey

Added in: v15.0.0

Class: SubtleCrypto

Added in: v15.0.0

Static method: SubtleCrypto.supports(operation, algorithm[, lengthOrAdditionalAlgorithm])

Added in: v24.7.0

Stability: 1.1 - Active development

  • operation <string> "encrypt", "decrypt", "sign", "verify", "digest", "generateKey", "deriveKey", "deriveBits", "importKey", "exportKey", "getPublicKey", "wrapKey", "unwrapKey", "encapsulateBits", "encapsulateKey", "decapsulateBits", or "decapsulateKey"
  • algorithm <string> | <Algorithm>
  • lengthOrAdditionalAlgorithm <null> | <number> | <string> | <Algorithm> | <undefined> Depending on the operation this is either ignored, the value of the length argument when operation is "deriveBits", the algorithm of key to be derived when operation is "deriveKey", the algorithm of key to be exported before wrapping when operation is "wrapKey", the algorithm of key to be imported after unwrapping when operation is "unwrapKey", or the algorithm of key to be imported after en/decapsulating a key when operation is "encapsulateKey" or "decapsulateKey". Default: null when operation is "deriveBits", undefined otherwise.
  • Returns: <boolean> Indicating whether the implementation supports the given operation

Allows feature detection in Web Crypto API, which can be used to detect whether a given algorithm identifier (including its parameters) is supported for the given operation.

See Checking for runtime algorithm support for an example use of this method.

subtle.decapsulateBits(decapsulationAlgorithm, decapsulationKey, ciphertext)

Added in: v24.7.0

Stability: 1.1 - Active development

A message recipient uses their asymmetric private key to decrypt an "encapsulated key" (ciphertext), thereby recovering a temporary symmetric key (represented as <ArrayBuffer>) which is then used to decrypt a message.

The algorithms currently supported include:

  • 'ML-KEM-512'4
  • 'ML-KEM-768'4
  • 'ML-KEM-1024'4

subtle.decapsulateKey(decapsulationAlgorithm, decapsulationKey, ciphertext, sharedKeyAlgorithm, extractable, usages)

Added in: v24.7.0

Stability: 1.1 - Active development

A message recipient uses their asymmetric private key to decrypt an "encapsulated key" (ciphertext), thereby recovering a temporary symmetric key (represented as <CryptoKey>) which is then used to decrypt a message.

The algorithms currently supported include:

  • 'ML-KEM-512'4
  • 'ML-KEM-768'4
  • 'ML-KEM-1024'4

subtle.decrypt(algorithm, key, data)

Added in: v15.0.0
History
Version Changes
v24.7.0

AES-OCB algorithm is now supported.
v24.7.0

ChaCha20-Poly1305 algorithm is now supported.

Using the method and parameters specified in algorithm and the keying material provided by key, this method attempts to decipher the provided data. If successful, the returned promise will be resolved with an <ArrayBuffer> containing the plaintext result.

The algorithms currently supported include:

  • 'AES-CBC'
  • 'AES-CTR'
  • 'AES-GCM'
  • 'AES-OCB'4
  • 'ChaCha20-Poly1305'4
  • 'RSA-OAEP'

subtle.deriveBits(algorithm, baseKey[, length])

Added in: v15.0.0
History
Version Changes
v24.8.0

Argon2 algorithms are now supported.
v22.5.0, v20.17.0, v18.20.5

The length parameter is now optional for 'ECDH', 'X25519', and 'X448'.
v18.4.0, v16.17.0

Added 'X25519', and 'X448' algorithms.

Using the method and parameters specified in algorithm and the keying material provided by baseKey, this method attempts to generate length bits.

When length is not provided or null the maximum number of bits for a given algorithm is generated. This is allowed for the 'ECDH', 'X25519', and 'X448'5 algorithms, for other algorithms length is required to be a number.

If successful, the returned promise will be resolved with an <ArrayBuffer> containing the generated data.

The algorithms currently supported include:

  • 'Argon2d'4
  • 'Argon2i'4
  • 'Argon2id'4
  • 'ECDH'
  • 'HKDF'
  • 'PBKDF2'
  • 'X25519'
  • 'X448'5

subtle.deriveKey(algorithm, baseKey, derivedKeyAlgorithm, extractable, keyUsages)

Added in: v15.0.0
History
Version Changes
v24.8.0

Argon2 algorithms are now supported.
v18.4.0, v16.17.0

Added 'X25519', and 'X448' algorithms.

Using the method and parameters specified in algorithm, and the keying material provided by baseKey, this method attempts to generate a new <CryptoKey> based on the method and parameters in derivedKeyAlgorithm.

Calling this method is equivalent to calling subtle.deriveBits() to generate raw keying material, then passing the result into the subtle.importKey() method using the deriveKeyAlgorithm, extractable, and keyUsages parameters as input.

The algorithms currently supported include:

  • 'Argon2d'4
  • 'Argon2i'4
  • 'Argon2id'4
  • 'ECDH'
  • 'HKDF'
  • 'PBKDF2'
  • 'X25519'
  • 'X448'5

subtle.digest(algorithm, data)

Added in: v15.0.0
History
Version Changes
v24.7.0

SHA-3 algorithms are now supported.
v24.7.0

SHAKE algorithms are now supported.

Using the method identified by algorithm, this method attempts to generate a digest of data. If successful, the returned promise is resolved with an <ArrayBuffer> containing the computed digest.

If algorithm is provided as a <string>, it must be one of:

  • 'cSHAKE128'4
  • 'cSHAKE256'4
  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'
  • 'SHA3-256'4
  • 'SHA3-384'4
  • 'SHA3-512'4

If algorithm is provided as an <Object>, it must have a name property whose value is one of the above.

subtle.encapsulateBits(encapsulationAlgorithm, encapsulationKey)

Added in: v24.7.0

Stability: 1.1 - Active development

Uses a message recipient's asymmetric public key to encrypt a temporary symmetric key. This encrypted key is the "encapsulated key" represented as {EncapsulatedBits}.

The algorithms currently supported include:

  • 'ML-KEM-512'4
  • 'ML-KEM-768'4
  • 'ML-KEM-1024'4

subtle.encapsulateKey(encapsulationAlgorithm, encapsulationKey, sharedKeyAlgorithm, extractable, usages)

Added in: v24.7.0

Stability: 1.1 - Active development

Uses a message recipient's asymmetric public key to encrypt a temporary symmetric key. This encrypted key is the "encapsulated key" represented as {EncapsulatedKey}.

The algorithms currently supported include:

  • 'ML-KEM-512'4
  • 'ML-KEM-768'4
  • 'ML-KEM-1024'4

subtle.encrypt(algorithm, key, data)

Added in: v15.0.0
History
Version Changes
v24.7.0

AES-OCB algorithm is now supported.
v24.7.0

ChaCha20-Poly1305 algorithm is now supported.

Using the method and parameters specified by algorithm and the keying material provided by key, this method attempts to encipher data. If successful, the returned promise is resolved with an <ArrayBuffer> containing the encrypted result.

The algorithms currently supported include:

  • 'AES-CBC'
  • 'AES-CTR'
  • 'AES-GCM'
  • 'AES-OCB'4
  • 'ChaCha20-Poly1305'4
  • 'RSA-OAEP'

subtle.exportKey(format, key)

Added in: v15.0.0
History
Version Changes
v24.8.0

KMAC algorithms are now supported.
v24.7.0

ML-KEM algorithms are now supported.
v24.7.0

ChaCha20-Poly1305 algorithm is now supported.
v24.7.0

ML-DSA algorithms are now supported.
v18.4.0, v16.17.0

Added 'Ed25519', 'Ed448', 'X25519', and 'X448' algorithms.
v15.9.0

Removed 'NODE-DSA' JWK export.

Exports the given key into the specified format, if supported.

If the <CryptoKey> is not extractable, the returned promise will reject.

When format is either 'pkcs8' or 'spki' and the export is successful, the returned promise will be resolved with an <ArrayBuffer> containing the exported key data.

When format is 'jwk' and the export is successful, the returned promise will be resolved with a JavaScript object conforming to the JSON Web Key specification.

Supported Key Algorithm 'spki' 'pkcs8' 'jwk' 'raw' 'raw-secret' 'raw-public' 'raw-seed'
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'AES-OCB'4
'ChaCha20-Poly1305'4
'ECDH'
'ECDSA'
'Ed25519'
'Ed448'5
'HMAC'
'KMAC128'4
'KMAC256'4
'ML-DSA-44'4
'ML-DSA-65'4
'ML-DSA-87'4
'ML-KEM-512'4
'ML-KEM-768'4
'ML-KEM-1024'4
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'

subtle.getPublicKey(key, keyUsages)

Added in: v24.7.0

Stability: 1.1 - Active development

Derives the public key from a given private key.

subtle.generateKey(algorithm, extractable, keyUsages)

Added in: v15.0.0
History
Version Changes
v24.8.0

KMAC algorithms are now supported.
v24.7.0

ML-KEM algorithms are now supported.
v24.7.0

ChaCha20-Poly1305 algorithm is now supported.
v24.7.0

ML-DSA algorithms are now supported.

Using the parameters provided in algorithm, this method attempts to generate new keying material. Depending on the algorithm used either a single <CryptoKey> or a <CryptoKeyPair> is generated.

The <CryptoKeyPair> (public and private key) generating algorithms supported include:

  • 'ECDH'
  • 'ECDSA'
  • 'Ed25519'
  • 'Ed448'5
  • 'ML-DSA-44'4
  • 'ML-DSA-65'4
  • 'ML-DSA-87'4
  • 'ML-KEM-512'4
  • 'ML-KEM-768'4
  • 'ML-KEM-1024'4
  • 'RSA-OAEP'
  • 'RSA-PSS'
  • 'RSASSA-PKCS1-v1_5'
  • 'X25519'
  • 'X448'5

The <CryptoKey> (secret key) generating algorithms supported include:

  • 'AES-CBC'
  • 'AES-CTR'
  • 'AES-GCM'
  • 'AES-KW'
  • 'AES-OCB'4
  • 'ChaCha20-Poly1305'4
  • 'HMAC'
  • 'KMAC128'4
  • 'KMAC256'4

subtle.importKey(format, keyData, algorithm, extractable, keyUsages)

Added in: v15.0.0
History
Version Changes
v24.8.0

KMAC algorithms are now supported.
v24.7.0

ML-KEM algorithms are now supported.
v24.7.0

ChaCha20-Poly1305 algorithm is now supported.
v24.7.0

ML-DSA algorithms are now supported.
v18.4.0, v16.17.0

Added 'Ed25519', 'Ed448', 'X25519', and 'X448' algorithms.
v15.9.0

Removed 'NODE-DSA' JWK import.

This method attempts to interpret the provided keyData as the given format to create a <CryptoKey> instance using the provided algorithm, extractable, and keyUsages arguments. If the import is successful, the returned promise will be resolved with a <CryptoKey> representation of the key material.

If importing KDF algorithm keys, extractable must be false.

The algorithms currently supported include:

Supported Key Algorithm 'spki' 'pkcs8' 'jwk' 'raw' 'raw-secret' 'raw-public' 'raw-seed'
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'AES-OCB'4
'Argon2d'4
'Argon2i'4
'Argon2id'4
'ChaCha20-Poly1305'4
'ECDH'
'ECDSA'
'Ed25519'
'Ed448'5
'HDKF'
'HMAC'
'KMAC128'4
'KMAC256'4
'ML-DSA-44'4
'ML-DSA-65'4
'ML-DSA-87'4
'ML-KEM-512'4
'ML-KEM-768'4
'ML-KEM-1024'4
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'
'X25519'
'X448'5

subtle.sign(algorithm, key, data)

Added in: v15.0.0
History
Version Changes
v24.8.0

KMAC algorithms are now supported.
v24.7.0

ML-DSA algorithms are now supported.
v18.4.0, v16.17.0

Added 'Ed25519', and 'Ed448' algorithms.

Using the method and parameters given by algorithm and the keying material provided by key, this method attempts to generate a cryptographic signature of data. If successful, the returned promise is resolved with an <ArrayBuffer> containing the generated signature.

The algorithms currently supported include:

  • 'ECDSA'
  • 'Ed25519'
  • 'Ed448'5
  • 'HMAC'
  • 'KMAC128'4
  • 'KMAC256'4
  • 'ML-DSA-44'4
  • 'ML-DSA-65'4
  • 'ML-DSA-87'4
  • 'RSA-PSS'
  • 'RSASSA-PKCS1-v1_5'

subtle.unwrapKey(format, wrappedKey, unwrappingKey, unwrapAlgo, unwrappedKeyAlgo, extractable, keyUsages)

Added in: v15.0.0
History
Version Changes
v24.7.0

AES-OCB algorithm is now supported.
v24.7.0

ChaCha20-Poly1305 algorithm is now supported.

In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. This method attempts to decrypt a wrapped key and create a <CryptoKey> instance. It is equivalent to calling subtle.decrypt() first on the encrypted key data (using the wrappedKey, unwrapAlgo, and unwrappingKey arguments as input) then passing the results to the subtle.importKey() method using the unwrappedKeyAlgo, extractable, and keyUsages arguments as inputs. If successful, the returned promise is resolved with a <CryptoKey> object.

The wrapping algorithms currently supported include:

  • 'AES-CBC'
  • 'AES-CTR'
  • 'AES-GCM'
  • 'AES-KW'
  • 'AES-OCB'4
  • 'ChaCha20-Poly1305'4
  • 'RSA-OAEP'

The unwrapped key algorithms supported include:

  • 'AES-CBC'
  • 'AES-CTR'
  • 'AES-GCM'
  • 'AES-KW'
  • 'AES-OCB'4
  • 'ChaCha20-Poly1305'4
  • 'ECDH'
  • 'ECDSA'
  • 'Ed25519'
  • 'Ed448'5
  • 'HMAC'
  • 'KMAC128'5
  • 'KMAC256'5
  • 'ML-DSA-44'4
  • 'ML-DSA-65'4
  • 'ML-DSA-87'4
  • 'ML-KEM-512'4
  • 'ML-KEM-768'4
  • 'ML-KEM-1024'4v
  • 'RSA-OAEP'
  • 'RSA-PSS'
  • 'RSASSA-PKCS1-v1_5'
  • 'X25519'
  • 'X448'5

subtle.verify(algorithm, key, signature, data)

Added in: v15.0.0
History
Version Changes
v24.8.0

KMAC algorithms are now supported.
v24.7.0

ML-DSA algorithms are now supported.
v18.4.0, v16.17.0

Added 'Ed25519', and 'Ed448' algorithms.

Using the method and parameters given in algorithm and the keying material provided by key, this method attempts to verify that signature is a valid cryptographic signature of data. The returned promise is resolved with either true or false.

The algorithms currently supported include:

  • 'ECDSA'
  • 'Ed25519'
  • 'Ed448'5
  • 'HMAC'
  • 'KMAC128'5
  • 'KMAC256'5
  • 'ML-DSA-44'4
  • 'ML-DSA-65'4
  • 'ML-DSA-87'4
  • 'RSA-PSS'
  • 'RSASSA-PKCS1-v1_5'

subtle.wrapKey(format, key, wrappingKey, wrapAlgo)

Added in: v15.0.0
History
Version Changes
v24.7.0

AES-OCB algorithm is now supported.
v24.7.0

ChaCha20-Poly1305 algorithm is now supported.

In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. This method exports the keying material into the format identified by format, then encrypts it using the method and parameters specified by wrapAlgo and the keying material provided by wrappingKey. It is the equivalent to calling subtle.exportKey() using format and key as the arguments, then passing the result to the subtle.encrypt() method using wrappingKey and wrapAlgo as inputs. If successful, the returned promise will be resolved with an <ArrayBuffer> containing the encrypted key data.

The wrapping algorithms currently supported include:

  • 'AES-CBC'
  • 'AES-CTR'
  • 'AES-GCM'
  • 'AES-KW'
  • 'AES-OCB'4
  • 'ChaCha20-Poly1305'4
  • 'RSA-OAEP'

Algorithm parameters

The algorithm parameter objects define the methods and parameters used by the various <SubtleCrypto> methods. While described here as "classes", they are simple JavaScript dictionary objects.

Class: Algorithm

Added in: v15.0.0
Algorithm.name
Added in: v15.0.0

Class: AeadParams

Added in: v15.0.0
aeadParams.additionalData
Added in: v15.0.0

Extra input that is not encrypted but is included in the authentication of the data. The use of additionalData is optional.

aeadParams.iv
Added in: v15.0.0

The initialization vector must be unique for every encryption operation using a given key.

aeadParams.name
Added in: v15.0.0
  • Type: <string> Must be 'AES-GCM', 'AES-OCB', or 'ChaCha20-Poly1305'.
aeadParams.tagLength
Added in: v15.0.0
  • Type: <number> The size in bits of the generated authentication tag.

Class: AesDerivedKeyParams

Added in: v15.0.0
aesDerivedKeyParams.name
Added in: v15.0.0
  • Type: <string> Must be one of 'AES-CBC', 'AES-CTR', 'AES-GCM', 'AES-OCB', or 'AES-KW'
aesDerivedKeyParams.length
Added in: v15.0.0

The length of the AES key to be derived. This must be either 128, 192, or 256.

Class: AesCbcParams

Added in: v15.0.0
aesCbcParams.iv
Added in: v15.0.0

Provides the initialization vector. It must be exactly 16-bytes in length and should be unpredictable and cryptographically random.

aesCbcParams.name
Added in: v15.0.0

Class: AesCtrParams

Added in: v15.0.0
aesCtrParams.counter
Added in: v15.0.0

The initial value of the counter block. This must be exactly 16 bytes long.

The AES-CTR method uses the rightmost length bits of the block as the counter and the remaining bits as the nonce.

aesCtrParams.length
Added in: v15.0.0
  • Type: <number> The number of bits in the aesCtrParams.counter that are to be used as the counter.
aesCtrParams.name
Added in: v15.0.0

Class: AesKeyAlgorithm

Added in: v15.0.0
aesKeyAlgorithm.length
Added in: v15.0.0

The length of the AES key in bits.

aesKeyAlgorithm.name
Added in: v15.0.0

Class: AesKeyGenParams

Added in: v15.0.0
aesKeyGenParams.length
Added in: v15.0.0

The length of the AES key to be generated. This must be either 128, 192, or 256.

aesKeyGenParams.name
Added in: v15.0.0
  • Type: <string> Must be one of 'AES-CBC', 'AES-CTR', 'AES-GCM', or 'AES-KW'

Class: Argon2Params

Added in: v24.8.0
argon2Params.associatedData
Added in: v24.8.0

Represents the optional associated data.

argon2Params.memory
Added in: v24.8.0

Represents the memory size in kibibytes. It must be at least 8 times the degree of parallelism.

argon2Params.name
Added in: v24.8.0
  • Type: <string> Must be one of 'Argon2d', 'Argon2i', or 'Argon2id'.
argon2Params.nonce
Added in: v24.8.0

Represents the nonce, which is a salt for password hashing applications.

argon2Params.parallelism
Added in: v24.8.0

Represents the degree of parallelism.

argon2Params.passes
Added in: v24.8.0

Represents the number of passes.

argon2Params.secretValue
Added in: v24.8.0

Represents the optional secret value.

argon2Params.version
Added in: v24.8.0

Represents the Argon2 version number. The default and currently only defined version is 19 (0x13).

Class: ContextParams

Added in: v24.7.0
contextParams.name
Added in: v24.7.0
  • Type: <string> Must be Ed4485, 'ML-DSA-44'4, 'ML-DSA-65'4, or 'ML-DSA-87'4.
contextParams.context
Added in: v24.7.0
History
Version Changes
v24.8.0

Non-empty context is now supported.

The context member represents the optional context data to associate with the message.

Class: CShakeParams

Added in: v24.7.0
cShakeParams.customization
Added in: v24.7.0

The customization member represents the customization string. The Node.js Web Crypto API implementation only supports zero-length customization which is equivalent to not providing customization at all.

cShakeParams.functionName
Added in: v24.7.0

The functionName member represents represents the function name, used by NIST to define functions based on cSHAKE. The Node.js Web Crypto API implementation only supports zero-length functionName which is equivalent to not providing functionName at all.

cShakeParams.length
Added in: v24.7.0
  • Type: <number> represents the requested output length in bits.
cShakeParams.name
Added in: v24.7.0
  • Type: <string> Must be 'cSHAKE128'4 or 'cSHAKE256'4

Class: EcdhKeyDeriveParams

Added in: v15.0.0
ecdhKeyDeriveParams.name
Added in: v15.0.0
  • Type: <string> Must be 'ECDH', 'X25519', or 'X448'5.
ecdhKeyDeriveParams.public
Added in: v15.0.0

ECDH key derivation operates by taking as input one parties private key and another parties public key -- using both to generate a common shared secret. The ecdhKeyDeriveParams.public property is set to the other parties public key.

Class: EcdsaParams

Added in: v15.0.0
ecdsaParams.hash
Added in: v15.0.0
History
Version Changes
v24.7.0

SHA-3 algorithms are now supported.

If represented as a <string>, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'
  • 'SHA3-256'4
  • 'SHA3-384'4
  • 'SHA3-512'4

If represented as an <Algorithm>, the object's name property must be one of the above listed values.

ecdsaParams.name
Added in: v15.0.0

Class: EcKeyAlgorithm

Added in: v15.0.0
ecKeyAlgorithm.name
Added in: v15.0.0
ecKeyAlgorithm.namedCurve
Added in: v15.0.0

Class: EcKeyGenParams

Added in: v15.0.0
ecKeyGenParams.name
Added in: v15.0.0
  • Type: <string> Must be one of 'ECDSA' or 'ECDH'.
ecKeyGenParams.namedCurve
Added in: v15.0.0
  • Type: <string> Must be one of 'P-256', 'P-384', 'P-521'.

Class: EcKeyImportParams

Added in: v15.0.0
ecKeyImportParams.name
Added in: v15.0.0
  • Type: <string> Must be one of 'ECDSA' or 'ECDH'.
ecKeyImportParams.namedCurve
Added in: v15.0.0
  • Type: <string> Must be one of 'P-256', 'P-384', 'P-521'.

Class: EncapsulatedBits

Added in: v24.7.0

A temporary symmetric secret key (represented as <ArrayBuffer>) for message encryption and the ciphertext (that can be transmitted to the message recipient along with the message) encrypted by this shared key. The recipient uses their private key to determine what the shared key is which then allows them to decrypt the message.

encapsulatedBits.ciphertext
Added in: v24.7.0
encapsulatedBits.sharedKey
Added in: v24.7.0

Class: EncapsulatedKey

Added in: v24.7.0

A temporary symmetric secret key (represented as <CryptoKey>) for message encryption and the ciphertext (that can be transmitted to the message recipient along with the message) encrypted by this shared key. The recipient uses their private key to determine what the shared key is which then allows them to decrypt the message.

encapsulatedKey.ciphertext
Added in: v24.7.0
encapsulatedKey.sharedKey
Added in: v24.7.0

Class: HkdfParams

Added in: v15.0.0
hkdfParams.hash
Added in: v15.0.0
History
Version Changes
v24.7.0

SHA-3 algorithms are now supported.

If represented as a <string>, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'
  • 'SHA3-256'4
  • 'SHA3-384'4
  • 'SHA3-512'4

If represented as an <Algorithm>, the object's name property must be one of the above listed values.

hkdfParams.info
Added in: v15.0.0

Provides application-specific contextual input to the HKDF algorithm. This can be zero-length but must be provided.

hkdfParams.name
Added in: v15.0.0
hkdfParams.salt
Added in: v15.0.0

The salt value significantly improves the strength of the HKDF algorithm. It should be random or pseudorandom and should be the same length as the output of the digest function (for instance, if using 'SHA-256' as the digest, the salt should be 256-bits of random data).

Class: HmacImportParams

Added in: v15.0.0
hmacImportParams.hash
Added in: v15.0.0
History
Version Changes
v24.7.0

SHA-3 algorithms are now supported.

If represented as a <string>, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'
  • 'SHA3-256'4
  • 'SHA3-384'4
  • 'SHA3-512'4

If represented as an <Algorithm>, the object's name property must be one of the above listed values.

hmacImportParams.length
Added in: v15.0.0

The optional number of bits in the HMAC key. This is optional and should be omitted for most cases.

hmacImportParams.name
Added in: v15.0.0

Class: HmacKeyAlgorithm

Added in: v15.0.0
hmacKeyAlgorithm.hash
Added in: v15.0.0
hmacKeyAlgorithm.length
Added in: v15.0.0

The length of the HMAC key in bits.

hmacKeyAlgorithm.name
Added in: v15.0.0

Class: HmacKeyGenParams

Added in: v15.0.0
hmacKeyGenParams.hash
Added in: v15.0.0
History
Version Changes
v24.7.0

SHA-3 algorithms are now supported.

If represented as a <string>, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'
  • 'SHA3-256'4
  • 'SHA3-384'4
  • 'SHA3-512'4

If represented as an <Algorithm>, the object's name property must be one of the above listed values.

hmacKeyGenParams.length
Added in: v15.0.0

The number of bits to generate for the HMAC key. If omitted, the length will be determined by the hash algorithm used. This is optional and should be omitted for most cases.

hmacKeyGenParams.name
Added in: v15.0.0

Class: KeyAlgorithm

Added in: v15.0.0
keyAlgorithm.name
Added in: v15.0.0

Class: KmacImportParams

Added in: v24.8.0
kmacImportParams.length
Added in: v24.8.0

The optional number of bits in the KMAC key. This is optional and should be omitted for most cases.

kmacImportParams.name
Added in: v24.8.0
  • Type: <string> Must be 'KMAC128' or 'KMAC256'.

Class: KmacKeyAlgorithm

Added in: v24.8.0
kmacKeyAlgorithm.length
Added in: v24.8.0

The length of the KMAC key in bits.

kmacKeyAlgorithm.name
Added in: v24.8.0

Class: KmacKeyGenParams

Added in: v24.8.0
kmacKeyGenParams.length
Added in: v24.8.0

The number of bits to generate for the KMAC key. If omitted, the length will be determined by the KMAC algorithm used. This is optional and should be omitted for most cases.

kmacKeyGenParams.name
Added in: v24.8.0
  • Type: <string> Must be 'KMAC128' or 'KMAC256'.

Class: KmacParams

Added in: v24.8.0
kmacParams.algorithm
Added in: v24.8.0
  • Type: <string> Must be 'KMAC128' or 'KMAC256'.
kmacParams.customization
Added in: v24.8.0

The customization member represents the optional customization string.

kmacParams.length
Added in: v24.8.0

The length of the output in bytes. This must be a positive integer.

Class: Pbkdf2Params

Added in: v15.0.0
pbkdf2Params.hash
Added in: v15.0.0
History
Version Changes
v24.7.0

SHA-3 algorithms are now supported.

If represented as a <string>, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'
  • 'SHA3-256'4
  • 'SHA3-384'4
  • 'SHA3-512'4

If represented as an <Algorithm>, the object's name property must be one of the above listed values.

pbkdf2Params.iterations
Added in: v15.0.0

The number of iterations the PBKDF2 algorithm should make when deriving bits.

pbkdf2Params.name
Added in: v15.0.0
pbkdf2Params.salt
Added in: v15.0.0

Should be at least 16 random or pseudorandom bytes.

Class: RsaHashedImportParams

Added in: v15.0.0
rsaHashedImportParams.hash
Added in: v15.0.0
History
Version Changes
v24.7.0

SHA-3 algorithms are now supported.

If represented as a <string>, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'
  • 'SHA3-256'4
  • 'SHA3-384'4
  • 'SHA3-512'4

If represented as an <Algorithm>, the object's name property must be one of the above listed values.

rsaHashedImportParams.name
Added in: v15.0.0
  • Type: <string> Must be one of 'RSASSA-PKCS1-v1_5', 'RSA-PSS', or 'RSA-OAEP'.

Class: RsaHashedKeyAlgorithm

Added in: v15.0.0
rsaHashedKeyAlgorithm.hash
Added in: v15.0.0
rsaHashedKeyAlgorithm.modulusLength
Added in: v15.0.0

The length in bits of the RSA modulus.

rsaHashedKeyAlgorithm.name
Added in: v15.0.0
rsaHashedKeyAlgorithm.publicExponent
Added in: v15.0.0

The RSA public exponent.

Class: RsaHashedKeyGenParams

Added in: v15.0.0
rsaHashedKeyGenParams.hash
Added in: v15.0.0
History
Version Changes
v24.7.0

SHA-3 algorithms are now supported.

If represented as a <string>, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'
  • 'SHA3-256'4
  • 'SHA3-384'4
  • 'SHA3-512'4

If represented as an <Algorithm>, the object's name property must be one of the above listed values.

rsaHashedKeyGenParams.modulusLength
Added in: v15.0.0

The length in bits of the RSA modulus. As a best practice, this should be at least 2048.

rsaHashedKeyGenParams.name
Added in: v15.0.0
  • Type: <string> Must be one of 'RSASSA-PKCS1-v1_5', 'RSA-PSS', or 'RSA-OAEP'.
rsaHashedKeyGenParams.publicExponent
Added in: v15.0.0

The RSA public exponent. This must be a <Uint8Array> containing a big-endian, unsigned integer that must fit within 32-bits. The <Uint8Array> may contain an arbitrary number of leading zero-bits. The value must be a prime number. Unless there is reason to use a different value, use new Uint8Array([1, 0, 1]) (65537) as the public exponent.

Class: RsaOaepParams

Added in: v15.0.0
rsaOaepParams.label
Added in: v15.0.0

An additional collection of bytes that will not be encrypted, but will be bound to the generated ciphertext.

The rsaOaepParams.label parameter is optional.

rsaOaepParams.name
Added in: v15.0.0

Class: RsaPssParams

Added in: v15.0.0
rsaPssParams.name
Added in: v15.0.0
rsaPssParams.saltLength
Added in: v15.0.0

The length (in bytes) of the random salt to use.

Footnotes

  1. Requires OpenSSL >= 3.0 2 3

  2. Requires OpenSSL >= 3.2 2 3

  3. Requires OpenSSL >= 3.5 2 3 4 5 6

  4. See Modern Algorithms in the Web Cryptography API 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150

  5. See Secure Curves in the Web Cryptography API 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

© Joyent, Inc. and other Node contributors
Licensed under the MIT License.
Node.js is a trademark of Joyent, Inc. and is used with its permission.
We are not endorsed by or affiliated with Joyent.
https://nodejs.org/api/webcrypto.html