API | Wiki | Latest releases | Slack channel
Tempel is a lightweight encryption framework that wraps the JVM's native crypto facilities to provide a particularly high-level Clojure API for easily protecting your users' data.
More than another collection of crypto utils, Tempel offers a coherent and opinionated API for secure data management and is focused on helping you with the toughest parts of actually using encryption in practice.
Its tiny API and focus on smart keychains helps shield you from unnecessary and error-prone complexity, greatly simplifying the most common data security needs.
2024-02-26v1.0.0-RC1: release info
See here for earlier releases.
- Easy-to-use, high-level API focused on common tasks like logins, encryption, signing, etc.
- Reasonable defaults including choice of algorithms and work factors.
- Future-proof data formats with auto-updated algorithms and work factors over time.
- Support for ⧉ symmetric, ⧉ asymmetric (public-key), and ⧉ end-to-end (E2EE) encryption.
- Automatic ⧉ scrypt and ⧉ pbkdf2 support for easy password-based key stretching.
- Simple key management API for password resets, key rotations, etc.
- Extensive beginner-oriented documentation, docstrings, and error messages.
- Comprehensive test suite with >60k unit tests.
Note that Tempel is not intended for interop with other cryptographic tools/APIs!
See for intro and usage:
(require
'[taoensso.tempel :as tempel]
'[taoensso.nippy :as nippy])
;; Create a new private `KeyChain`:
(def my-keychain! (tempel/keychain))
;; => {:n-sym 1, :n-prv 2, :n-pub 2, :secret? true}
;; Use our `KeyChain` to encrypt some data:
(def my-encrypted-data
(tempel/encrypt-with-symmetric-key
(nippy/freeze "My secret data")
my-keychain!)) ; => Encrypted bytes
;; Get back the original unencrypted data:
(nippy/thaw
(tempel/decrypt-with-symmetric-key
my-encrypted-data my-keychain!)) ; => "My secret data"
;; It's safe to store encrypted `KeyChain`s:
(def my-encrypted-keychain
(tempel/encrypt-keychain my-keychain!
{:password "My password"})) ; => Encrypted bytes
;; Get back the original unencrypted `KeyChain`:
(= my-keychain!
(tempel/decrypt-keychain my-encrypted-keychain
{:password "My password"})) ; => true
;; `KeyChain`s also support:
;; - `encrypt-with-1-keypair`
;; - `encrypt-with-2-keypairs`
;; - `sign`
;; See docstrings and/or wiki for more info!- Wiki (getting started, usage, etc.)
- API reference: cljdoc or Codox
- Support: Slack channel or GitHub issues
Tempel has a fixed scope, and is fully complete. I'm happy with its design and implementation, and believe it meets all its objectives in its current form. I'm not anticipating significant changes.
Still, given the sensitivity of the problem domain, I plan to approach Tempel's official stable release as a phased rollout to allow time for feedback before locking things down:
| Phase | Date | Release | Appropriate for |
|---|---|---|---|
| ➤ | 2024-02 | v1.0-RC1 |
Staging, with ephemeral or low-value data |
| 2024-08 | v1.0 final |
Production, with real data |
v1.0 final will be considered "done"- the library is expected to need see only minimal maintance from that point.
Important: while Tempel has been written and tested with care, the nature of the problem domain inevitably means that bugs and/or misuse can be especially harmful and/or easy to make.
Bugs and/or misuse could lead to security vulnerabilities or even permanent data loss.
Please be very careful evaluating Tempel and/or other cryptographic libraries/frameworks before use, especially new libraries/frameworks like Tempel!
See here for security advisories and/or to report security vulnerabilities.
You can help support continued work on this project, thank you!! 🙏
Copyright © 2023-2024 Peter Taoussanis.
Licensed under EPL 1.0 (same as Clojure).