Security Recommendations

Security Recommendations#

This page is the practical answer to:

“Which Epicrypt option should I choose for a new application?”

Quick Picks#

If you are starting fresh, prefer these defaults:

  • Password hashing: PasswordHasher with SecurityProfile::MODERN

  • Password upgrades: verifyAndRehash()

  • App payload encryption: DataProtection\StringProtector

  • Large file encryption: DataProtection\FileProtector

  • Envelope-style protected storage: DataProtection\EnvelopeProtector

  • API tokens with one shared secret: Token\Jwt\SymmetricJwt

  • API tokens with separate signer/verifier trust: Token\Jwt\AsymmetricJwt

  • Revocable random bearer tokens: Token\Opaque\OpaqueToken

  • Small signed action/reset payloads: Token\Payload\SignedPayload

  • Browser workflow tokens: Security domain helpers such as PasswordResetToken and SignedUrl

  • New ciphertext formats: modern DataProtection APIs

Public Surface First#

For new applications, start from these domains first:

  • Password

  • Token

  • DataProtection

  • Security

Treat these as lower-level or advanced:

  • Crypto for direct primitive control

Choose the Right Tool#

Passwords#

Use:

  • PasswordHasher for stored user passwords

  • PasswordStrength for quality feedback

  • verifyAndRehash() when you want login-time hash upgrades

Prefer:

  • SecurityProfile::MODERN

  • default Argon2id-based hashing

Avoid:

  • custom password hashing logic

  • storing app secrets as password hashes when you actually need reversible protection

Secrets and Stored Sensitive Values#

Use:

  • WrappedSecretManager for secrets that must be unwrapped later

  • SecureSecretSerializer for structured secret-bearing data

  • KeyRing plus rewrap helpers during rotation windows

Prefer:

  • one active master secret

  • short fallback windows for previous key versions

Protected Data#

Use:

  • StringProtector for ordinary application payloads

  • EnvelopeProtector when you want a structured encoded envelope

  • FileProtector for large files and streaming-safe encryption

  • FileProtector::reencryptWithAnyKey() when rotating protected files across key versions

Prefer:

  • re-encrypting artifacts under the active key when fallback keys match

  • decryptWithAnyKey() or reencryptWithAnyKey() only during rotation windows

  • result helpers like decryptWithAnyKeyResult() when rotation code needs to know which key matched

Avoid:

  • using low-level crypto primitives directly unless you really need them

Tokens#

Use:

  • SymmetricJwt when issuer and verifier share one secret

  • AsymmetricJwt when the signer should keep a private key and verifiers should only need public keys

  • OpaqueToken when token contents should stay server-side

  • SignedPayload for compact signed internal flows

Prefer:

  • kid plus key-set mode when rotating JWT signing keys

  • KeyRing-based verification helpers during short transition windows

  • verifyWithAnyKeyResult() when callers need to know whether a fallback key matched

Avoid:

  • mixing symmetric and asymmetric expectations in one verification path

  • exposing sensitive state in JWT claims when opaque tokens fit better

Crypto Primitives#

Use:

  • AeadCipher for authenticated encryption of short payloads

  • SecretBoxCipher when you specifically want secretbox semantics

  • SecretStream or FileProtector for large file workflows

  • Mac for shared-secret integrity

  • Signature for public/private signature verification

Prefer:

  • AeadAlgorithm::XCHACHA20_POLY1305_IETF for new AEAD usage

  • higher-level DataProtection APIs unless the primitive is truly what you need

Key Material and Derivation#

Use:

  • KeyMaterialGenerator for fresh random keys

  • KeyDeriver for derived keys

  • purpose-aware key generation helpers when available

Prefer:

  • generated keys for encryption keys

  • derived keys when the design specifically needs deterministic derivation

  • explicit context/info separation for derived subkeys

Key Rotation#

Use key-ring helpers during planned key rollover.

Prefer this pattern:

  1. issue new artifacts with the active key

  2. keep decode/verify paths able to read active and fallback keys during rollout

  3. re-encrypt or re-issue under the active key when a fallback key matches

  4. remove fallback keys after the rollover window closes

In particular:

  • prefer StringProtector and EnvelopeProtector for new protected data

  • follow the key rotation cookbook for active-key and fallback-key rollout patterns

Binary vs Base64URL#

Most public Epicrypt APIs expect Base64URL strings by default.

Use explicit context flags only when you are intentionally passing raw binary values, for example:

  • key_is_binary

  • nonce_is_binary

  • salt_is_binary

When possible, keep one format per application boundary instead of mixing both styles in the same layer.

Simple Rule of Thumb#

  • If a higher-level Password, Security, Token or DataProtection API fits your use case, choose it first.

  • Reach for Crypto primitives only when you need direct cryptographic control.

  • Prefer modern defaults and active-key rotation.