ejson - A JSON file with asymmetric-key-encrypted values
An ejson file is syntactically a JSON file, but with a few minor semantic
additions described below.

ejson files are, by convention, saved with the extension ".ejson".
Each ejson file must have a key at the top level named "_public_key". This
implies that the top-level structure must be an object, not an array.

The "_public_key" key must have a string value: the hex encoding of a
32-byte public key (64 ASCII hex characters), as generated by
ejson-keygen(1). Every encrypted value in the file is encrypted to this key,
so only the holder of the matching private key can decrypt it. The public key
itself is stored in plaintext and is not protected by the encryption, so a
change to "_public_key" deserves the same review as a change to the secrets
themselves: values encrypted after the change are readable only by whoever
holds the private half of the new key.

By convention, "_public_key" should be the first key in the file.
A value is considered encryptable if:

1. It is a string (numbers, booleans and null are not encryptable);
2. It is a value, not a key (that is, it sits on the right-hand side of a
   ":"); and
3. Its key does not begin with an underscore ("_").

Take special note of point 3. This is the reason "_public_key" isn't
encrypted, and it can be used to construct metadata schemes. For example, in
the excerpt below, only the values for rotation_password and secret will be
encrypted.
"my_secret": {
"_description": "API key for foocorp",
"_rotation": "https://example.com/foocorp/apikey",
"_rotation_username": "admin",
"rotation_password": "password",
"secret": "123123123123123123123"
}
Also note that this underscore "unencryptable" attribute does not inherit. For
example, the password in this excerpt will
be encrypted.
"_unencryptable": {
"password": "encrypted anyway"
}
When a value is encrypted, it will be replaced by a relatively long string of
the form "EJ[V:P:N:M]". The fields are:

  V  (decimal-as-string int)
     Schema version, hard-coded to "1" for now
  P  (base64-encoded 32-byte array)
     Public key of an ephemeral keypair used to encrypt this value
  N  (base64-encoded 24-byte array)
     Nonce used to encrypt this value
  M  (base64-encoded variable-length array)
     Raw ciphertext

The ephemeral public key and nonce are generated when the value is encrypted,
so encrypting the same plaintext twice yields two different strings. A value
that is already in this form is recognised as encrypted and left untouched by
ejson-encrypt(1), which is what makes repeated encryption of a file safe.
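The following is an added example, not code from the ejson project, that applies the
rules above at the format level: it validates the top-level "_public_key", walks a
document to list which values the three encryptability rules select (including the
"does not inherit" case), and parses an "EJ[V:P:N:M]" string into its fields while
checking the 32-byte and 24-byte sizes the format fixes. It performs no cryptography.
The sample document, the placeholder public key and the placeholder boxed value are
constructed here; the treatment of strings inside arrays as encryptable values is an
assumption about the tool, since the text above speaks only of keys and values.

```python
"""Format-level checks for an ejson document (added example, not ejson's own code)."""
import base64
import binascii
import json
import re

# "_public_key" must be the hex encoding of a 32-byte key: exactly 64 hex characters.
PUBLIC_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Encrypted values have the form EJ[V:P:N:M]: V decimal, P/N/M standard base64.
BOXED_RE = re.compile(
    r"^EJ\[(\d+):([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)\]$")


def validate_public_key(doc):
    """Return the 32 raw key bytes, or raise ValueError if the file breaks the rules."""
    if not isinstance(doc, dict):
        raise ValueError("top-level structure must be an object, not an array")
    pk = doc.get("_public_key")
    if not isinstance(pk, str):
        raise ValueError('"_public_key" is missing or is not a string')
    if not PUBLIC_KEY_RE.match(pk):
        raise ValueError('"_public_key" must be 64 hex characters (32 bytes)')
    return bytes.fromhex(pk)


def is_boxed(value):
    """True if value already has the EJ[V:P:N:M] shape."""
    return isinstance(value, str) and BOXED_RE.match(value) is not None


def encryptable_paths(node, path=()):
    """Paths (tuples of keys / list indexes) of every value the rules treat as encryptable.

    Rule 1: only strings. Rule 2: only values, never keys. Rule 3: a string whose own
    key starts with "_" is left alone, but that does not inherit, so an object or array
    under an underscore key is still walked.
    Assumption: strings inside arrays are values and therefore encryptable.
    """
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith("_") and isinstance(value, str):
                continue  # rule 3: e.g. "_public_key", "_description"
            found.extend(encryptable_paths(value, path + (key,)))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(encryptable_paths(value, path + (index,)))
    elif isinstance(node, str):
        found.append(path)  # rule 1: numbers, booleans and null fall through
    return found


def _lookup(node, path):
    for step in path:
        node = node[step]
    return node


def pending_paths(doc):
    """Encryptable values not yet boxed: what a fresh encryption run would replace."""
    return [p for p in encryptable_paths(doc) if not is_boxed(_lookup(doc, p))]


def parse_boxed_value(value):
    """Split EJ[V:P:N:M] into its fields and check the sizes the format fixes."""
    match = BOXED_RE.match(value)
    if not match:
        raise ValueError("not an EJ[V:P:N:M] string")
    version, p, n, m = match.groups()
    if version != "1":
        raise ValueError("unsupported schema version %s" % version)
    try:
        ephemeral_pk = base64.b64decode(p, validate=True)
        nonce = base64.b64decode(n, validate=True)
        ciphertext = base64.b64decode(m, validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64 in boxed value: %s" % exc)
    if len(ephemeral_pk) != 32:
        raise ValueError("ephemeral public key must be 32 bytes")
    if len(nonce) != 24:
        raise ValueError("nonce must be 24 bytes")
    return {"version": 1, "ephemeral_public_key": ephemeral_pk,
            "nonce": nonce, "ciphertext": ciphertext}


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed placeholder: a well-formed envelope, not a real ciphertext.
SAMPLE_BOXED = "EJ[1:%s:%s:%s]" % (_b64(b"\x01" * 32), _b64(b"\x02" * 24), _b64(b"\x03" * 20))

# Constructed sample file: the excerpts above plus a placeholder key ("a1" * 32,
# not a real key) and a few extra values to exercise each rule.
SAMPLE_TEXT = """{
  "_public_key": "%s",
  "my_secret": {
    "_description": "API key for foocorp",
    "_rotation": "https://example.com/foocorp/apikey",
    "_rotation_username": "admin",
    "rotation_password": "password",
    "secret": "123123123123123123123"
  },
  "_unencryptable": {
    "password": "encrypted anyway"
  },
  "already_done": "%s",
  "retries": 3,
  "hosts": ["a.example.com", "b.example.com"]
}""" % ("a1" * 32, SAMPLE_BOXED)
SAMPLE_DOC = json.loads(SAMPLE_TEXT)

if __name__ == "__main__":
    validate_public_key(SAMPLE_DOC)
    for path in pending_paths(SAMPLE_DOC):
        print("would encrypt:", "/".join(str(step) for step in path))
    print(parse_boxed_value(SAMPLE_BOXED))
```

Running the block lists rotation_password, secret, _unencryptable/password and the two
hosts entries as pending, skips already_done because it is already boxed, and never
lists the underscore-keyed strings or the integer.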
SEE ALSO
  ejson(1), ejson-encrypt(1), ejson-decrypt(1), ejson-keygen(1)