This is a minimal command-line tool to encrypt and decrypt messages using RSA public/private key pairs. It supports multiple key pairs stored in a directory, automatically tries all private keys for decryption, and is compatible with standard OpenSSL PEM-format keys. It uses Node.js and the native crypto module only.
Supports both direct strings and file inputs, and outputs either raw text or JSON metadata.
You can replace KEY_NAME_HERE with what you want to call your key
openssl genpkey -algorithm RSA -out KEY_NAME_HERE.priv.pem -pkeyopt rsa_keygen_bits:2048openssl rsa -pubout -in KEY_NAME_HERE.priv.pem -out KEY_NAME_HERE.pub.pemPlace these files in your key directory, e.g. ~/.keys/.
- Keys must follow the naming pattern:
KEY_NAME_HERE.pub.pemfor public keys
KEY_NAME_HERE.priv.pemfor private keys
Note: If you are encrypting longer messages (+190~ characters) you must use the --aes flag.
Encrypt a message using the first or a specific public key:
node index.js --encrypt --key-id KEY_NAME_HERE --plaintext "my secret" -o encrypted.txtOr:
node index.js -e -ptf message.txt -id KEY_NAME_HEREDecrypt from a base64 string:
node index.js --cypher-text "..." Decrypt from a file and write output to a JSON file:
node index.js --cypher-text-file encrypted.txt --output result.jsonDecrypt to raw plaintext only:
node index.js --cypher-text-file encrypted.txt --rawNote: If you are encrypting longer messages (+190~ characters) you must use the --aes flag.
These can be used instead of CLI flags. CLI flags take precedence.
| Variable | Default | Description |
|---|---|---|
DEEC_KEYS |
~/.keys |
Directory to load key pairs from |
DEEC_MODE |
decrypt |
Either encrypt or decrypt |
DEEC_KEY_ID |
(optional) | Public key name to use when encrypting |
DEEC_OUTPUT |
(optional) | File to write output |
DEEC_PLAINTEXT |
(optional) | Plaintext string to encrypt |
DEEC_PLAINTEXT_FILE |
(optional) | File path containing plaintext |
DEEC_CIPHER_TEXT |
(optional) | Ciphertext string to decrypt |
DEEC_CIPHER_TEXT_FILE |
(optional) | File path containing ciphertext |
| Flag | Description |
|---|---|
--encrypt, -e |
Enable encryption mode |
--decrypt, -d |
Enable decryption mode (default) |
--keys <path>, -k <path> |
Override key directory |
--key-id <id>, -id <id> |
Public key ID to use when encrypting |
--output <file>, -o <file> |
File to write output |
--cypher-text <str>, -ct |
Ciphertext string to decrypt |
--cypher-text-file <file> |
Ciphertext file to decrypt |
--plaintext <str>, -pt |
Plaintext string to encrypt |
--plaintext-file <file> |
Plaintext file to encrypt |
--aes |
Enable hybrid AES+RSA encryption |
--raw |
Output raw plaintext (no JSON) |
--help, -h |
Show help menu |
By default, decryption results are printed as JSON:
{
"keyId": "main",
"padding": 4,
"hash": "sha256",
"output": "decrypted message here"
}Use --raw to print only the plaintext.
Use these tools for testing only. Do not paste private keys into these websites.
- Generate keys (Java-based): https://www.devglan.com/online-tools/rsa-encryption-decryption
- Encrypt/decrypt in browser (Node-compatible): https://emn178.github.io/online-tools/rsa/encrypt
Be sure to select SHA256 when encrypting. The default option will not work with Node.js.
Never share or expose your private keys. Store them securely and offline whenever possible. This tool uses standard RSA encryption but should not be considered secure without proper key handling practices.