Virgil Security implementation of the Password-Hardened Encryption (PHE) protocol — protects user passwords from offline attacks and makes stolen passwords useless even if the database is compromised.
- Go 1.26+
Installation:

```sh
go get github.com/VirgilSecurity/virgil-phe-go
```

```go
import phe "github.com/VirgilSecurity/virgil-phe-go"
```

Server side (error handling omitted for brevity):

```go
// Generate server keypair
keypair, err := phe.GenerateServerKeypair()
// Create enrollment for a new user
enrollment, err := phe.GetEnrollment(keypair)
// Verify password
response, result, err := phe.VerifyPasswordExtended(keypair, request)
// Key rotation
token, newKeypair, err := phe.Rotate(keypair)
```

Client side:

```go
// Create client
client, err := phe.NewClient(serverPublicKey, clientPrivateKey)
// Enroll user password
record, encryptionKey, err := client.EnrollAccount(password, enrollmentResponse)
// Create verify request
request, err := client.CreateVerifyPasswordRequest(password, record)
// Verify and decrypt
key, err := client.CheckResponseAndDecrypt(password, record, response)
// Update record after rotation
updatedRecord, err := phe.UpdateRecord(record, token)
```

Encrypting data with the key obtained from enrollment or verification:

```go
// AES-256-GCM encrypt/decrypt with HKDF key derivation
ciphertext, err := phe.Encrypt(data, key)
plaintext, err := phe.Decrypt(ciphertext, key)
```

- Authors: Russell W. F. Lai, Christoph Egger, Manuel Reinert, Sherman S. M. Chow, Matteo Maffei and Dominique Schröder
- WhitePaper: https://virgilsecurity.com/wp-content/uploads/2018/11/PHE-Whitepaper-2018.pdf
- Go implementation by Alexey Ermishkin, VirgilSecurity, Inc.
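The enrollment, verification and rotation flow sketched in the usage snippets above, written out as a simplified, self-contained model. This is an added example, not the library's code, and every name in it is hypothetical: it keeps the PHE structure (server key x, client key y, a two-part record, update tokens that refresh records without re-enrollment) but omits the zero-knowledge proofs and uses H(..)·G in place of a real hash-to-curve.

```go
package main
import ("crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "math/big")
// Hypothetical, simplified PHE over P-256 in additive notation (not the library's code): no
// zero-knowledge proofs, and H(..)·G stands in for a real hash-to-curve. x: server key, y: client key.
var curve, N = elliptic.P256(), elliptic.P256().Params().N
type Point struct{ X, Y *big.Int }
type Record struct{ NS, NC []byte; T0, T1 Point } // T0 = HS0(NS)·x + HC0(NC,pw)·y,  T1 = HS1(NS)·x + (HC1(NC,pw)+M)·y
func RandScalar() *big.Int { k, _ := rand.Int(rand.Reader, N); return k }
func nonce() []byte        { n := make([]byte, 32); rand.Read(n); return n }
func hash(tag string, parts ...[]byte) Point { // demo stand-in for hash-to-curve
	h := sha256.New(); h.Write([]byte(tag)); for _, p := range parts { h.Write(p) }
	x, y := curve.ScalarBaseMult(h.Sum(nil)); return Point{x, y}
}
func mul(p Point, k *big.Int) Point { x, y := curve.ScalarMult(p.X, p.Y, k.Bytes()); return Point{x, y} }
func add(a, b Point) Point         { x, y := curve.Add(a.X, a.Y, b.X, b.Y); return Point{x, y} }
func sub(a, b Point) Point         { return add(a, Point{b.X, new(big.Int).Sub(curve.Params().P, b.Y)}) }
func keyOf(m Point) []byte         { k := sha256.Sum256(m.X.Bytes()); return k[:] }
// Enrollment: server blinds two nonce-derived points with x; client adds its password share
// under y plus a random point M, whose hash becomes the data-encryption key.
func GetEnrollment(x *big.Int) (ns []byte, c0, c1 Point) {
	ns = nonce(); return ns, mul(hash("hs0", ns), x), mul(hash("hs1", ns), x)
}
func EnrollAccount(y *big.Int, pw, ns []byte, c0, c1 Point) (Record, []byte) {
	nc, m := nonce(), mul(Point{curve.Params().Gx, curve.Params().Gy}, RandScalar())
	t0 := add(c0, mul(hash("hc0", nc, pw), y))
	t1 := add(c1, mul(add(hash("hc1", nc, pw), m), y))
	return Record{ns, nc, t0, t1}, keyOf(m)
}

// Verification: client strips its password share; server compares the remainder with
// HS0(NS)·x, so a stolen database alone cannot be used to test password guesses offline.
func VerifyRequest(y *big.Int, pw []byte, r Record) Point { return sub(r.T0, mul(hash("hc0", r.NC, pw), y)) }
func VerifyPassword(x *big.Int, ns []byte, c0 Point) (c1 Point, ok bool) {
	want := mul(hash("hs0", ns), x)
	if want.X.Cmp(c0.X) != 0 || want.Y.Cmp(c0.Y) != 0 { return Point{}, false } // real PHE also proves the failure
	return mul(hash("hs1", ns), x), true
}
func DecryptKey(y *big.Int, pw []byte, r Record, c1 Point) []byte {
	my := sub(sub(r.T1, c1), mul(hash("hc1", r.NC, pw), y)) // = M·y
	return keyOf(mul(my, new(big.Int).ModInverse(y, N)))
}

// Rotation token (a, b): x -> a·x+b, y -> a·y. Records are refreshed from public data only,
// and M (hence the data-encryption key) never changes, so stored ciphertexts stay valid.
func Rotate(x *big.Int) (a, b, newX *big.Int) {
	a, b = RandScalar(), RandScalar(); return a, b, new(big.Int).Mod(new(big.Int).Add(new(big.Int).Mul(a, x), b), N)
}
func RotateClient(y, a *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, y), N) }
func UpdateRecord(r Record, a, b *big.Int) Record {
	r.T0 = add(mul(r.T0, a), mul(hash("hs0", r.NS), b))
	r.T1 = add(mul(r.T1, a), mul(hash("hs1", r.NS), b))
	return r
}
```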