I was surprised that branca-js only allows the provision of a "32 byte" key as a string of 32 bytes in length (from a set of password chars left up to the user) and not the much more cryptographically secure 32 bytes of actual random bytes (each byte 0-255).

If developers are using the password example you gave (supersecretkeyyoushouldnotcommit) and follow this pattern (all lower case) they are only getting 26^32 keyspace which is only 150 bits of entropy, not the required 256. Using a strong password generator to make use of upper, lower, numbers, and special chars still isn't nearly as strong as full bytes. If they generated 32 bytes of random hex (64 chars) they would be getting a 256^32 keyspace which is astronomically harder to brute force.

Using this "password" mechanism, without using a key-derivation function would seem to be an unsafe choice.

https://generatepasswords.org/how-to-calculate-entropy/

Possible combinations:

> 26**32
1.901722457268488e+45
> 256**32
1.157920892373162e+77

Entropy

> Math.log2(26**32)
150.41407098051494
> Math.log2(256**32)
256

The code change is trivial. Changing Buffer.from('apasswordstring') to Buffer.from('deadbeef', 'hex'). Of course this would be a breaking change, but a semver major version bump should allow for that in the name of greatly increased security.

Generating such a key in a node repl is trivial and secure:

> crypto.randomBytes(32).toString('hex')
'7ed049e344f73f399ba1f7868cf9494f4b13347ecce02a8e463feb32507b73a5'

Cheers.

I just wanted to let you know that I just added support for Branca in https://github.com/pascalgn/yaml-crypt
Fernet seems a bit unmaintained currently, so thanks for Branca! 👍

Hi, I noticed that you have a new README in the works for addressing the changes in #12

https://github.com/tuupola/branca-js/tree/key-readme

I have a few suggested changes you might consider for the new Key section. A new release with the updated README would be great.

## Secret key

The token is encrypted using a 32 byte secret key. You can pass the secret key either as an instance of `Buffer` or a hex encoded string. The value of the key must be protected and should not be stored in your application code. In the examples that follow the key is generated on the fly only for demonstration purposes.

From hex string:

```javascript
const key = "7ed049e344f73f399ba1f7868cf9494f4b13347ecce02a8e463feb32507b73a5";
const branca = require("branca")(key);
```

From a hex string as a Buffer:

```javascript
const key = Buffer.from("7ed049e344f73f399ba1f7868cf9494f4b13347ecce02a8e463feb32507b73a5", "hex");
const branca = require("branca")(key);
```

You should not use human readable, or memorable, strings as the secret key. Instead always generate the key using cryptographically secure random bytes. You can do this, for example, from the command-line with Node.js itself or `openssl`. 

```sh
$ node
Welcome to Node.js v16.2.0.
Type ".help" for more information.
> crypto.randomBytes(32).toString("hex")
'46cad3699da5766c45e80edfbf19dd2debc311e0c9046a80e791597442b2daf0'
```

```sh
$ openssl rand -hex 32
29f7d3a263bd6fcfe716865cbdb00b7a317d1993b8b7a3a5bae6192fbe0ace65
```

I see that you say:

Payload is encrypted and authenticated using IETF XChaCha20-Poly1305. Note that this is Authenticated Encryption with Additional Data (AEAD) where the he header part of the token is the additional data.

Awesome!

I wonder if you think Branca could be useful in helping me here (see this demo fiddle, also pasted below)?

//TODO: how can this key be replaced with the key at https://softwarerecs.stackexchange.com/q/52107/14834 ?
const key = "supersecretkeyyoushouldnotcommit";
const branca = require("branca")(key);

const origText = "shhh this is a secret";
const token = branca.encode(origText);
console.log('Now here is the encrypted version: ', token);

const payload = branca.decode(token);
console.log('Hopefully what appears here is the original again (after decryption): ', payload.toString());

if (origText === payload.toString()){
	console.log('Success!');
} else {
	console.error('ERROR: they do not match!');
}

It relates to my question on Stack Exchange about replacing libsodium.js.

Thanks for your help.