Documentation
Index
- Constants
- func Decrypt(key, nonce, ciphertext []byte) ([]byte, error)
- func DeriveKey(password, salt []byte) []byte
- func Encrypt(key, plaintext []byte) (ciphertext, nonce []byte, err error)
- func GenerateSalt() ([]byte, error)
- func PromptPassword(prompt string) ([]byte, error)
- func PromptPasswordConfirm(prompt, confirmPrompt string) ([]byte, error)
- func VerifyCanary(password, salt, nonce, encryptedCanary []byte) bool
- func ZeroBytes(b []byte)
Constants
const (
	// CanaryPlaintext is the known value encrypted in the canary record to
	// validate the master password without storing the password itself.
	CanaryPlaintext = "psst:canary:valid:v1"
)
Variables
This section is empty.
Functions
func Decrypt
Decrypt decrypts ciphertext with AES-256-GCM. GCM authentication ensures integrity; a wrong key or tampered ciphertext returns an error.
func DeriveKey
DeriveKey derives a 32-byte AES key from password+salt using Argon2id. The call is intentionally slow to resist brute-force attacks.
func Encrypt
Encrypt encrypts plaintext with AES-256-GCM using the provided 32-byte key. Returns (ciphertext, nonce, error). The nonce is randomly generated and must be stored alongside the ciphertext for decryption.
func GenerateSalt
GenerateSalt returns 16 cryptographically random bytes.
func PromptPassword
PromptPassword writes prompt to stderr and reads a password with echo suppressed. Returns an error if the password is empty.
func PromptPasswordConfirm
PromptPasswordConfirm prompts twice and returns an error unless both entries match (compared in constant time to avoid timing leaks).
func VerifyCanary
VerifyCanary derives the key from password+salt and attempts to decrypt the canary ciphertext, comparing the result against CanaryPlaintext in constant time. Returns true only if the password is correct.
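An added example, not the package's own source: a standard-library sketch of the AES-256-GCM canary check that Encrypt, Decrypt and VerifyCanary describe, including rejection of a wrong key, a tampered record and a malformed nonce. The names newGCM, seal and checkCanary are hypothetical, and the key is passed in directly (a constructed all-zero sample key in main) in place of the Argon2id DeriveKey step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

const canaryPlaintext = "psst:canary:valid:v1" // value of CanaryPlaintext documented above

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256 only: reject 16- and 24-byte keys
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) (ciphertext, nonce []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // fresh random nonce; caller stores it with the ciphertext
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nonce, nil
}

// checkCanary: Open panics on a wrong-length nonce, so reject that first.
func checkCanary(key, nonce, encryptedCanary []byte) bool {
	gcm, err := newGCM(key)
	if err != nil || len(nonce) != gcm.NonceSize() {
		return false
	}
	pt, err := gcm.Open(nil, nonce, encryptedCanary, nil)
	return err == nil && subtle.ConstantTimeCompare(pt, []byte(canaryPlaintext)) == 1
}

func main() {
	ct, nonce, _ := seal(make([]byte, 32), []byte(canaryPlaintext)) // constructed all-zero sample key
	fmt.Println(checkCanary(make([]byte, 32), nonce, ct), checkCanary(make([]byte, 32), nonce[:8], ct))
}
```

The final constant-time comparison matters when the key is correct but the record holds some other authenticated plaintext: GCM alone would accept it, the canary comparison does not.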
Types
This section is empty.