Documentation

Overview

Package keychain provides cross-platform secure storage for secrets.

- macOS: the System Keychain stores the DEK (Data Encryption Key); data is encrypted with AES-256-GCM
- Linux: file-based DEK storage with AES-256-GCM encryption
- Windows: DPAPI + Registry storage

Index
- Constants
- func CleanupLegacyBackup(configDir string) error
- func Exists(service, account string) bool
- func Get(service, account string) (string, error)
- func HasLegacyData(configDir string) bool
- func Remove(service, account string) error
- func Set(service, account, data string) error
- func StorageDir(service string) string
- type KeychainAccess
- type MigrationResult
Constants

const (
	// Service is the unified keychain service name for all secrets.
	Service = "dws-cli"
	// AccountToken is the account key for storing auth token data.
	AccountToken = "auth-token"
)

Variables
This section is empty.
Functions

func CleanupLegacyBackup

func CleanupLegacyBackup(configDir string) error

CleanupLegacyBackup removes the backup file created during migration. Call it only after confirming that the new keychain storage works correctly.

func Get

func Get(service, account string) (string, error)

Get retrieves a value from the keychain. It returns an empty string and a nil error if the entry does not exist.

func HasLegacyData

func HasLegacyData(configDir string) bool

HasLegacyData reports whether the legacy .data file exists.

func StorageDir

func StorageDir(service string) string

StorageDir returns the storage directory for a given service name. It follows the XDG Base Directory Specification: ~/.local/share/<service>
Types

type KeychainAccess

type KeychainAccess interface {
	Get(service, account string) (string, error)
	Set(service, account, value string) error
	Remove(service, account string) error
}

KeychainAccess abstracts keychain Get/Set/Remove for dependency injection.
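The DEK design from the overview and the KeychainAccess injection point, worked through as an added example that is not the package's own code: an in-memory fake keychain (assumed; memKeychain, openDEK, seal and open are names chosen here) holds only the DEK, and each record is sealed with AES-256-GCM under its own random nonce.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "encoding/hex"; "errors")

// KeychainAccess is the interface documented on this page; memKeychain is an
// assumed in-memory fake that, like the documented Get, returns "" and nil when
// the entry does not exist.
type KeychainAccess interface {
	Get(service, account string) (string, error)
	Set(service, account, value string) error
	Remove(service, account string) error
}
type memKeychain map[string]string

func (m memKeychain) Get(s, a string) (string, error) { return m[s+"/"+a], nil }
func (m memKeychain) Set(s, a, v string) error      { m[s+"/"+a] = v; return nil }
func (m memKeychain) Remove(s, a string) error      { delete(m, s+"/"+a); return nil }

// openDEK returns an AES-256-GCM AEAD keyed by the DEK kept in the keychain,
// generating and storing a fresh 32-byte DEK on first use. Only the DEK lives
// in the keychain; the data it protects is written elsewhere as ciphertext.
func openDEK(kc KeychainAccess, service, account string) (cipher.AEAD, error) {
	stored, err := kc.Get(service, account)
	if err != nil { return nil, err }
	dek, err := hex.DecodeString(stored) // "" (no entry yet) decodes to empty
	if err == nil && len(dek) == 0 {
		dek = make([]byte, 32)
		if _, err = rand.Read(dek); err == nil {
			err = kc.Set(service, account, hex.EncodeToString(dek))
		}
	}
	if err != nil { return nil, err }
	block, err := aes.NewCipher(dek) // rejects a DEK that is not 16/24/32 bytes
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random nonce so one DEK can protect many records without
// nonce reuse; open reverses it, and the GCM tag makes any tampering fail.
func seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
```

A second openDEK call against the same keychain reloads the stored DEK rather than generating a new one, which is what lets previously sealed records stay readable.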
type MigrationResult

type MigrationResult struct {
	Migrated    bool   // true if migration was performed
	FromPath    string // source file path
	BackupPath  string // backup file path (if migrated)
	Error       error  // error if migration failed
	NeedRelogin bool   // true if the user needs to re-login
}

MigrationResult contains the result of a migration attempt.
func MigrateFromLegacy

func MigrateFromLegacy(configDir string) *MigrationResult

MigrateFromLegacy attempts to migrate from the legacy MAC-based encryption to the new keychain-based storage. It:

1. Checks if the legacy .data file exists
2. Tries to decrypt it with the MAC address
3. Re-encrypts the data and stores it in the keychain
4. Backs up the old file

If the keychain already has data, migration is skipped. If the legacy file doesn't exist, migration is skipped. If decryption fails (wrong MAC or corrupted file), the result has NeedRelogin=true.