Documentation
¶
Overview ¶
Package securefile provides AES-256-GCM encryption-at-rest for small on-disk blobs under a per-user random secret persisted (0600) beside the data file. The on-disk blob is nonce || ciphertext; GCM provides confidentiality AND tamper detection, so a corrupted/forged file fails closed on Open. It is a neutral, reusable extraction of the OAuth token store's encrypted-file backend, shared by the credential store (and available to other callers).
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Crypter ¶
type Crypter struct {
// contains filtered or unexported fields
}
Crypter encrypts a blob at rest with AES-256-GCM under a per-user random secret persisted (0600) at secretPath.
func NewCrypter ¶
NewCrypter returns a Crypter whose key lives at secretPath (created on first Seal). Keep secretPath beside the data file (e.g. data + ".secret").