securefile

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 6, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package securefile provides AES-256-GCM encryption-at-rest for small on-disk blobs under a per-user random secret persisted (0600) beside the data file. The on-disk blob is nonce || ciphertext; GCM provides confidentiality AND tamper detection, so a corrupted/forged file fails closed on Open. It is a neutral, reusable extraction of the OAuth token store's encrypted-file backend, shared by the credential store (and available to other callers).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Crypter

type Crypter struct {
	// contains filtered or unexported fields
}

Crypter encrypts a blob at rest with AES-256-GCM under a per-user random secret persisted (0600) at secretPath.

func NewCrypter

func NewCrypter(secretPath string) *Crypter

NewCrypter returns a Crypter whose key lives at secretPath (created on first Seal). Keep secretPath beside the data file (e.g. data + ".secret").

func (*Crypter) Open

func (c *Crypter) Open(blob []byte) ([]byte, error)

Open decrypts a nonce||ciphertext blob, failing closed on a missing secret, a short blob, or a failed authentication tag (tampering / wrong key).

func (*Crypter) Seal

func (c *Crypter) Seal(plaintext []byte) ([]byte, error)

Seal encrypts plaintext, prefixing a fresh random nonce. It creates the secret on first use.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL