keychain

package
v0.9.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 1, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Overview

Package keychain seals and retrieves the user's X25519 private key using the OS-native secret store (Keychain on macOS, Secret Service on Linux).

Index

Constants

This section is empty.

Variables

View Source
var ErrAlreadyExists = errors.New("key already exists for this id (delete it first to regenerate)")

ErrAlreadyExists is returned by Seal when a key already exists for the given id.

View Source
var ErrBadPassphrase = errors.New("incorrect passphrase or corrupted key blob")

ErrBadPassphrase is returned when the supplied passphrase fails to decrypt the stored key (wrong passphrase or tampered/corrupted blob). It is intentionally distinct from ErrNotFound so callers can tell "no key" from "wrong passphrase".

View Source
var ErrNotAvailable = errors.New("no keychain backend available on this system")

ErrNotAvailable is returned when no keychain backend is present on this system.

View Source
var ErrNotFound = errors.New("key not found in keychain")

ErrNotFound is returned when no key exists for the given id.

View Source
var ErrUnsupportedKeyVersion = errors.New("private key was written by a newer envault version — upgrade envault to use it")

ErrUnsupportedKeyVersion is returned when the keychain holds a key envelope written by a NEWER envault than this binary understands (e.g. a future v3 format), or a blob in no recognized format. Forward-compatibility guard: we fail loudly and actionably rather than silently misreading the bytes as a key.

Functions

This section is empty.

Types

type PassphraseFunc

type PassphraseFunc func(prompt string) ([]byte, error)

PassphraseFunc obtains the passphrase used to wrap/unwrap the private key. prompt is a human-readable hint describing why the passphrase is needed.

type Store

type Store interface {
	Seal(id string, privateKey []byte) error
	Unseal(id string) ([]byte, error)
	Delete(id string) error
}

Store seals and retrieves private key material in the OS-native secret store.

func New

func New() (Store, error)

New returns a Store backed by the Linux kernel keyring via keyctl(1).

func NewProtected

func NewProtected(inner Store, ask PassphraseFunc) Store

NewProtected wraps inner so that every Seal encrypts the private key under a passphrase-derived key (Argon2id → AES-256-GCM) and every Unseal decrypts it. Legacy unprotected blobs (raw 32-byte keys from older versions) are still readable, but new writes always use the protected format.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL