Documentation
Overview
Package secrets handles encryption/decryption operations via SOPS. It implements the design from ADR-050: Writ Encrypted Files via SOPS.
Functions
func DecryptData
DecryptData decrypts SOPS-encrypted data, using the source path to determine the format. SOPS handles key resolution via .sops.yaml plus the following environment variables and default key location:
- SOPS_AGE_KEY: age key contents
- SOPS_AGE_KEY_FILE: path to age key file
- ~/.config/sops/age/keys.txt: default age key location
func DecryptFile
DecryptFile decrypts a SOPS-encrypted file and writes the result to target with the specified permissions. If the file is already plaintext (smudge filter active), it is copied as-is.
func IsEncrypted
IsEncrypted checks if data is a SOPS-encrypted envelope. Returns false if the data is plaintext (e.g., smudge filter decrypted it).
func IsSecretFile
IsSecretFile checks if a filename indicates an encrypted file. This checks extensions, not file content.
Types
type Manager
type Manager struct {
	// contains filtered or unexported fields
}
Manager handles encryption/decryption operations via SOPS.
func NewManager
NewManager creates a Manager that searches for .sops.yaml starting from sourceRoot, walking up the directory tree. Returns nil (not an error) if no .sops.yaml is found.
func (*Manager) ConfigPath
ConfigPath returns the path to the .sops.yaml file, or an empty string if none was found.
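
The upward search for .sops.yaml described under NewManager and the content-based check described under IsEncrypted, sketched as an added example; this is not the package's own code. The names findSopsConfig and looksLikeSopsEnvelope are hypothetical, the sample documents are constructed, and the envelope test is an assumed heuristic (a sops metadata block carrying a mac for JSON, a top-level sops key plus ENC[AES256_GCM,...] values for YAML), not the package's actual rule.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// findSopsConfig walks up from start looking for a .sops.yaml file.
// It returns "" (not an error) when the root is reached without a match.
func findSopsConfig(start string) string {
	dir := filepath.Clean(start)
	for {
		candidate := filepath.Join(dir, ".sops.yaml")
		if info, err := os.Stat(candidate); err == nil && !info.IsDir() {
			return candidate
		}
		parent := filepath.Dir(dir)
		if parent == dir { // filesystem root: nothing above this
			return ""
		}
		dir = parent
	}
}

// looksLikeSopsEnvelope inspects content, not the filename, so a file that a
// smudge filter already decrypted is reported as plaintext (assumed heuristic).
func looksLikeSopsEnvelope(data []byte) bool {
	var doc map[string]json.RawMessage
	if json.Unmarshal(data, &doc) == nil { // JSON object: need sops.mac
		var meta struct{ Mac string `json:"mac"` }
		return json.Unmarshal(doc["sops"], &meta) == nil && meta.Mac != ""
	}
	// YAML: a top-level "sops:" key and at least one encrypted value.
	hasMeta := bytes.HasPrefix(data, []byte("sops:")) || bytes.Contains(data, []byte("\nsops:"))
	return hasMeta && bytes.Contains(data, []byte("ENC[AES256_GCM,"))
}

func main() {
	// Constructed sample, not real ciphertext.
	enc := []byte("password: ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]\nsops:\n    mac: ENC[AES256_GCM,data:DDDD,iv:EEEE,tag:FFFF,type:str]\n")
	fmt.Println(looksLikeSopsEnvelope(enc), looksLikeSopsEnvelope([]byte("password: hunter2\n")))
	fmt.Printf("config: %q\n", findSopsConfig("."))
}
```

A file with a secret-looking extension can still fail the content check, which is the case DecryptFile handles by copying the plaintext as-is.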