encrypt

package
v0.1.0
Warning

This package is not in the latest version of its module.

Published: Mar 16, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Overview

Package encrypt provides symmetric encryption for Tier 2 data-private storage. It uses AES-256-GCM for authenticated encryption.

Constants

const (
	// KeySize is the size of AES-256 keys in bytes.
	KeySize = 32

	// NonceSize is the size of GCM nonces in bytes.
	NonceSize = 12

	// SaltSize is the size of salts for key derivation.
	SaltSize = 16

	// Argon2Time is the time parameter for Argon2id.
	Argon2Time = 1

	// Argon2Memory is the memory parameter for Argon2id (64 MB).
	Argon2Memory = 64 * 1024

	// Argon2Threads is the parallelism parameter for Argon2id.
	Argon2Threads = 4
)

Variables

var (
	// ErrInvalidKey is returned when the encryption key is invalid.
	ErrInvalidKey = errors.New("invalid encryption key: must be 32 bytes")

	// ErrInvalidCiphertext is returned when ciphertext is too short.
	ErrInvalidCiphertext = errors.New("invalid ciphertext: too short")

	// ErrDecryptionFailed is returned when decryption fails (wrong key or tampered data).
	ErrDecryptionFailed = errors.New("decryption failed: authentication error")
)

Functions

func BytesToVector

func BytesToVector(data []byte) []float64

BytesToVector converts bytes back to a float64 slice.

func DeriveKey

func DeriveKey(password string, salt []byte) []byte

DeriveKey derives a 256-bit key from a password and salt using Argon2id. This is suitable for user-provided passwords.

func DeriveKeyWithSalt

func DeriveKeyWithSalt(password string) (key []byte, salt []byte, err error)

DeriveKeyWithSalt derives a key and returns both the key and a new random salt. Use this when creating a new encryption key from a password.

func GenerateKey

func GenerateKey() ([]byte, error)

GenerateKey generates a cryptographically secure random 256-bit key. Use this when you don't need password-based key derivation.

func VectorDimension

func VectorDimension(data []byte) int

VectorDimension returns the dimension of a vector stored in bytes.

func VectorToBytes

func VectorToBytes(vector []float64) []byte

VectorToBytes converts a float64 slice to bytes using little-endian encoding.

Types

type AESGCM

type AESGCM struct {
	// contains filtered or unexported fields
}

AESGCM implements Encryptor using AES-256-GCM.

func NewAESGCM

func NewAESGCM(key []byte) (*AESGCM, error)

NewAESGCM creates a new AES-256-GCM encryptor with the given key. Key must be exactly 32 bytes (256 bits).

func (*AESGCM) Decrypt

func (e *AESGCM) Decrypt(ciphertext []byte) ([]byte, error)

Decrypt decrypts ciphertext encrypted with Encrypt.

func (*AESGCM) DecryptVector

func (e *AESGCM) DecryptVector(ciphertext []byte) ([]float64, error)

DecryptVector decrypts a ciphertext back to a float64 vector.

func (*AESGCM) DecryptVectorWithID

func (e *AESGCM) DecryptVectorWithID(ciphertext []byte, id string) ([]float64, error)

DecryptVectorWithID decrypts a vector and verifies the ID.

func (*AESGCM) DecryptWithAAD

func (e *AESGCM) DecryptWithAAD(ciphertext, aad []byte) ([]byte, error)

DecryptWithAAD decrypts with additional authenticated data.

func (*AESGCM) Encrypt

func (e *AESGCM) Encrypt(plaintext []byte) ([]byte, error)

Encrypt encrypts plaintext using AES-256-GCM. It returns nonce (12 bytes) || ciphertext || tag (16 bytes).

func (*AESGCM) EncryptVector

func (e *AESGCM) EncryptVector(vector []float64) ([]byte, error)

EncryptVector encrypts a float64 vector for storage. Converts to bytes, encrypts, and returns ciphertext.

func (*AESGCM) EncryptVectorWithID

func (e *AESGCM) EncryptVectorWithID(vector []float64, id string) ([]byte, error)

EncryptVectorWithID encrypts a vector with its ID as additional authenticated data. This binds the ciphertext to the ID, preventing ID swapping attacks.

func (*AESGCM) EncryptWithAAD

func (e *AESGCM) EncryptWithAAD(plaintext, aad []byte) ([]byte, error)

EncryptWithAAD encrypts with additional authenticated data. AAD is authenticated but not encrypted (useful for metadata).

func (*AESGCM) KeyFingerprint

func (e *AESGCM) KeyFingerprint() string

KeyFingerprint returns a SHA-256 fingerprint of the key (first 8 bytes, hex encoded). Useful for verifying that keys match without exposing the key itself.

type Encryptor

type Encryptor interface {
	// Encrypt encrypts plaintext and returns ciphertext (nonce prepended).
	Encrypt(plaintext []byte) ([]byte, error)

	// Decrypt decrypts ciphertext and returns plaintext.
	Decrypt(ciphertext []byte) ([]byte, error)

	// EncryptWithAAD encrypts with additional authenticated data.
	EncryptWithAAD(plaintext, aad []byte) ([]byte, error)

	// DecryptWithAAD decrypts with additional authenticated data.
	DecryptWithAAD(ciphertext, aad []byte) ([]byte, error)

	// KeyFingerprint returns a fingerprint of the current key (for verification).
	KeyFingerprint() string
}

Encryptor provides symmetric encryption operations.
