Documentation
Overview
Package credstore stores cloud-provider credentials at rest, encrypted with a per-machine master key.
The design follows the same headless-friendly pattern as shared/secrets: on Linux/macOS it uses a 0600 file in $HOME (which works over SSH, in CI, and in containers with no graphical session); on Windows it uses the Credential Manager via go-keyring.
Storage layout (Linux/macOS):
    ~/.nextdeploy/credstore/master.key      # 32-byte random AES-256 key, mode 0600
    ~/.nextdeploy/credstore/<provider>.enc  # AES-GCM(payload), mode 0600
Each provider entry is a JSON map of credential field → value, encrypted as a single blob. Adding or removing a field re-encrypts the whole entry.
All values returned by Load are auto-registered with the sensitive package so log redaction kicks in without callers having to remember.
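The entry format described above (a JSON field map sealed as one AES-256-GCM blob), as an added example that is not credstore's own code. The function names, the `nonce || ciphertext || tag` layout and the sample field values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// gcm wraps the master key in AES-256-GCM; a [32]byte key means neither constructor can fail.
func gcm(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal encrypts the whole field map as one blob.
// Assumed layout (the page does not give one): nonce || ciphertext || tag.
func seal(g cipher.AEAD, fields map[string]string) []byte {
	plain, _ := json.Marshal(fields) // a map[string]string always marshals
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy means no safe nonce; never fall back to a fixed one
	}
	return g.Seal(nonce, nonce, plain, nil)
}

// open authenticates before decrypting: a modified blob or the wrong key fails in Open.
func open(g cipher.AEAD, blob []byte) (fields map[string]string, err error) {
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("entry is %d bytes, shorter than a nonce", len(blob))
	}
	plain, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	err = json.Unmarshal(plain, &fields)
	return fields, err
}

func main() {
	var key [32]byte // constructed stand-in for the contents of master.key
	if _, err := rand.Read(key[:]); err != nil {
		panic(err)
	}
	blob := seal(gcm(&key), map[string]string{"access_key_id": "EXAMPLE-ID"})
	fmt.Println(open(gcm(&key), blob))
}
```

When such a blob is written with `os.WriteFile(path, blob, 0o600)`, the mode applies only if the call creates the file; an existing file keeps the mode it already had.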
Constants
This section is empty.
Variables
var ErrNotFound = errors.New("credstore: entry not found")
ErrNotFound signals that no entry exists for the requested provider.
Functions
Types
This section is empty.