Documentation
¶
Overview ¶
Package secrets provides the encrypted secret vault.
Package secrets encrypts inline connection secrets and reusable credential material at rest behind a SecretStore interface, so the backend (local vault, KMS, …) is swappable without touching callers.
Index ¶
- Constants
- Variables
- func DecryptMap(ctx context.Context, store SecretStore, in map[string][]byte) (map[string]string, error)
- func EncodeMasterKey(key []byte) string
- func EncryptMap(ctx context.Context, store SecretStore, in map[string]string) (map[string][]byte, error)
- func GenerateMasterKey() ([]byte, error)
- func LoadMasterKey() ([]byte, error)
- func RedactParams(params map[string]string, secretKeys map[string]bool) map[string]string
- func ResolveMasterKey(key, file string) ([]byte, error)
- func State(present bool) string
- type SecretStore
- type Vault
Constants ¶
const ( EnvMasterKey = "SHELLCN_MASTER_KEY" // base64-encoded 32-byte key EnvMasterKeyFile = "SHELLCN_MASTER_KEY_FILE" // path to a file holding the key )
Environment variables the master key is loaded from.
const MasterKeySize = 32
MasterKeySize is the required master-key length (AES-256).
const Placeholder = "***"
Placeholder replaces a secret value anywhere it would otherwise be shown.
Variables ¶
var ( // ErrMasterKey is returned when the master key is missing or the wrong size. ErrMasterKey = errors.New("secrets: invalid master key") // ErrCiphertext is returned when a blob is malformed or fails authentication. ErrCiphertext = errors.New("secrets: invalid ciphertext") )
Functions ¶
func DecryptMap ¶
func DecryptMap(ctx context.Context, store SecretStore, in map[string][]byte) (map[string]string, error)
DecryptMap decrypts every ciphertext value into its plaintext string. Used at connect time to turn a connection's stored inline secrets into usable config.
func EncodeMasterKey ¶
EncodeMasterKey renders a key as base64 for storage in env/file.
func EncryptMap ¶
func EncryptMap(ctx context.Context, store SecretStore, in map[string]string) (map[string][]byte, error)
EncryptMap encrypts every plaintext value into ciphertext for storage.
func GenerateMasterKey ¶
GenerateMasterKey returns a fresh random 32-byte key (for dev / tooling).
func LoadMasterKey ¶
LoadMasterKey reads the AES-256 master key from the environment.
func RedactParams ¶
RedactParams returns a copy of params with the values of secretKeys replaced by Placeholder — used before params reach logs or the audit log.
func ResolveMasterKey ¶
ResolveMasterKey takes an inline base64 key (precedence) or a key file path holding base64 or raw 32 bytes.
Types ¶
type SecretStore ¶
type SecretStore interface {
Encrypt(ctx context.Context, plaintext []byte) ([]byte, error)
Decrypt(ctx context.Context, ciphertext []byte) ([]byte, error)
}
SecretStore encrypts and decrypts opaque blobs. Implementations keep the master key; callers never see it. The local vault uses envelope encryption (per-record data key wrapped by the master key); a KMS/OpenBao backend can drop in behind the same interface.
type Vault ¶
type Vault struct {
// contains filtered or unexported fields
}
Vault is the local AES-256-GCM SecretStore. Each Encrypt mints a random data key (DEK), encrypts the plaintext with it, then wraps the DEK with the master key (KEK). The self-describing blob layout is:
version(1) | kekNonce(12) | wrappedDEK(48) | dekNonce(12) | ciphertext(…)
Rotating the master key means unwrapping every record's DEK with the old KEK and re-wrapping with the new one — the bulk ciphertext is untouched.