crypto

package
v0.8.2 Latest
Warning

This package is not in the latest version of its module.
Published: Jun 11, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Constants

const (
	SourceEnv     = "env"
	SourceKeyring = "keyring"
	SourceFile    = "file"
)

Source identifiers returned by Load/Store operations.

Variables

This section is empty.

Functions

func Decrypt

func Decrypt(ciphertext []byte, identity age.Identity) ([]byte, error)

Decrypt decrypts ciphertext using the given age identity (private key).

func DecryptWithPassphrase

func DecryptWithPassphrase(ciphertext []byte, passphrase string) ([]byte, error)

DecryptWithPassphrase decrypts data encrypted with a passphrase.

func DeleteKey

func DeleteKey() error

DeleteKey removes the age private key from both the OS keyring and the file fallback. Missing entries in either backend are ignored, including the case where the keyring backend itself is unavailable (headless Linux without Secret Service) — there is nothing to delete there, so the file fallback alone determines success.

func DeleteKeyFile added in v0.6.0

func DeleteKeyFile() error

DeleteKeyFile removes the fallback key file. A missing file is not an error.

func Encrypt

func Encrypt(plaintext []byte, recipient age.Recipient) ([]byte, error)

Encrypt encrypts plaintext using the given age public key (recipient).

func EncryptWithPassphrase

func EncryptWithPassphrase(plaintext []byte, passphrase string) ([]byte, error)

EncryptWithPassphrase encrypts data using a passphrase (for key backup).

func GenerateKey

func GenerateKey() (*age.X25519Identity, error)

GenerateKey creates a new age X25519 identity (keypair).

func KeyFileExists added in v0.6.0

func KeyFileExists() bool

KeyFileExists reports whether the fallback key file is present.

func KeyFilePath added in v0.6.0

func KeyFilePath() (string, error)

KeyFilePath returns the path to the passphrase-encrypted key file used as a fallback when the OS keyring is unavailable. It honors ENCLAUDE_KEY_FILE as an explicit override; otherwise it uses $XDG_CONFIG_HOME/enclaude/key.age.enc, falling back to ~/.config/enclaude/key.age.enc.

func LoadKey

func LoadKey() (*age.X25519Identity, string, error)

LoadKey retrieves the age private key, trying (in order):

  1. ENCLAUDE_KEY environment variable
  2. OS keyring
  3. passphrase-encrypted file fallback

func LoadKeyFile added in v0.6.0

func LoadKeyFile(passphrase string) (*age.X25519Identity, error)

LoadKeyFile reads and decrypts the fallback key file.

func LoadPublicKey

func LoadPublicKey() (*age.X25519Recipient, string, error)

LoadPublicKey loads just the public key (for encryption-only operations).

func ParseIdentity

func ParseIdentity(secretKey string) (*age.X25519Identity, error)

ParseIdentity parses an age secret key string into an Identity.

func ParseRecipient

func ParseRecipient(publicKey string) (*age.X25519Recipient, error)

ParseRecipient parses an age public key string into a Recipient.

func ShredFile

func ShredFile(path string) error

ShredFile overwrites a file with random data before deleting it. This provides better-than-nothing protection on HDDs. On SSDs with TRIM, this is less effective but still removes the plaintext file.

func StoreKey

func StoreKey(identity *age.X25519Identity) (string, error)

StoreKey saves the age private key. It prefers the OS keyring; if the keyring is unavailable (e.g. headless Linux without Secret Service), it falls back to a passphrase-encrypted file under $XDG_CONFIG_HOME/enclaude. Returns SourceKeyring or SourceFile indicating where the key was written.

func StoreKeyFile added in v0.6.0

func StoreKeyFile(identity *age.X25519Identity, passphrase string) error

StoreKeyFile encrypts identity with passphrase (age scrypt) and writes it to the fallback location with 0600 permissions.
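The lookup order documented for KeyFilePath and the 0600 mode documented for StoreKeyFile can be checked from outside the package. The following is an added example, not code from this package: resolveKeyFilePath and auditKeyFile are hypothetical names, and treating an empty environment variable as unset is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// resolveKeyFilePath follows the lookup order documented for KeyFilePath.
// Assumption: an empty environment variable is treated as unset.
func resolveKeyFilePath() (string, error) {
	if p := os.Getenv("ENCLAUDE_KEY_FILE"); p != "" {
		return p, nil
	}
	if x := os.Getenv("XDG_CONFIG_HOME"); x != "" {
		return filepath.Join(x, "enclaude", "key.age.enc"), nil
	}
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(home, ".config", "enclaude", "key.age.enc"), nil
}

// auditKeyFile returns findings for the fallback key file at path. A missing
// file yields no findings, matching the "missing is not an error" convention.
func auditKeyFile(path string) ([]string, error) {
	info, err := os.Lstat(path) // Lstat so a symlink is reported, not followed
	if os.IsNotExist(err) {
		return nil, nil
	} else if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() {
		return []string{"not a regular file (symlink or special file)"}, nil
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return []string{fmt.Sprintf("mode %04o is wider than the documented 0600", perm)}, nil
	}
	return nil, nil
}

func main() {
	path, err := resolveKeyFilePath()
	if err != nil {
		panic(err)
	}
	fmt.Println(path)
	fmt.Println(auditKeyFile(path))
}
```

The permission check applies to Unix-style mode bits; the key file is passphrase-encrypted, so a wide mode exposes ciphertext rather than the raw key, but it still lets other local users copy it for offline guessing.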

Types

type PassphraseFunc added in v0.6.0

type PassphraseFunc func(prompt string, confirm bool) (string, error)

PassphraseFunc prompts the user for a passphrase. When confirm is true the implementation should prompt twice and verify the two inputs match.

var DefaultPassphraseFunc PassphraseFunc

DefaultPassphraseFunc is consulted by StoreKey/LoadKey when the OS keyring is unavailable and a passphrase is needed for the file fallback. The cmd layer wires this to ui.ReadPassphrase at startup.
