Documentation

Index
- Constants
- Variables
- func DecryptSecretsFile(rootDir string) error
- func DecryptYAMLFile(rootDir, encryptedFile, plainFile string) error
- func DecryptYAMLToMap(rootDir, filePath string) (map[string]any, error)
- func EncryptSecretsFile(rootDir string) error
- func EncryptYAMLFile(rootDir, plainFile, encryptedFile string) error
- func GenerateKey(rootDir string) (*age.X25519Identity, bool, error)
- func GetPublicKey(identity *age.X25519Identity) string
- func GetPublicKeyFromFile(rootDir string) (string, error)
- func LoadKey(rootDir string) (*age.X25519Identity, error)
- func RotateKeys(rootDir string) error
Constants

    const (
    	// EncryptedFileSuffix is the filename convention that marks a YAML
    	// file as age-encrypted (secrets.encrypted.yaml; talosconfig.encrypted
    	// is the legacy non-yaml exception). Consumers that decrypt encrypted
    	// value files in-memory key off this suffix so the marker stays a
    	// single source of truth shared with the init encrypt/decrypt flow.
    	EncryptedFileSuffix = ".encrypted.yaml"
    )
Variables
var ErrLeftoverRotationBackup = errors.New("leftover rotation backup from a previous run (either interrupted, or successful with a failed cleanup step); inspect and remove (or restore) before retrying")
ErrLeftoverRotationBackup is returned by RotateKeys when it detects `*.rotation-backup` files from a previous run still on disk. Callers can use errors.Is to recognise the unsafe-to-rotate state and offer targeted recovery guidance instead of a generic failure message.
var ErrNoEncryptedValues = errors.New("file is named *.encrypted.yaml but contains no ENC[AGE,...] encrypted values")
ErrNoEncryptedValues is returned by DecryptYAMLToMap when a file the caller declared encrypted (by its .encrypted.yaml name) parses cleanly but carries no ENC[AGE,...] envelope at all. Treating it as plaintext would silently feed an unencrypted (or corrupt) file into rendering; surfacing the mismatch lets the operator fix the file rather than ship a hole.
Functions

func DecryptSecretsFile
func DecryptSecretsFile(rootDir string) error
DecryptSecretsFile decrypts secrets.encrypted.yaml and saves to secrets.yaml.
func DecryptYAMLFile
func DecryptYAMLFile(rootDir, encryptedFile, plainFile string) error
DecryptYAMLFile decrypts the values of an encrypted YAML file and saves the result to the plain file.
func DecryptYAMLToMap (added in v0.32.0)
func DecryptYAMLToMap(rootDir, filePath string) (map[string]any, error)
DecryptYAMLToMap reads the age-encrypted YAML at filePath, decrypts its string-leaf values in memory with the project's talm.key (located under rootDir), and returns the plaintext map. Unlike DecryptYAMLFile it writes nothing to disk — it feeds encrypted user value files straight into chart rendering so the plaintext never lands in the working tree.
filePath is used verbatim (the caller has already resolved it); rootDir only locates talm.key. The file is validated to contain at least one envelope (ErrNoEncryptedValues otherwise) BEFORE the key is required, so a mis-named or corrupt file fails with a precise cause rather than a confusing "talm.key missing". Partially-encrypted files are fine: plaintext leaves pass through untouched.
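The validation order and pass-through behaviour described above, as an added stand-alone Go example that is not talm's own code: the ENC[AGE,...] payload is treated as opaque text because the page does not document its inner encoding, the age key and decryption are stood in for by caller-supplied closures, and YAML sequences are left out for brevity.

```go
package main

import (
	"errors"
	"strings"
)

// Envelope marker from the docs; the inner encoding is not documented here, so it is opaque.
const envelopePrefix, envelopeSuffix = "ENC[AGE,", "]"
var ErrNoEncryptedValues = errors.New("file is named *.encrypted.yaml but contains no ENC[AGE,...] encrypted values")

// walkLeaves returns a copy of v with fn applied to every envelope string leaf; plaintext
// leaves and non-string scalars pass through untouched, so partially-encrypted files work.
func walkLeaves(v any, fn func(payload string) (string, error)) (any, error) {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, c := range t {
			d, err := walkLeaves(c, fn)
			if err != nil {
				return nil, err
			}
			out[k] = d
		}
		return out, nil
	case string:
		if strings.HasPrefix(t, envelopePrefix) && strings.HasSuffix(t, envelopeSuffix) {
			return fn(strings.TrimSuffix(strings.TrimPrefix(t, envelopePrefix), envelopeSuffix))
		}
	}
	return v, nil
}

// DecryptValues enforces the documented order: at least one envelope must be present
// BEFORE loadKey runs, so a mis-named or corrupt file fails with a precise cause.
func DecryptValues(doc map[string]any, loadKey func() (func(string) (string, error), error)) (map[string]any, error) {
	envelopes := 0
	walkLeaves(doc, func(p string) (string, error) { envelopes++; return p, nil })
	if envelopes == 0 {
		return nil, ErrNoEncryptedValues
	}
	decrypt, err := loadKey()
	if err != nil {
		return nil, err
	}
	out, err := walkLeaves(doc, decrypt)
	if err != nil {
		return nil, err
	}
	return out.(map[string]any), nil
}
```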
func EncryptSecretsFile
func EncryptSecretsFile(rootDir string) error
EncryptSecretsFile encrypts secrets.yaml values and saves to secrets.encrypted.yaml. Uses incremental encryption: only encrypts values that have changed.
func EncryptYAMLFile
func EncryptYAMLFile(rootDir, plainFile, encryptedFile string) error
EncryptYAMLFile encrypts a YAML file's values (keeping keys unencrypted) and saves the result to the encrypted file. Uses incremental encryption: only values that have changed are encrypted.
func GenerateKey
func GenerateKey(rootDir string) (*age.X25519Identity, bool, error)
GenerateKey generates a new age identity and saves it to talm.key file in age keygen format. Returns true if a new key was created (not loaded from existing file).
func GetPublicKey
func GetPublicKey(identity *age.X25519Identity) string
GetPublicKey returns the public key from an identity.
func GetPublicKeyFromFile
func GetPublicKeyFromFile(rootDir string) (string, error)
GetPublicKeyFromFile extracts the public key from talm.key file.
func LoadKey
func LoadKey(rootDir string) (*age.X25519Identity, error)
LoadKey loads age identity from talm.key file. Supports both age keygen format (with comments) and plain format.
func RotateKeys
func RotateKeys(rootDir string) error
RotateKeys atomically rotates the age key that encrypts secrets.encrypted.yaml. The old key is replaced with a freshly generated identity, and the secrets file is re-encrypted under the new key.
Atomicity strategy: every disk-mutating step uses os.Rename or secureperm.WriteFile (which is itself atomic temp+rename). The previous key+encrypted pair is renamed aside into `*.rotation-backup` files BEFORE the new files are committed; if any later step fails the originals are restored.
The function returns nil only after the new pair is committed AND both backup files have been removed. If either commit or cleanup fails the function returns a non-nil error, so the only state in which `*.rotation-backup` files outlive the call is when the call ITSELF returned an error. Operators who find leftover `*.rotation-backup` files in that state should:
- inspect both `talm.key` and the backup; if `talm.key` exists and is newer than the backup, rotation succeeded and only cleanup failed — remove the `*.rotation-backup` files;
- otherwise rotation was interrupted before commit — rename the backups back into place to recover the original state.
Both new files are written via secureperm.WriteFile so they end up at mode 0o600 (defense-in-depth — age encryption is the security layer, but world-readable secrets material on shared workstations invites mistakes).
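The operator recovery rule above, turned into an added Go helper that is not part of the package: it assumes backups are named `<original>.rotation-backup` (the page only promises the suffix) and adds a refuse-to-overwrite guard so renaming a backup back never clobbers a file that is already present.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// Assumed backup naming "<original>.rotation-backup"; the page only promises the suffix.
const backupSuffix = ".rotation-backup"
type RotationState int

const (
	NoBackups     RotationState = iota
	CleanupFailed // new talm.key committed; only backup removal failed
	Interrupted   // stopped before commit; originals live in the backups
)

// AssessRotation applies the RotateKeys recovery rule: talm.key present and newer than
// its backup means only cleanup failed; anything else means the run was interrupted.
func AssessRotation(rootDir string) (RotationState, []string, error) {
	backups, err := filepath.Glob(filepath.Join(rootDir, "*"+backupSuffix))
	if err != nil || len(backups) == 0 {
		return NoBackups, nil, err
	}
	key, keyErr := os.Stat(filepath.Join(rootDir, "talm.key"))
	bak, bakErr := os.Stat(filepath.Join(rootDir, "talm.key"+backupSuffix))
	if keyErr == nil && bakErr == nil && key.ModTime().After(bak.ModTime()) {
		return CleanupFailed, backups, nil
	}
	return Interrupted, backups, nil
}

// RecoverRotation removes stale backups after a cleanup-only failure, or renames them
// back into place after an interrupted run, refusing to clobber any file already present.
func RecoverRotation(rootDir string) (RotationState, error) {
	state, backups, err := AssessRotation(rootDir)
	for i := 0; err == nil && i < len(backups); i++ {
		target := strings.TrimSuffix(backups[i], backupSuffix)
		if state == CleanupFailed {
			err = os.Remove(backups[i])
		} else if _, statErr := os.Stat(target); statErr == nil {
			err = errors.New("refusing to overwrite " + target + "; inspect manually")
		} else {
			err = os.Rename(backups[i], target)
		}
	}
	return state, err
}
```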
Types
This section is empty.