Documentation
Index
- func DecryptSecretsFile(rootDir string) error
- func DecryptYAMLFile(rootDir, encryptedFile, plainFile string) error
- func EncryptSecretsFile(rootDir string) error
- func EncryptYAMLFile(rootDir, plainFile, encryptedFile string) error
- func GenerateKey(rootDir string) (*age.X25519Identity, bool, error)
- func GetPublicKey(identity *age.X25519Identity) string
- func GetPublicKeyFromFile(rootDir string) (string, error)
- func LoadKey(rootDir string) (*age.X25519Identity, error)
- func RotateKeys(rootDir string) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func DecryptSecretsFile
func DecryptSecretsFile(rootDir string) error
DecryptSecretsFile decrypts secrets.encrypted.yaml and saves the result to secrets.yaml.
func DecryptYAMLFile
func DecryptYAMLFile(rootDir, encryptedFile, plainFile string) error
DecryptYAMLFile decrypts an encrypted YAML file's values and saves the result to the plain file.
func EncryptSecretsFile
func EncryptSecretsFile(rootDir string) error
EncryptSecretsFile encrypts the values in secrets.yaml and saves the result to secrets.encrypted.yaml. Encryption is incremental: only values that have changed are encrypted.
func EncryptYAMLFile
func EncryptYAMLFile(rootDir, plainFile, encryptedFile string) error
EncryptYAMLFile encrypts a YAML file's values (keys stay unencrypted) and saves the result to the encrypted file. Encryption is incremental: only values that have changed are encrypted.
func GenerateKey
func GenerateKey(rootDir string) (*age.X25519Identity, bool, error)
GenerateKey generates a new age identity and saves it to the talm.key file in age-keygen format. The bool result is true if a new key was created rather than loaded from an existing file.
func GetPublicKey
func GetPublicKey(identity *age.X25519Identity) string
GetPublicKey returns the public key of an identity.
func GetPublicKeyFromFile
func GetPublicKeyFromFile(rootDir string) (string, error)
GetPublicKeyFromFile extracts the public key from the talm.key file.
func LoadKey
func LoadKey(rootDir string) (*age.X25519Identity, error)
LoadKey loads the age identity from the talm.key file. Both the age-keygen format (with comments) and the plain format are supported.
func RotateKeys
func RotateKeys(rootDir string) error
RotateKeys atomically rotates the age key that encrypts secrets.encrypted.yaml. The old key is replaced with a freshly generated identity, and the secrets file is re-encrypted under the new key.
Atomicity strategy: every disk-mutating step uses os.Rename or secureperm.WriteFile (which is itself an atomic temp+rename). The previous key+encrypted pair is renamed aside into `*.rotation-backup` files BEFORE the new files are committed; if any later step fails, the originals are restored.
The function returns nil only after the new pair is committed AND both backup files have been removed. If either the commit or the cleanup fails, the function returns a non-nil error, so the only state in which `*.rotation-backup` files outlive the call is one where the call ITSELF returned an error. Operators who find leftover `*.rotation-backup` files in that state should:
- inspect both `talm.key` and its backup; if `talm.key` exists and is newer than the backup, rotation succeeded and only cleanup failed — remove the `*.rotation-backup` files;
- otherwise rotation was interrupted before commit — rename the backups back into place to recover the original state.
Both new files are written via secureperm.WriteFile so they end up at mode 0o600 (defense in depth — age encryption is the security layer, but world-readable secrets material on shared workstations invites mistakes).
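The backup-then-commit sequence described above, as an added example that is not the package's own code: plain os.Rename and a temp+rename writer stand in for secureperm.WriteFile, the function name RotateFiles and its injectable write parameter are assumptions, and no age encryption happens (the caller supplies the already-encrypted bytes).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

var rotated = []string{"talm.key", "secrets.encrypted.yaml"} // the pair RotateKeys swaps

// atomicWrite stands in for secureperm.WriteFile: write a 0o600 temp file beside the
// target, then rename it into place so the final path never holds a partial file.
func atomicWrite(path string, data []byte) error {
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

// RotateFiles (assumed name) moves the current pair aside as *.rotation-backup, commits the
// new pair with write, then drops the backups; any failure renames them back (restore failure keeps them).
func RotateFiles(dir string, newKey, newSecrets []byte, write func(string, []byte) error) error {
	live := func(n string) string { return filepath.Join(dir, n) }
	bak := func(n string) string { return live(n) + ".rotation-backup" }
	restore := func(upto int, cause error) error {
		for _, n := range rotated[:upto] {
			if err := os.Rename(bak(n), live(n)); err != nil {
				return fmt.Errorf("%v; restoring %s failed: %w", cause, n, err)
			}
		}
		return cause
	}
	for i, n := range rotated { // step 1: move originals aside, undoing on failure
		if err := os.Rename(live(n), bak(n)); err != nil {
			return restore(i, fmt.Errorf("backup %s: %w", n, err))
		}
	}
	for i, data := range [][]byte{newKey, newSecrets} { // step 2: commit the new pair
		if err := write(live(rotated[i]), data); err != nil {
			return restore(len(rotated), fmt.Errorf("commit %s: %w", rotated[i], err))
		}
	}
	for _, n := range rotated { // step 3: cleanup; failure here is still an error
		if err := os.Remove(bak(n)); err != nil {
			return fmt.Errorf("rotation committed but cleanup failed: %w", err)
		}
	}
	return nil
}
```

Passing a writer that fails exercises the restore path: the originals come back under their live names and no `*.rotation-backup` files remain, matching the contract that leftovers imply an error return.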
Types
This section is empty.