Documentation

Index
- Variables
- func DecryptSecretsFile(rootDir string) error
- func DecryptYAMLFile(rootDir, encryptedFile, plainFile string) error
- func EncryptSecretsFile(rootDir string) error
- func EncryptYAMLFile(rootDir, plainFile, encryptedFile string) error
- func GenerateKey(rootDir string) (*age.X25519Identity, bool, error)
- func GetPublicKey(identity *age.X25519Identity) string
- func GetPublicKeyFromFile(rootDir string) (string, error)
- func LoadKey(rootDir string) (*age.X25519Identity, error)
- func RotateKeys(rootDir string) error
Constants
This section is empty.
Variables
var ErrLeftoverRotationBackup = errors.New("leftover rotation backup from a previous run (either interrupted, or successful with a failed cleanup step); inspect and remove (or restore) before retrying")
ErrLeftoverRotationBackup is returned by RotateKeys when it detects `*.rotation-backup` files from a previous run still on disk. Callers can use errors.Is to recognise the unsafe-to-rotate state and offer targeted recovery guidance instead of a generic failure message.
Functions
func DecryptSecretsFile
func DecryptSecretsFile(rootDir string) error
DecryptSecretsFile decrypts secrets.encrypted.yaml and saves the plaintext to secrets.yaml.
func DecryptYAMLFile
func DecryptYAMLFile(rootDir, encryptedFile, plainFile string) error
DecryptYAMLFile decrypts the values of an encrypted YAML file and saves the result to the plain file.
func EncryptSecretsFile
func EncryptSecretsFile(rootDir string) error
EncryptSecretsFile encrypts the values in secrets.yaml and saves the result to secrets.encrypted.yaml. Encryption is incremental: only values that have changed are encrypted again.
func EncryptYAMLFile
func EncryptYAMLFile(rootDir, plainFile, encryptedFile string) error
EncryptYAMLFile encrypts a YAML file's values (keys stay in plaintext) and saves the result to the encrypted file. Encryption is incremental: only values that have changed are encrypted again, and unchanged values keep their existing ciphertext, so a diff of the encrypted file shows exactly which entries changed.
func GenerateKey
func GenerateKey(rootDir string) (*age.X25519Identity, bool, error)
GenerateKey generates a new age identity and saves it to the talm.key file in age-keygen format. If talm.key already exists, the existing identity is loaded instead. The bool result is true only when a new key was created rather than loaded from an existing file.
func GetPublicKey
func GetPublicKey(identity *age.X25519Identity) string
GetPublicKey returns the public key from an identity.
func GetPublicKeyFromFile
func GetPublicKeyFromFile(rootDir string) (string, error)
GetPublicKeyFromFile extracts the public key from the talm.key file.
func LoadKey
func LoadKey(rootDir string) (*age.X25519Identity, error)
LoadKey loads the age identity from the talm.key file. Both the age-keygen format (with `#` comment lines) and the plain format (the bare AGE-SECRET-KEY-1 line) are supported.
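As an added example, not code from the talm package, the parser below accepts both layouts LoadKey accepts, using only the standard library: it locates the AGE-SECRET-KEY-1 line and, for age-keygen output, takes the public key from the `# public key:` comment. The sample inputs are constructed strings, not real keys, and turning the secret line into an identity is left to age.ParseX25519Identity, which this example deliberately does not call.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// ParsedKey holds what this example extracts from a talm.key file: the
// secret key line age needs and, when the file is in age-keygen format,
// the public key from the "# public key:" comment. A plain-format file
// carries no such comment, so PublicKey stays empty and has to be derived
// from the identity (as GetPublicKey does via the age library).
type ParsedKey struct {
	SecretKey string
	PublicKey string
}

// parseKeyFile accepts both layouts LoadKey accepts: age-keygen output
// ("# created: ...", "# public key: age1...", then the AGE-SECRET-KEY-1
// line) and a plain file holding only the secret key. Blank and comment
// lines are skipped; exactly one secret key line must be present and any
// other content is rejected rather than silently ignored. Errors report
// the line number only, never the line itself, so key material cannot
// leak into logs through an error message.
func parseKeyFile(contents string) (ParsedKey, error) {
	var k ParsedKey
	sc := bufio.NewScanner(strings.NewReader(contents))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
		case strings.HasPrefix(line, "# public key:"):
			k.PublicKey = strings.TrimSpace(strings.TrimPrefix(line, "# public key:"))
		case strings.HasPrefix(line, "#"):
			// other age-keygen comments such as "# created:" carry no key material
		case strings.HasPrefix(line, "AGE-SECRET-KEY-1"):
			if k.SecretKey != "" {
				return ParsedKey{}, fmt.Errorf("line %d: key file holds more than one secret key", n)
			}
			k.SecretKey = line
		default:
			return ParsedKey{}, fmt.Errorf("line %d: unexpected content in key file", n)
		}
	}
	if err := sc.Err(); err != nil {
		return ParsedKey{}, err
	}
	if k.SecretKey == "" {
		return ParsedKey{}, errors.New("no AGE-SECRET-KEY-1 line found")
	}
	return k, nil
}

// Constructed sample inputs (not real keys): the same secret key written
// the way age-keygen prints it and as a bare line.
const (
	keygenFormat = "# created: 2024-01-01T00:00:00Z\n# public key: age1exampleonly\nAGE-SECRET-KEY-1EXAMPLEONLY\n"
	plainFormat  = "AGE-SECRET-KEY-1EXAMPLEONLY\n"
)

func main() {
	for _, in := range []string{keygenFormat, plainFormat} {
		k, err := parseKeyFile(in)
		fmt.Printf("%+v err=%v\n", k, err)
	}
}
```

A public key pasted into talm.key by mistake (an `age1...` line) or a second secret key is rejected, which is the behaviour you want from the file that gates every decrypt.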
func RotateKeys
func RotateKeys(rootDir string) error
RotateKeys atomically rotates the age key that encrypts secrets.encrypted.yaml: the old key is replaced with a freshly generated identity, and the secrets file is re-encrypted under the new key.
Atomicity strategy: every disk-mutating step uses os.Rename or secureperm.WriteFile (which is itself atomic temp+rename). The previous key+encrypted pair is renamed aside into `*.rotation-backup` files BEFORE the new files are committed; if any later step fails the originals are restored.
The function returns nil only after the new pair is committed AND both backup files have been removed. If either commit or cleanup fails the function returns a non-nil error, so the only state in which `*.rotation-backup` files outlive the call is when the call ITSELF returned an error. Operators who find leftover `*.rotation-backup` files in that state should:
- inspect both `talm.key` and the backup; if `talm.key` exists and is newer than the backup, rotation succeeded and only cleanup failed — remove the `*.rotation-backup` files;
- otherwise rotation was interrupted before commit — rename the backups back into place to recover the original state.
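The operator guidance above, and the errors.Is check on ErrLeftoverRotationBackup described under Variables, can be turned into a recovery routine a CLI offers when RotateKeys refuses to run. The following is an added example, not code from the talm package; it assumes the backup files are named `talm.key.rotation-backup` and `secrets.encrypted.yaml.rotation-backup` (the page only says `*.rotation-backup`), and it adds one check the guidance does not spell out: it only treats the run as committed when secrets.encrypted.yaml is present as well, so a new key without a matching secrets file is rolled back rather than cleaned up.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// File names for this example. talm.key and secrets.encrypted.yaml come from
// the package docs; the exact *.rotation-backup names are an assumption.
const (
	keyFile     = "talm.key"
	secretsFile = "secrets.encrypted.yaml"
	backupExt   = ".rotation-backup"
)

// recoverRotation applies the operator guidance for leftover backups.
// os.Rename keeps a file's mtime, so the backup still carries the original
// key's timestamp; a talm.key newer than that was written by the commit
// step. If the new secrets file is present too, only cleanup failed and
// the backups are removed ("clean"). Otherwise the run stopped before (or
// during) commit and the backups are renamed back into place ("restore").
// With no backups present there is nothing to do ("none").
func recoverRotation(rootDir string) (string, error) {
	keyPath := filepath.Join(rootDir, keyFile)
	secPath := filepath.Join(rootDir, secretsFile)
	keyBak, secBak := keyPath+backupExt, secPath+backupExt

	bak, err := os.Stat(keyBak)
	if errors.Is(err, os.ErrNotExist) {
		return "none", nil
	}
	if err != nil {
		return "", err
	}
	cur, keyErr := os.Stat(keyPath)
	_, secErr := os.Stat(secPath)
	if keyErr == nil && secErr == nil && cur.ModTime().After(bak.ModTime()) {
		// Commit happened: the new pair is in place, only cleanup failed.
		for _, b := range []string{keyBak, secBak} {
			if err := os.Remove(b); err != nil && !errors.Is(err, os.ErrNotExist) {
				return "", err
			}
		}
		return "clean", nil
	}
	// Interrupted before commit (or half committed): put the originals back.
	if err := os.Rename(keyBak, keyPath); err != nil {
		return "", err
	}
	if err := os.Rename(secBak, secPath); err != nil && !errors.Is(err, os.ErrNotExist) {
		return "", err
	}
	return "restore", nil
}

func main() {
	action, err := recoverRotation(".")
	fmt.Println(action, err)
}
```

The mtime comparison is only as trustworthy as the filesystem's timestamp resolution and the fact that rename preserves mtime; on a filesystem where either does not hold, fall back to the manual inspection the guidance describes.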
Both new files (talm.key and secrets.encrypted.yaml) are written via secureperm.WriteFile, so they end up at mode 0o600. This is defense in depth: age encryption is the security layer, but world-readable key and secrets material on shared workstations invites mistakes.
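The commit sequence and the 0o600 temp+rename write, shown together as an added example that is not the talm package's code. writeFileAtomic is written from the description of secureperm.WriteFile on this page, not from that package; the `*.rotation-backup` file names are an assumption; and the new key and secrets bytes are passed in as plain byte slices because this example only exercises the on-disk protocol, not the age re-encryption.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// File names for this example. talm.key and secrets.encrypted.yaml come from
// the package docs; the exact *.rotation-backup names are an assumption.
const (
	keyFile     = "talm.key"
	secretsFile = "secrets.encrypted.yaml"
	backupExt   = ".rotation-backup"
)

var errLeftoverBackup = errors.New("leftover rotation backup; recover before retrying")

// writeFileAtomic stands in for secureperm.WriteFile. os.CreateTemp opens a
// same-directory temp file with O_EXCL and mode 0o600 (umask can only tighten
// that), the data is written and fsynced, and os.Rename publishes it: a reader
// sees the old file or the complete new one, never a partial or world-readable one.
func writeFileAtomic(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), filepath.Base(path)+".tmp-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has happened
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func exists(path string) bool {
	_, err := os.Lstat(path)
	return err == nil
}

// rotateCommit follows the commit sequence the RotateKeys doc describes: refuse
// if backups from an earlier run are present, move the current pair aside with
// os.Rename, write the new pair atomically, then remove the backups. A failure
// before commit puts the originals back; a failure after commit is still
// returned, so backups never outlive a nil result.
func rotateCommit(rootDir string, newKey, newSecrets []byte) (err error) {
	keyPath := filepath.Join(rootDir, keyFile)
	secPath := filepath.Join(rootDir, secretsFile)
	keyBak, secBak := keyPath+backupExt, secPath+backupExt
	if exists(keyBak) || exists(secBak) {
		return errLeftoverBackup
	}
	if err = os.Rename(keyPath, keyBak); err != nil {
		return err
	}
	if err = os.Rename(secPath, secBak); err != nil {
		os.Rename(keyBak, keyPath) // undo the first move
		return err
	}
	committed := false
	defer func() {
		if err != nil && !committed {
			os.Rename(keyBak, keyPath)
			os.Rename(secBak, secPath)
		}
	}()
	if err = writeFileAtomic(keyPath, newKey); err != nil {
		return err
	}
	if err = writeFileAtomic(secPath, newSecrets); err != nil {
		return err
	}
	committed = true
	for _, b := range []string{keyBak, secBak} {
		if err = os.Remove(b); err != nil {
			return fmt.Errorf("rotation committed but cleanup failed: %w", err)
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "rotate")
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, keyFile), []byte("old key\n"), 0o600)
	os.WriteFile(filepath.Join(dir, secretsFile), []byte("old secrets\n"), 0o600)
	fmt.Println("rotate:", rotateCommit(dir, []byte("new key\n"), []byte("new secrets\n")))
}
```

The `committed` flag is what keeps the two failure classes apart: before it is set, any error restores the old pair; after it, the deferred restore is skipped so a failed os.Remove reports the committed-but-dirty state instead of silently undoing a rotation that already succeeded.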
Types
This section is empty.