secretfile

package
v0.0.21
Published: Feb 27, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Constants

const (
	SecretFileName   = "secret"
	MetadataFileName = "metadata.json"
)

Variables

This section is empty.

Functions

func DirNameToID

func DirNameToID(dirName string) (store.ID, error)

DirNameToID decodes a base64-encoded directory name back into a secret ID.

It returns an error if the directory name is not valid base64 or cannot be parsed into a store.ID.

func GetIdentity

func GetIdentity(k KeyType, decryptionKey string) (age.Identity, error)

GetIdentity returns an age.Identity for the given key type and decryption key.

The identity implementation depends on the provided KeyType:

An error is returned if the key cannot be parsed or the key type is unsupported.

func GetRecipients

func GetRecipients(k KeyType, encryptionKeys []string) ([]age.Recipient, error)

GetRecipients returns a slice of age.Recipient for the given key type and encryption keys.

The recipient implementation depends on the provided KeyType:

An error is returned if the key cannot be parsed or the key type is unsupported.

func IDToDirName

func IDToDirName(id store.ID) string

IDToDirName encodes a secret ID as a base64 string suitable for use as a directory name. This avoids issues with unsupported characters (such as slashes) in filesystem paths.
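The encoding contract behind IDToDirName and DirNameToID, as an added example that is not the package's own code: store.ID is not defined on this page, so a plain string ID stands in for it, and the choice of the URL-safe base64 alphabet is an assumption made here because the standard alphabet contains the very `/` the documentation says the directory name must avoid. The decoder also shows the checks worth applying before a directory name read from disk is trusted.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ID stands in for store.ID (not defined on this page); it is assumed to be
// free-form text that may contain characters unsafe in a path component.
type ID string

var errBadDirName = errors.New("invalid secret directory name")

// idToDirName follows the documented IDToDirName contract: the result must be
// a single path component. RawURLEncoding is chosen because the standard
// alphabet can emit '/', e.g. bytes 0xff 0xff 0xff encode to "////" there.
func idToDirName(id ID) string {
	return base64.RawURLEncoding.EncodeToString([]byte(id))
}

// dirNameToID is the inverse. Beyond decoding, it rejects names that could
// act as path traversal or separators, and insists on strict base64 so that
// two different on-disk names can never decode to the same ID.
func dirNameToID(dirName string) (ID, error) {
	if dirName == "" || dirName == "." || dirName == ".." || strings.ContainsAny(dirName, `/\`) {
		return "", errBadDirName
	}
	raw, err := base64.RawURLEncoding.Strict().DecodeString(dirName)
	if err != nil {
		return "", fmt.Errorf("%w: %v", errBadDirName, err)
	}
	if len(raw) == 0 {
		return "", errBadDirName
	}
	return ID(raw), nil
}

func main() {
	// Constructed sample IDs; the first contains the '/' the encoding must hide.
	for _, id := range []ID{"prod/db/password", "team-a?key=1", "\xff\xff\xff"} {
		name := idToDirName(id)
		back, err := dirNameToID(name)
		fmt.Printf("%q -> %q -> %q (err=%v)\n", id, name, back, err)
	}
}
```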

func Persist

func Persist(id store.ID, root *os.Root, metadata map[string]string, secrets []EncryptedSecret) error

Persist writes a secret and its metadata to a new directory on disk.

The directory name is derived from the secret ID, base64-encoded to avoid unsupported characters. If the directory already exists, it is removed before writing, ensuring that secrets encrypted with different keys cannot become inconsistent.

Inside the directory, the function creates:

  • metadata.json — a JSON-encoded metadata file (always public)
  • secret<KeyType> — one encrypted secret file per key type

If any step fails, the directory is removed to prevent partial or inconsistent state. An error is returned in such cases.

func RestoreMetadata

func RestoreMetadata(secretDir *os.Root) (map[string]string, error)

RestoreMetadata reads the MetadataFileName (metadata.json) file from the given secret directory and unmarshals it into a map.

Types

type EncryptedSecret

type EncryptedSecret struct {
	KeyType       KeyType
	EncryptedData []byte
}

func RestoreSecret

func RestoreSecret(id store.ID, root *os.Root) ([]EncryptedSecret, map[string]string, error)

RestoreSecret reads the encrypted secret files and the metadata file from the secret's scoped directory under root.

type KeyType

type KeyType string

KeyType identifies the type of encryption or decryption key associated with a secret (e.g., password, age, or SSH).

const (
	PasswordKeyType KeyType = "pass"
	AgeKeyType      KeyType = "age"
	SSHKeyType      KeyType = "ssh"
)

type PromptFunc

type PromptFunc func(context.Context) ([]byte, error)

PromptFunc is a callback invoked by the store when encrypting or decrypting a file. The function is expected to return the key material (as a byte slice) or an error if the key cannot be obtained.
