config

package
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 22, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package config handles reading and writing cryptkey profile files.

Profiles live at ~/.config/cryptkey/<name>.toml and contain only encrypted shares, credential IDs, salts, and provider metadata — never raw secret material. An HMAC derived from the master key protects the config against tampering.

Index

Constants

View Source 
const DefaultProfile = "default"

DefaultProfile is the profile name used when the user omits one on the CLI.

View Source 
const ProfileVersion = 1

ProfileVersion is the current profile format version.

Variables

View Source 
var CustomDir string

CustomDir allows overriding the default config directory. When empty, Dir() falls back to ~/.config/cryptkey.

Functions

func Backup 

func Backup(name string) (backupPath string, restore func() error, err error)

Backup copies the existing profile file to <profile>.toml.bak. It overwrites any existing backup. Returns the backup path and a no-op restore function the caller can defer; calling restore renames the .bak back over the profile, useful when a partially-completed rekey needs to be rolled back.

func BackupPath 

func BackupPath(name string) (string, error)

BackupPath returns the path of the rolling backup file for a profile.

func Dir 

func Dir() (string, error)

Dir returns the cryptkey config directory. If CustomDir is set (via --config-dir or CRYPTKEY_CONFIG_DIR), it is used directly. Otherwise defaults to ~/.config/cryptkey.

func Exists 

func Exists(name string) (bool, error)

Exists checks whether a profile config file exists on disk.

func List 

func List() ([]string, error)

List returns the names of all profiles in the config directory.

func Path 

func Path(name string) (string, error)

Path returns the full path for a named profile.

func Save 

func Save(p *Profile) error

Save writes a profile to disk atomically, creating the config directory if needed. It writes to a temporary file, fsyncs, and renames to prevent corruption from interrupted writes (crash, power loss, SIGKILL).

Types

type Profile 

type Profile struct {
	Version    int              `toml:"version"`
	Name       string           `toml:"name"`
	Threshold  int              `toml:"threshold"`
	OutputSalt string           `toml:"output_salt"` // hex-encoded random salt for HKDF output key derivation
	Integrity  string           `toml:"integrity"`   // hex-encoded HMAC-SHA256 of provider data
	Providers  []ProviderConfig `toml:"providers"`
}

Profile is the top-level config for one cryptkey identity.

func Load 

func Load(name string) (*Profile, error)

Load reads and decodes a profile from disk.

func (*Profile) IntegrityDigest 

func (p *Profile) IntegrityDigest() []byte

IntegrityDigest computes a deterministic hash over all provider config data. This is the payload that gets HMAC'd with the master key.

func (*Profile) OutputSaltBytes 

func (p *Profile) OutputSaltBytes() ([]byte, error)

OutputSaltBytes returns the profile's output_salt as raw bytes.

func (*Profile) SetIntegrity 

func (p *Profile) SetIntegrity(masterKey []byte) error

SetIntegrity computes and stores the integrity HMAC using the master key.

func (*Profile) VerifyIntegrity 

func (p *Profile) VerifyIntegrity(masterKey []byte) (bool, error)

VerifyIntegrity checks the stored HMAC against the master key.

type ProviderConfig 

type ProviderConfig struct {
	Type           string            `toml:"type"`
	ID             string            `toml:"id"`
	EncryptedShare string            `toml:"encrypted_share"` // hex-encoded AES-GCM ciphertext
	Nonce          string            `toml:"nonce"`           // hex-encoded GCM nonce
	ShareSalt      string            `toml:"share_salt"`      // hex-encoded HKDF salt
	Params         map[string]string `toml:"params"`          // provider-specific metadata
}

ProviderConfig stores the encrypted share and metadata for one provider.

func (*ProviderConfig) EncryptedShareData 

func (pc *ProviderConfig) EncryptedShareData() (*crypto.EncryptedShare, error)

EncryptedShareData converts the hex-encoded fields back to an EncryptedShare.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.