Documentation
Index
- Variables
- func DatabaseAAD(databaseUID string) []byte
- func Decrypt(ciphertext []byte, key []byte, aad []byte) ([]byte, error)
- func Encrypt(plaintext []byte, key []byte, aad []byte) ([]byte, error)
- func HashPassword(password string) (string, error)
- func VerifyPassword(encodedHash, password string) (bool, error)
Variables
var (
	ErrInvalidKeySize     = errors.New("key must be 32 bytes")
	ErrCiphertextTooShort = errors.New("ciphertext too short")
)
Encryption errors.
var (
	ErrInvalidHashFormat   = errors.New("invalid hash format")
	ErrUnsupportedHashAlgo = errors.New("unsupported hash algorithm")
)
Hash errors.
Functions
func DatabaseAAD
DatabaseAAD returns the Additional Authenticated Data (AAD) used when encrypting database credentials. The AAD binds the ciphertext to a specific database UID, preventing credential transplant attacks in which encrypted passwords are swapped between database rows.
func Decrypt
Decrypt decrypts ciphertext using AES-256-GCM with the provided key. The ciphertext must include the nonce prefix. The aad must match the value used during encryption, or be nil for legacy data.
func Encrypt
Encrypt encrypts plaintext using AES-256-GCM with the provided key. The ciphertext includes the nonce prefix. Optional aad (Additional Authenticated Data) binds the ciphertext to a context, preventing the ciphertext from being used in a different context.
func HashPassword
HashPassword generates an Argon2id hash of the password.
func VerifyPassword
VerifyPassword verifies a password against an Argon2id hash.