vault

package
v0.1.0-beta.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 11, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Decrypt 

func Decrypt(key, nonce, ciphertext []byte) ([]byte, error)

Decrypt decrypts ciphertext with XChaCha20-Poly1305.

func DeriveKey 

func DeriveKey(passphrase string, salt []byte) []byte

DeriveKey derives a 256-bit key from a passphrase using Argon2id.

func Encrypt 

func Encrypt(key, plaintext []byte) (nonce, ciphertext []byte, err error)

Encrypt encrypts plaintext with XChaCha20-Poly1305 using the given key.

func GenerateDEK 

func GenerateDEK() ([]byte, error)

GenerateDEK returns 32 random bytes for use as a data encryption key.

func GenerateSalt 

func GenerateSalt() ([]byte, error)

GenerateSalt returns 16 random bytes for use as a KDF salt.

func UnlockVault 

func UnlockVault(ev *EncryptedVault, passphrase string) ([]byte, error)

UnlockVault decrypts an encrypted vault, returning the plaintext secrets JSON.

Types

type Blob 

type Blob struct {
	Nonce      string `json:"nonce"`      // base64
	Ciphertext string `json:"ciphertext"` // base64
}

Blob holds a nonce + ciphertext pair for XChaCha20-Poly1305.

type EncryptedVault 

type EncryptedVault struct {
	Version   int       `json:"version"`
	Encrypted bool      `json:"encrypted"`
	KDF       KDFParams `json:"kdf"`
	DEK       Blob      `json:"dek"`
	Data      Blob      `json:"data"`
}

EncryptedVault is the JSON schema for secrets.enc (envelope-encrypted vault).

func ChangePassphrase 

func ChangePassphrase(ev *EncryptedVault, oldPass, newPass string) (*EncryptedVault, error)

ChangePassphrase re-encrypts the DEK with a new passphrase. The data ciphertext is unchanged.

func LockVault 

func LockVault(secretsJSON []byte, passphrase string) (*EncryptedVault, error)

LockVault encrypts secrets JSON with envelope encryption.

type KDFParams 

type KDFParams struct {
	Algorithm string `json:"algorithm"`
	Salt      string `json:"salt"`   // base64
	Time      uint32 `json:"time"`   // iterations
	Memory    uint32 `json:"memory"` // KiB
	Threads   uint8  `json:"threads"`
}

KDFParams holds the Argon2id key derivation parameters.

type Secret 

type Secret struct {
	Key   string `json:"key"`
	Value string `json:"value"`
	Set   string `json:"set,omitempty"`
}

Secret represents a stored secret.

type Set 

type Set struct {
	Name        string `json:"name"`
	Description string `json:"description,omitempty"`
}

Set represents a named group of secrets.

type SetSummary 

type SetSummary struct {
	Name        string `json:"name"`
	Description string `json:"description,omitempty"`
	Count       int    `json:"count"`
}

SetSummary is a set with its member count.

type Store 

type Store struct {
	// contains filtered or unexported fields
}

Store manages secrets in a JSON file with mutex-protected access.

func NewStore 

func NewStore(baseDir string) *Store

NewStore creates a vault store rooted at the given directory.

func (*Store) ChangePassphrase 

func (s *Store) ChangePassphrase(oldPass, newPass string) error

ChangePassphrase re-encrypts the DEK with a new passphrase.

func (*Store) CreateSet 

func (s *Store) CreateSet(name string) error

CreateSet creates an empty variable set.

func (*Store) Delete 

func (s *Store) Delete(key string) error

Delete removes a secret by key.

func (*Store) DeleteSet 

func (s *Store) DeleteSet(name string) error

DeleteSet removes a set. Secrets in the set are unassigned but not deleted.

func (*Store) Export 

func (s *Store) Export() map[string]string

Export returns all secrets as a key-value map.

func (*Store) Get 

func (s *Store) Get(key string) (string, bool)

Get returns a secret value and whether it exists.

func (*Store) GetSetSecrets 

func (s *Store) GetSetSecrets(setName string) []Secret

GetSetSecrets returns all secrets belonging to a set, sorted by key.

func (*Store) Has 

func (s *Store) Has(key string) bool

Has checks existence without returning the value.

func (*Store) Import 

func (s *Store) Import(secrets map[string]string) (int, error)

Import bulk-imports secrets. Returns the count of keys imported.

func (*Store) IsEncrypted 

func (s *Store) IsEncrypted() bool

IsEncrypted returns true when the vault has an encrypted backing file.

func (*Store) IsLocked 

func (s *Store) IsLocked() bool

IsLocked returns true when the vault is encrypted and not yet unlocked.

func (*Store) Keys 

func (s *Store) Keys() []string

Keys returns sorted key names only.

func (*Store) List 

func (s *Store) List() []Secret

List returns all secrets sorted by key.

func (*Store) ListSets 

func (s *Store) ListSets() []SetSummary

ListSets returns all sets with their member counts.

func (*Store) Load 

func (s *Store) Load() error

Load reads secrets into memory. Checks for secrets.enc first (encrypted), then falls back to secrets.json (plaintext). If the file doesn't exist, starts empty.

func (*Store) Lock 

func (s *Store) Lock(passphrase string) error

Lock encrypts the vault with a passphrase.

func (*Store) Set 

func (s *Store) Set(key, value string) error

Set adds or updates a secret. Creates the vault directory on first write.

func (*Store) SetSecretSet 

func (s *Store) SetSecretSet(key, setName string) error

SetSecretSet assigns a secret to a set (or unassigns if setName is empty).

func (*Store) SetWithSet 

func (s *Store) SetWithSet(key, value, setName string) error

SetWithSet adds or updates a secret and assigns it to a set.

func (*Store) Unlock 

func (s *Store) Unlock(passphrase string) error

Unlock decrypts an encrypted vault into memory.

func (*Store) Values 

func (s *Store) Values() []string

Values returns all secret values (for redaction registration).

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.