storage

package
v0.2.0 Latest
Published: May 1, 2026 License: MIT Imports: 3 Imported by: 0

Documentation

Overview

Package storage provides the storage abstraction layer for encrypted vault records.

Variables

var ErrCASFailed = errors.New("CAS version mismatch")

ErrCASFailed is returned when a compare-and-swap version check fails.

var ErrNotFound = errors.New("record not found")

ErrNotFound is returned when a record does not exist.

var ErrVaultNotFound = errors.New("vault not found")

ErrVaultNotFound is returned when a vault does not exist in storage.

Functions

func OpenRecord

func OpenRecord(recordKey []byte, envelope *Envelope, aad []byte) ([]byte, error)

OpenRecord decrypts an Envelope using the given record key and AAD.

Types

type BatchTx

type BatchTx interface {
	Put(recordType string, recordID string, envelope *Envelope) error
	PutCAS(recordType string, recordID string, expectedVersion uint64, envelope *Envelope) error
	Delete(recordType string, recordID string) error
}

BatchTx provides Put, PutCAS, and Delete within an atomic transaction. The vaultID is scoped to the batch, so methods don't require it.

type Envelope

type Envelope struct {
	Ver        int    `json:"ver"`
	Scheme     string `json:"scheme"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
	Version    uint64 `json:"version,omitempty"`
}

Envelope is a sealed record containing AES-256-GCM encrypted data.

func SealRecord

func SealRecord(recordKey, plaintext, aad []byte, version ...uint64) (*Envelope, error)

SealRecord encrypts plaintext into an Envelope using the given record key and AAD.
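
As an added illustration for OpenRecord and SealRecord (not the package's own code), this stand-alone sketch shows what the AAD argument is for: an envelope sealed for one record fails to open when it is presented under another record's AAD. The names sealSketch, openSketch, newGCM and recordAAD are hypothetical, and the reduced Envelope, the netstring AAD layout, the all-zero key and the record names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Envelope struct{ Nonce, Ciphertext []byte } // subset of the documented struct

// recordAAD (hypothetical) netstring-encodes the record's location, so field boundaries are unambiguous.
func recordAAD(vault, typ, id string) []byte {
	return fmt.Appendf(nil, "%d:%s,%d:%s,%d:%s,", len(vault), vault, len(typ), typ, len(id), id)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSketch and openSketch stand in for SealRecord and OpenRecord; they are not the package's code.
func sealSketch(key, plaintext, aad []byte) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

func openSketch(key []byte, env *Envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(env.Nonce) != gcm.NonceSize() { // Open panics on a wrong-size nonce
		return nil, fmt.Errorf("open: bad key or nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad) // fails if the AAD differs from seal time
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key
	env, _ := sealSketch(key, []byte("s3cret"), recordAAD("vault-a", "login", "rec-1"))
	fmt.Println(openSketch(key, env, recordAAD("vault-a", "login", "rec-2"))) // wrong record ID: rejected
}
```

Because the AAD is authenticated but not stored in the envelope, the caller has to rebuild it from the location it is reading, which is what makes a copied or swapped envelope fail.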

type Repository

type Repository interface {
	Put(vaultID string, recordType string, recordID string, envelope *Envelope) error
	Get(vaultID string, recordType string, recordID string) (*Envelope, error)
	List(vaultID string, recordType string) ([]string, error)
	ListVaults() ([]string, error)
	Delete(vaultID string, recordType string, recordID string) error
	DeleteVault(vaultID string) error
	PutCAS(vaultID string, recordType string, recordID string, expectedVersion uint64, envelope *Envelope) error
	Batch(vaultID string, fn func(tx BatchTx) error) error
}

Repository defines the interface for encrypted record storage.

Directories

Package bbolt provides a BBolt-backed storage repository.
Package memory provides a thread-safe in-memory implementation of storage.Repository.
Package postgres implements storage.Repository backed by PostgreSQL.
