vault

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 1, 2026 License: MIT Imports: 24 Imported by: 0

Documentation

Overview

Package vault provides a secure encrypted vault with member-based access control, epoch-based key rotation, and rollback detection.

Index

Constants

View Source 
const (
	MaxIDLength        = 256
	MaxFieldNameLength = 128
	MaxFieldCount      = 64
	MaxFieldSize       = 1 << 20 // 1MB per field
	MaxHistoryVersions = 100
)

Validation constants.

View Source 
const (
	AttachmentPrefix     = "_att."
	AttachmentMetaPrefix = "_attmeta."
	MaxAttachmentSize    = 768 << 10 // 768 KiB raw (fits in MaxFieldSize after base64 expansion)
	MaxFilenameLength    = 119       // MaxFieldNameLength - len("_attmeta.")
)

Attachment field conventions. Attachments are stored as regular encrypted fields using dot-separated prefixes:

  • "_att.<filename>": raw binary content (base64-encoded at the API JSON boundary)
  • "_attmeta.<filename>": JSON metadata string with content_type and size
View Source 
const (
	DefaultMPCSigningSessionTTL = 15 * time.Minute
	MaxMPCSigningSessionTTL     = 30 * time.Minute
)
View Source 
const MPCAlgorithmExperimentalP256Schnorr = mpc.AlgorithmExperimentalP256Schnorr

Variables

View Source 
var (
	// ErrUnauthorized is a sentinel for generic unauthorized errors.
	ErrUnauthorized = UnauthorizedError{}
	// ErrStaleSession is a sentinel for stale session errors.
	ErrStaleSession = StaleSessionError{}
	// ErrSessionClosed is a sentinel for closed session errors.
	ErrSessionClosed = SessionClosedError{}
	// ErrRollbackDetected is a sentinel for rollback detected errors.
	ErrRollbackDetected = RollbackError{}
	// ErrValidationFailed is a sentinel for input validation errors.
	ErrValidationFailed = ValidationError{}
	// ErrVaultAlreadyExists is a sentinel for duplicate vault creation.
	ErrVaultAlreadyExists = VaultExistsError{}
)

Functions

func AttachmentFilename 

func AttachmentFilename(name string) string

AttachmentFilename extracts the filename from an attachment or attachment-metadata field name. Returns the empty string if the field is not an attachment field.

func ExportCredentials 

func ExportCredentials(creds *Credentials, passphrase string) ([]byte, error)

ExportCredentials encrypts credentials into a portable byte blob protected by the given passphrase. The output format is: 

version (1 byte) || salt (16 bytes) || AES-256-GCM ciphertext

The encryption key is derived from the passphrase using Argon2id.

SECURITY: The exported blob contains the MUK, private key, and all KDF parameters. Anyone who obtains the blob AND knows the passphrase can decrypt all vaults associated with these credentials. Treat exported blobs as highly sensitive — store them only in encrypted storage and delete them after import.

func ExportCredentialsBytes 

func ExportCredentialsBytes(creds *Credentials, passphrase []byte) ([]byte, error)

ExportCredentialsBytes is like ExportCredentials but accepts the passphrase as []byte, avoiding an intermediate heap-allocated string. Use this when the passphrase originates from a memguard LockedBuffer. The passphrase bytes must already be NFKD-normalized if they may contain Unicode; ASCII-only passphrases (e.g., hex-encoded session passphrases) need no normalization. The caller should wipe the passphrase slice after this function returns.

func IsAttachmentField 

func IsAttachmentField(name string) bool

IsAttachmentField reports whether the field name holds attachment binary data.

func IsAttachmentMetaField 

func IsAttachmentMetaField(name string) bool

IsAttachmentMetaField reports whether the field name holds attachment metadata JSON.

func SerializeCredentials 

func SerializeCredentials(creds *Credentials) ([]byte, error)

SerializeCredentials marshals credentials to a JSON byte slice for secure storage. The output contains sensitive key material (MUK, private key, secret key) and MUST be encrypted before persistence. The caller should wipe the returned bytes when done.

Types

type Argon2idParams 

type Argon2idParams = util.Argon2idParams

Argon2idParams configures Argon2id key derivation.

type BoltEpochCache 

type BoltEpochCache struct {
	// contains filtered or unexported fields
}

BoltEpochCache persists max-epoch-seen in a dedicated BBolt bucket. It uses a write-through cache: reads come from an in-memory map, writes persist to BBolt and update the in-memory map atomically.

func NewBoltEpochCache 

func NewBoltEpochCache(db *bbolt.DB) (*BoltEpochCache, error)

NewBoltEpochCache returns a persistent epoch cache backed by a BBolt database. This is the recommended EpochCache for production use to ensure rollback protection is maintained across application restarts.

func NewBoltEpochCacheFromFile 

func NewBoltEpochCacheFromFile(path string, options *bbolt.Options) (*BoltEpochCache, error)

NewBoltEpochCacheFromFile opens a BBolt database at the given path and returns a new BoltEpochCache.

func (*BoltEpochCache) GetMaxEpochSeen 

func (c *BoltEpochCache) GetMaxEpochSeen(vaultID string) uint64

func (*BoltEpochCache) SetMaxEpochSeen 

func (c *BoltEpochCache) SetMaxEpochSeen(vaultID string, epoch uint64) error

type CreateOption 

type CreateOption = VaultStateOption

CreateOption configures vault creation.

type CredentialProfile 

type CredentialProfile struct {
	KDFParams  Argon2idParams
	SaltPass   []byte
	SaltSecret []byte
}

CredentialProfile captures KDF settings used for deriving a member MUK.

type Credentials 

type Credentials struct {
	// contains filtered or unexported fields
}

Credentials holds the identity and key material for a vault member. The MUK is stored in a memguard Enclave (encrypted at rest in memory). Call Destroy() when done to wipe sensitive key material.

func CloneForMember 

func CloneForMember(src *Credentials) (*Credentials, error)

CloneForMember creates new credentials that share the same MUK and KDF profile as the source but with a new member ID and X25519 keypair. This is used in the invite flow where a vault owner's credentials are cloned for a new member who needs the same MUK (and thus record key) to open the vault.

func DeserializeCredentials 

func DeserializeCredentials(data []byte) (*Credentials, error)

DeserializeCredentials reconstructs credentials from a JSON byte slice previously created by SerializeCredentials.

func ImportCredentials 

func ImportCredentials(data []byte, passphrase string) (*Credentials, error)

ImportCredentials decrypts and reconstructs credentials from a blob previously created by ExportCredentials.

func ImportCredentialsBytes 

func ImportCredentialsBytes(data []byte, passphrase []byte) (*Credentials, error)

ImportCredentialsBytes is like ImportCredentials but accepts the passphrase as []byte. See ExportCredentialsBytes for normalization requirements. The caller should wipe the passphrase slice after this function returns.

func NewCredentials 

func NewCredentials(passphrase string, opts ...CredentialsOption) (*Credentials, error)

NewCredentials generates new credentials from a passphrase. It creates a new SecretKey, KeyPair, derives the MUK, and generates a member ID.

func OpenCredentials 

func OpenCredentials(secretKey crypto.SecretKey, passphrase string, memberID string, privateKey [32]byte, opts ...CredentialsOption) (*Credentials, error)

OpenCredentials recreates credentials from existing key material for reopening a vault.

func (*Credentials) DeriveKey 

func (c *Credentials) DeriveKey(label string) ([]byte, error)

DeriveKey derives a key from the credentials' MUK using the vault's record key derivation with the given label. This is useful for encrypting vault-specific credential blobs in the account record.

func (*Credentials) Destroy 

func (c *Credentials) Destroy()

Destroy wipes sensitive key material held by the credentials. After calling Destroy, the Credentials must not be reused.

func (*Credentials) MemberID 

func (c *Credentials) MemberID() string

MemberID returns the member's unique identifier.

func (*Credentials) PrivateKey 

func (c *Credentials) PrivateKey() [32]byte

PrivateKey returns the member's X25519 private key.

func (*Credentials) Profile 

func (c *Credentials) Profile() CredentialProfile

Profile returns a copy of the KDF profile used to derive this credential's MUK.

func (*Credentials) PublicKey 

func (c *Credentials) PublicKey() [32]byte

PublicKey returns the member's X25519 public key.

func (*Credentials) SecretKey 

func (c *Credentials) SecretKey() crypto.SecretKey

SecretKey returns the secret key used in MUK derivation.

type CredentialsOption 

type CredentialsOption func(*credentialsOptions)

CredentialsOption customizes credential creation/opening.

func WithCredentialKDFParams 

func WithCredentialKDFParams(params Argon2idParams) CredentialsOption

WithCredentialKDFParams overrides only the Argon2id parameters for new credential creation. Fresh random salts are still generated automatically. This is ignored when WithCredentialProfile is also set (full profile takes precedence).

func WithCredentialProfile 

func WithCredentialProfile(profile CredentialProfile) CredentialsOption

WithCredentialProfile sets the KDF profile used for credential derivation. Both salts must be non-empty.

type EpochCache 

type EpochCache interface {
	GetMaxEpochSeen(vaultID string) uint64
	SetMaxEpochSeen(vaultID string, epoch uint64) error
}

EpochCache tracks the maximum epoch seen per vault to detect rollback attacks.

type Fields 

type Fields map[string][]byte

Fields is a map of field name to plaintext value.

type HistoryEntry 

type HistoryEntry struct {
	Version   uint64
	UpdatedAt string
	UpdatedBy string
}

HistoryEntry is a summary of a single history version (returned by GetHistory).

type MPCApprovalMode 

type MPCApprovalMode string
const (
	MPCApprovalModeThreshold MPCApprovalMode = "threshold"
	MPCApprovalModeAll       MPCApprovalMode = "all"
)

type MPCDKGAttempt 

type MPCDKGAttempt struct {
	DKGSessionID string                           `json:"dkg_session_id"`
	VaultID      string                           `json:"vault_id"`
	KeyID        string                           `json:"key_id"`
	Algorithm    string                           `json:"algorithm"`
	Threshold    int                              `json:"threshold"`
	Status       MPCDKGStatus                     `json:"status"`
	Members      []MPCDKGMember                   `json:"members"`
	Commitments  []mpc.PublicCommitment           `json:"commitments,omitempty"`
	Fragments    map[string]mpc.EncryptedFragment `json:"fragments,omitempty"`
	LastError    string                           `json:"last_error,omitempty"`
	CreatedAt    time.Time                        `json:"created_at"`
	UpdatedAt    time.Time                        `json:"updated_at"`
}

type MPCDKGMember 

type MPCDKGMember struct {
	MemberID            string `json:"member_id"`
	PartyID             uint32 `json:"party_id"`
	URL                 string `json:"url"`
	EncryptionPublicKey string `json:"encryption_public_key"`
	ApprovalPublicKey   string `json:"approval_public_key"`
}

type MPCDKGStatus 

type MPCDKGStatus string
const (
	MPCDKGStatusStarted    MPCDKGStatus = "started"
	MPCDKGStatusFinalizing MPCDKGStatus = "finalizing"
	MPCDKGStatusCommitted  MPCDKGStatus = "committed"
	MPCDKGStatusAborted    MPCDKGStatus = "aborted"
	MPCDKGStatusFailed     MPCDKGStatus = "failed"
)

type MPCKey 

type MPCKey struct {
	KeyID           string                 `json:"key_id"`
	VaultID         string                 `json:"vault_id"`
	Algorithm       string                 `json:"algorithm"`
	Curve           string                 `json:"curve"`
	Provider        mpc.ProviderInfo       `json:"provider"`
	Threshold       int                    `json:"threshold"`
	Status          MPCKeyStatus           `json:"status"`
	CreatedAt       time.Time              `json:"created_at"`
	UpdatedAt       time.Time              `json:"updated_at"`
	ReplacesKeyID   string                 `json:"replaces_key_id,omitempty"`
	ReplacedByKeyID string                 `json:"replaced_by_key_id,omitempty"`
	PublicKey       mpc.PublicKey          `json:"public_key"`
	Participants    []MPCParticipant       `json:"participants"`
	Commitments     []mpc.PublicCommitment `json:"commitments"`
	Policy          MPCPolicy              `json:"policy"`
}

func (*MPCKey) PublicKeyPoint 

func (k *MPCKey) PublicKeyPoint() mpc.Point

type MPCKeyCreate 

type MPCKeyCreate struct {
	KeyID         string                           `json:"key_id,omitempty"`
	Algorithm     string                           `json:"algorithm,omitempty"`
	ImportMode    MPCKeyImportMode                 `json:"import_mode,omitempty"`
	DKGSessionID  string                           `json:"dkg_session_id,omitempty"`
	Threshold     int                              `json:"threshold"`
	MemberIDs     []string                         `json:"member_ids,omitempty"`
	Commitments   []mpc.PublicCommitment           `json:"commitments"`
	Fragments     map[string]mpc.EncryptedFragment `json:"fragments"`
	Policy        MPCPolicy                        `json:"policy,omitempty"`
	ReplacesKeyID string                           `json:"replaces_key_id,omitempty"`
}

type MPCKeyFragment 

type MPCKeyFragment struct {
	KeyID    string                `json:"key_id"`
	MemberID string                `json:"member_id"`
	PartyID  uint32                `json:"party_id"`
	Fragment mpc.EncryptedFragment `json:"fragment"`
}

type MPCKeyImportMode 

type MPCKeyImportMode string
const (
	MPCKeyImportModeOrchestrated MPCKeyImportMode = "orchestrated"
	MPCKeyImportModeRecovery     MPCKeyImportMode = "recovery"
)

type MPCKeyStatus 

type MPCKeyStatus string
const (
	MPCKeyStatusActive           MPCKeyStatus = "active"
	MPCKeyStatusDisabled         MPCKeyStatus = "disabled"
	MPCKeyStatusArchived         MPCKeyStatus = "archived"
	MPCKeyStatusRotationRequired MPCKeyStatus = "rotation_required"
	MPCKeyStatusReshareRequired  MPCKeyStatus = "reshare_required"
	MPCKeyStatusDestroyed        MPCKeyStatus = "destroyed"
)

type MPCMetricsSnapshot 

type MPCMetricsSnapshot struct {
	KeysByStatus            map[MPCKeyStatus]int            `json:"keys_by_status"`
	DKGAttemptsByStatus     map[MPCDKGStatus]int            `json:"dkg_attempts_by_status"`
	SigningSessionsByStatus map[MPCSigningSessionStatus]int `json:"signing_sessions_by_status"`
}

type MPCParticipant 

type MPCParticipant struct {
	MemberID              string          `json:"member_id"`
	PartyID               uint32          `json:"party_id"`
	Role                  MemberRole      `json:"role"`
	SignerURL             string          `json:"signer_url"`
	EncryptionPublicKey   string          `json:"encryption_public_key"`
	ApprovalPublicKey     string          `json:"approval_public_key"`
	SignerStatus          MPCSignerStatus `json:"signer_status"`
	PublicShareCommitment mpc.Point       `json:"public_share_commitment"`
}

type MPCPolicy 

type MPCPolicy struct {
	ApprovalMode        MPCApprovalMode `json:"approval_mode,omitempty"`
	AllowedRoles        []MemberRole    `json:"allowed_roles,omitempty"`
	AllowedDestinations []string        `json:"allowed_destinations,omitempty"`
	DeniedDestinations  []string        `json:"denied_destinations,omitempty"`
	MaxValue            string          `json:"max_value,omitempty"`
}

type MPCPolicyDecision 

type MPCPolicyDecision struct {
	Allowed bool     `json:"allowed"`
	Reasons []string `json:"reasons,omitempty"`
}

type MPCSignerRegistration 

type MPCSignerRegistration struct {
	URL                 string          `json:"url"`
	EncryptionPublicKey string          `json:"encryption_public_key"`
	ApprovalPublicKey   string          `json:"approval_public_key"`
	Status              MPCSignerStatus `json:"status,omitempty"`
}

type MPCSignerStatus 

type MPCSignerStatus string

MPCSignerStatus represents whether a member's external MPC signer can be used for threshold key generation and signing. 

const (
	MPCSignerStatusUnregistered MPCSignerStatus = "unregistered"
	MPCSignerStatusActive       MPCSignerStatus = "active"
	MPCSignerStatusDisabled     MPCSignerStatus = "disabled"
)

type MPCSigningSession 

type MPCSigningSession struct {
	SessionID    string                  `json:"session_id"`
	VaultID      string                  `json:"vault_id"`
	KeyID        string                  `json:"key_id"`
	Status       MPCSigningSessionStatus `json:"status"`
	Message      []byte                  `json:"message"`
	MessageHash  string                  `json:"message_hash"`
	MessageType  string                  `json:"message_type"`
	Chain        string                  `json:"chain,omitempty"`
	Network      string                  `json:"network,omitempty"`
	Transaction  MPCTransactionMetadata  `json:"transaction"`
	Policy       MPCPolicyDecision       `json:"policy"`
	Participants []uint32                `json:"participants"`
	Commitments  []mpc.Commitment        `json:"commitments,omitempty"`
	Approvals    []mpc.Approval          `json:"approvals,omitempty"`
	Signature    *mpc.Signature          `json:"signature,omitempty"`
	CreatedAt    time.Time               `json:"created_at"`
	ExpiresAt    time.Time               `json:"expires_at"`
}

type MPCSigningSessionCreate 

type MPCSigningSessionCreate struct {
	MessageBase64 string         `json:"-"`
	Message       []byte         `json:"message,omitempty"`
	Participants  []uint32       `json:"participants,omitempty"`
	TTL           time.Duration  `json:"ttl,omitempty"`
	MessageType   string         `json:"message_type,omitempty"`
	Chain         string         `json:"chain,omitempty"`
	Network       string         `json:"network,omitempty"`
	Transaction   map[string]any `json:"transaction_metadata,omitempty"`
}

type MPCSigningSessionStatus 

type MPCSigningSessionStatus string
const (
	MPCSigningSessionPending   MPCSigningSessionStatus = "pending"
	MPCSigningSessionCompleted MPCSigningSessionStatus = "completed"
	MPCSigningSessionExpired   MPCSigningSessionStatus = "expired"
	MPCSigningSessionFailed    MPCSigningSessionStatus = "failed"
)

type MPCTransactionMetadata 

type MPCTransactionMetadata struct {
	MessageType string         `json:"message_type"`
	Chain       string         `json:"chain,omitempty"`
	Network     string         `json:"network,omitempty"`
	Digest      string         `json:"digest"`
	Destination string         `json:"destination,omitempty"`
	Value       string         `json:"value,omitempty"`
	Fields      map[string]any `json:"fields,omitempty"`
}

type Member 

type Member struct {
	MemberID               string          `json:"member_id,omitzero"`
	PubKey                 [32]byte        `json:"pub_key,omitzero"`
	Role                   MemberRole      `json:"role,omitzero"`
	Status                 MemberStatus    `json:"status,omitzero"`
	AddedEpoch             uint64          `json:"added_epoch,omitzero"`
	RevokedEpoch           uint64          `json:"revoked_epoch,omitzero"`
	MPCPartyID             uint32          `json:"mpc_party_id,omitzero"`
	MPCSignerURL           string          `json:"mpc_signer_url,omitzero"`
	MPCEncryptionPublicKey string          `json:"mpc_encryption_public_key,omitzero"`
	MPCApprovalPublicKey   string          `json:"mpc_approval_public_key,omitzero"`
	MPCSignerStatus        MPCSignerStatus `json:"mpc_signer_status,omitzero"`
}

Member represents a vault member with their public key and access metadata.

type MemberRole 

type MemberRole string

MemberRole defines the access level of a vault member. 

const (
	RoleOwner  MemberRole = "owner"
	RoleWriter MemberRole = "writer"
	RoleReader MemberRole = "reader"
)

type MemberStatus 

type MemberStatus string

MemberStatus represents the current status of a vault member. 

const (
	StatusActive  MemberStatus = "active"
	StatusRevoked MemberStatus = "revoked"
)

type MemoryEpochCache 

type MemoryEpochCache struct {
	// contains filtered or unexported fields
}

MemoryEpochCache is an in-memory implementation suitable for tests.

func NewMemoryEpochCache 

func NewMemoryEpochCache() *MemoryEpochCache

NewMemoryEpochCache returns an in-memory epoch cache suitable for testing and single-process use.

func (*MemoryEpochCache) GetMaxEpochSeen 

func (c *MemoryEpochCache) GetMaxEpochSeen(vaultID string) uint64

func (*MemoryEpochCache) SetMaxEpochSeen 

func (c *MemoryEpochCache) SetMaxEpochSeen(vaultID string, epoch uint64) error

type RollbackError 

type RollbackError struct{}

RollbackError indicates a rollback attempt was detected.

func (RollbackError) Error 

func (e RollbackError) Error() string

type Session 

type Session struct {
	MemberID string
	// contains filtered or unexported fields
}

Session holds the encrypted key material for an active vault session. Keys are stored in memguard Enclaves (encrypted at rest in memory) and decrypted briefly into mlock'd LockedBuffers only during operations. Callers must call Close() when done (e.g. defer session.Close()).

func (*Session) AddMPCApproval 

func (s *Session) AddMPCApproval(ctx context.Context, sessionID string, approval mpc.Approval) (*MPCSigningSession, error)

func (*Session) AddMember 

func (s *Session) AddMember(ctx context.Context, memberID string, pubKey [32]byte, role MemberRole) error

AddMember adds a new member to the vault and rotates the epoch.

func (*Session) ChangeMemberRole 

func (s *Session) ChangeMemberRole(ctx context.Context, memberID string, newRole MemberRole) error

ChangeMemberRole changes the role of an existing active member. Only owners can change roles. Owners cannot change their own role. This does NOT trigger an epoch rotation — roles are enforced server-side at authorize() time and do not affect KEK wrapping.

func (*Session) Close 

func (s *Session) Close()

Close destroys the encrypted key material held by the session.

func (*Session) CompleteMPCSigningSession 

func (s *Session) CompleteMPCSigningSession(ctx context.Context, sessionID string, commitments []mpc.Commitment, signature *mpc.Signature) (*MPCSigningSession, error)

func (*Session) CreateMPCKey 

func (s *Session) CreateMPCKey(ctx context.Context, create MPCKeyCreate) (*MPCKey, error)

func (*Session) CreateMPCSigningSession 

func (s *Session) CreateMPCSigningSession(ctx context.Context, keyID string, message []byte, participants []uint32, ttl time.Duration) (*MPCSigningSession, error)

func (*Session) CreateMPCSigningSessionWithOptions 

func (s *Session) CreateMPCSigningSessionWithOptions(ctx context.Context, keyID string, create MPCSigningSessionCreate) (*MPCSigningSession, error)

func (*Session) Delete 

func (s *Session) Delete(ctx context.Context, itemID string) error

Delete removes an item from the vault.

func (*Session) Epoch 

func (s *Session) Epoch() uint64

Epoch returns the current epoch of the session.

func (*Session) ExportInviteGrant 

func (s *Session) ExportInviteGrant(ctx context.Context, passphrase string) ([]byte, error)

ExportInviteGrant encrypts the minimum vault material needed to accept an invite later. It intentionally does not include account credentials, MUKs, secret keys, or member private keys.

func (*Session) Get 

func (s *Session) Get(ctx context.Context, itemID string) (Fields, error)

Get retrieves and decrypts an item from the vault, returning all fields.

func (*Session) GetHistory 

func (s *Session) GetHistory(ctx context.Context, itemID string) ([]HistoryEntry, error)

GetHistory returns a list of history entries for the given item, sorted newest-first.

func (*Session) GetHistoryVersion 

func (s *Session) GetHistoryVersion(ctx context.Context, itemID string, version uint64) (Fields, error)

GetHistoryVersion decrypts and returns the fields from a specific history version.

func (*Session) GetMPCDKGAttempt 

func (s *Session) GetMPCDKGAttempt(ctx context.Context, dkgSessionID string) (*MPCDKGAttempt, error)

func (*Session) GetMPCKey 

func (s *Session) GetMPCKey(ctx context.Context, keyID string) (*MPCKey, error)

func (*Session) GetMPCKeyFragment 

func (s *Session) GetMPCKeyFragment(ctx context.Context, keyID, memberID string) (*MPCKeyFragment, error)

func (*Session) GetMPCSigningSession 

func (s *Session) GetMPCSigningSession(ctx context.Context, sessionID string) (*MPCSigningSession, error)

func (*Session) GetWithVersion 

func (s *Session) GetWithVersion(ctx context.Context, itemID string) (Fields, uint64, error)

GetWithVersion retrieves and decrypts an item, returning all fields and the current item version. This is identical to Get but also returns the ItemVersion from the stored item envelope.

func (*Session) HMACAudit 

func (s *Session) HMACAudit(data []byte) ([]byte, error)

HMACAudit computes HMAC-SHA256 of the given data using the vault's record key. This is used to produce tamper-evident signatures over audit exports.

func (*Session) List 

func (s *Session) List(ctx context.Context) ([]string, error)

List returns the IDs of all items stored in the vault.

func (*Session) ListMPCDKGAttempts 

func (s *Session) ListMPCDKGAttempts(ctx context.Context) ([]MPCDKGAttempt, error)

func (*Session) ListMPCKeys 

func (s *Session) ListMPCKeys(ctx context.Context) ([]MPCKey, error)

func (*Session) ListMPCSigningSessions 

func (s *Session) ListMPCSigningSessions(ctx context.Context) ([]MPCSigningSession, error)

func (*Session) ListMembers 

func (s *Session) ListMembers(ctx context.Context) ([]Member, error)

ListMembers returns all members of the vault (active and revoked). Requires at least read access.

func (*Session) MPCMetrics 

func (s *Session) MPCMetrics(ctx context.Context) (*MPCMetricsSnapshot, error)

func (*Session) MarkMPCKeyReplaced 

func (s *Session) MarkMPCKeyReplaced(ctx context.Context, keyID, replacementKeyID string) (*MPCKey, error)

func (*Session) OpenAuditRecord 

func (s *Session) OpenAuditRecord(env *storage.Envelope, aad []byte) ([]byte, error)

OpenAuditRecord decrypts an audit entry envelope using the vault's record key.

func (*Session) Put 

func (s *Session) Put(ctx context.Context, itemID string, fields Fields) error

Put encrypts and stores a new item in the vault. Each field is encrypted independently with the item's DEK.

func (*Session) RegisterMPCSigner 

func (s *Session) RegisterMPCSigner(ctx context.Context, memberID string, reg MPCSignerRegistration) error

func (*Session) RequireAdmin 

func (s *Session) RequireAdmin(ctx context.Context) error

RequireAdmin verifies the session member currently has owner/admin access.

func (*Session) RevokeMember 

func (s *Session) RevokeMember(ctx context.Context, memberID string) error

RevokeMember revokes a member's access to the vault and rotates the epoch.

func (*Session) SaveMPCDKGAttempt 

func (s *Session) SaveMPCDKGAttempt(ctx context.Context, attempt MPCDKGAttempt) (*MPCDKGAttempt, error)

func (*Session) SealAuditRecord 

func (s *Session) SealAuditRecord(plaintext, aad []byte) (*storage.Envelope, error)

SealAuditRecord encrypts an audit entry using the vault's record key. The caller provides AAD to bind the ciphertext to its context (e.g. vault ID and entry ID).

func (*Session) SetMPCKeyStatus 

func (s *Session) SetMPCKeyStatus(ctx context.Context, keyID string, status MPCKeyStatus) (*MPCKey, error)

func (*Session) Update 

func (s *Session) Update(ctx context.Context, itemID string, fields Fields) (uint64, error)

Update re-encrypts and stores an existing item, using CAS to detect conflicts. All fields are replaced atomically. The previous version is preserved as an ITEM_HISTORY record so it can be retrieved later via GetHistory/GetHistoryVersion. Returns the new item version and any error.

type SessionClosedError 

type SessionClosedError struct{}

SessionClosedError indicates the session has already been closed and its key material destroyed.

func (SessionClosedError) Error 

func (e SessionClosedError) Error() string

type StaleSessionError 

type StaleSessionError struct{}

StaleSessionError indicates the session epoch is behind the vault's current epoch.

func (StaleSessionError) Error 

func (e StaleSessionError) Error() string

type UnauthorizedError 

type UnauthorizedError struct {
	Message string
}

UnauthorizedError indicates the caller is not permitted for the attempted operation.

func (UnauthorizedError) Error 

func (e UnauthorizedError) Error() string

type ValidationError 

type ValidationError struct {
	Message string
}

ValidationError indicates a caller-provided parameter is invalid.

func (ValidationError) Error 

func (e ValidationError) Error() string

type Vault 

type Vault struct {
	// contains filtered or unexported fields
}

Vault represents a secure encrypted vault backed by a Repository and EpochCache.

func New 

func New(id string, repo storage.Repository, opts ...VaultOption) *Vault

New creates a Vault handle for the given vault ID and storage backend.

By default, it uses an in-memory epoch cache (MemoryEpochCache), which is suitable for testing or short-lived applications. For production use, it is strongly recommended to configure a persistent epoch cache, such as BoltEpochCache, using the WithEpochCache option. Failing to do so will result in the loss of rollback protection across application restarts.

func (*Vault) Create 

func (v *Vault) Create(ctx context.Context, creds *Credentials, opts ...CreateOption) (*Session, error)

Create initializes a new vault with the given credentials as the owner. It persists the vault state, owner membership, and KEK wrap, then returns an open Session for the owner.

func (*Vault) ID 

func (v *Vault) ID() string

ID returns the vault's identifier.

func (*Vault) Open 

func (v *Vault) Open(ctx context.Context, creds *Credentials) (*Session, error)

Open opens an existing vault session for the given member.

func (*Vault) OpenInviteGrant 

func (v *Vault) OpenInviteGrant(ctx context.Context, data []byte, passphrase string) (*Session, error)

OpenInviteGrant opens a temporary owner session from an invite grant so the pre-authorized member addition can be completed without credential cloning.

type VaultExistsError 

type VaultExistsError struct{}

VaultExistsError indicates a vault with the same ID already exists.

func (VaultExistsError) Error 

func (e VaultExistsError) Error() string

type VaultOption 

type VaultOption func(*Vault)

VaultOption configures a Vault.

func WithEpochCache 

func WithEpochCache(cache EpochCache) VaultOption

WithEpochCache sets the epoch cache for the vault.

type VaultStateOption 

type VaultStateOption func(*vaultState)

VaultStateOption is a functional option for vault state configuration.

func WithCreatedAt 

func WithCreatedAt(createdAt time.Time) VaultStateOption

WithCreatedAt sets the creation time for the vault state.

func WithEpoch 

func WithEpoch(epoch uint64) VaultStateOption

WithEpoch sets the epoch for the vault state.

func WithKDFParams 

func WithKDFParams(params Argon2idParams) VaultStateOption

WithKDFParams sets the KDF parameters for the vault state.

func WithVer 

func WithVer(ver int) VaultStateOption

WithVer sets the version for the vault state.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.