keyring

package
v0.5.0

Note: this package is not in the latest version of its module.
Published: Mar 9, 2026 License: MIT Imports: 7 Imported by: 0

Documentation


Constants

const KeyMasterPassphrase = "master-passphrase"

KeyMasterPassphrase is the keyring key for the master passphrase.

const Service = "lango"

Service is the service name used for all keyring operations.

Variables

var ErrBiometricNotAvailable = errors.New("keyring: biometric authentication not available")

ErrBiometricNotAvailable is returned when biometric authentication hardware (e.g., Touch ID on macOS) is not available on the current system.

var ErrEntitlement = errors.New("keyring: missing code signing entitlement for biometric storage")

ErrEntitlement is returned when a keyring operation fails because the binary lacks the code signing entitlement needed for biometric storage (macOS errSecMissingEntitlement, OSStatus -34018). With the login Keychain + BiometryCurrentSet approach this error should no longer occur in normal usage; it is retained as a safety net for edge cases, e.g. no device passcode set while the item is protected with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly.

var ErrNotFound = errors.New("keyring: key not found")

ErrNotFound is returned when the requested key does not exist in the keyring.

var ErrTPMNotAvailable = errors.New("keyring: TPM device not available")

ErrTPMNotAvailable is returned when no TPM 2.0 device is accessible on the current system.

Functions

func DetectSecureProvider

func DetectSecureProvider() (Provider, SecurityTier)

DetectSecureProvider probes available security backends and returns the highest-tier provider. Returns (nil, TierNone) if no secure hardware backend is available — callers should fall back to keyfile or interactive prompt.

Types

type BiometricProvider

type BiometricProvider struct{}

BiometricProvider is a stub on platforms without macOS Touch ID support.

func NewBiometricProvider

func NewBiometricProvider() (*BiometricProvider, error)

NewBiometricProvider always returns ErrBiometricNotAvailable on non-Darwin or non-CGO platforms.

func (*BiometricProvider) Delete

func (*BiometricProvider) Delete(string, string) error

Delete is a no-op stub that always returns ErrBiometricNotAvailable.

func (*BiometricProvider) Get

func (*BiometricProvider) Get(string, string) (string, error)

Get is a no-op stub that always returns ErrBiometricNotAvailable.

func (*BiometricProvider) HasKey

func (*BiometricProvider) HasKey(string, string) bool

HasKey is a no-op stub that always returns false.

func (*BiometricProvider) Set

func (*BiometricProvider) Set(string, string, string) error

Set is a no-op stub that always returns ErrBiometricNotAvailable.

type KeyChecker

type KeyChecker interface {
	HasKey(service, key string) bool
}

KeyChecker is an optional interface that secure providers can implement to check key existence without triggering authentication (e.g., Touch ID). CLI status commands should prefer HasKey over Get to avoid unnecessary biometric prompts.

type Provider

type Provider interface {
	// Get retrieves a secret for the given service and key.
	// Returns ErrNotFound if the key does not exist.
	Get(service, key string) (string, error)

	// Set stores a secret for the given service and key.
	Set(service, key, value string) error

	// Delete removes a secret for the given service and key.
	// Returns ErrNotFound if the key does not exist.
	Delete(service, key string) error
}

Provider abstracts OS keyring operations for testability.
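The following is an added example, not code from the lango project, showing how a caller would combine DetectSecureProvider's (provider, tier) result, the Provider interface and the optional KeyChecker interface. It re-declares the documented names (Service, KeyMasterPassphrase, ErrNotFound, SecurityTier, Provider, KeyChecker) locally so it builds without the module; promptingProvider, HasSecret and LoadMasterPassphrase are constructed for illustration. The prompt counter stands in for the Touch ID prompt a real biometric Get would trigger, which is the cost a status command avoids by going through HasKey.

```go
package main

import (
	"errors"
	"fmt"
)

// Local mirrors of the keyring package's exported declarations (assumption:
// same names and signatures as documented), so this example builds stand-alone.
const (
	Service             = "lango"
	KeyMasterPassphrase = "master-passphrase"
)

var ErrNotFound = errors.New("keyring: key not found")

type SecurityTier int

const (
	TierNone SecurityTier = iota
	TierTPM
	TierBiometric
)

type Provider interface {
	Get(service, key string) (string, error)
	Set(service, key, value string) error
	Delete(service, key string) error
}

type KeyChecker interface {
	HasKey(service, key string) bool
}

// promptingProvider is a constructed stand-in for a biometric backend: every
// Get counts as one user-facing authentication prompt; HasKey costs none.
type promptingProvider struct {
	store   map[string]string
	prompts int
}

func newPromptingProvider() *promptingProvider {
	return &promptingProvider{store: map[string]string{}}
}

func (p *promptingProvider) Get(service, key string) (string, error) {
	p.prompts++ // where a real provider would show the Touch ID prompt
	v, ok := p.store[service+"/"+key]
	if !ok {
		return "", ErrNotFound
	}
	return v, nil
}

func (p *promptingProvider) Set(service, key, value string) error {
	p.store[service+"/"+key] = value
	return nil
}

func (p *promptingProvider) Delete(service, key string) error {
	if _, ok := p.store[service+"/"+key]; !ok {
		return ErrNotFound
	}
	delete(p.store, service+"/"+key)
	return nil
}

func (p *promptingProvider) HasKey(service, key string) bool {
	_, ok := p.store[service+"/"+key]
	return ok
}

// HasSecret answers "is key stored?" for a status command. It uses KeyChecker
// when the provider offers it and falls back to Get (which may prompt) only
// for providers that do not.
func HasSecret(p Provider, key string) (bool, error) {
	if kc, ok := p.(KeyChecker); ok {
		return kc.HasKey(Service, key), nil
	}
	_, err := p.Get(Service, key)
	if errors.Is(err, ErrNotFound) {
		return false, nil
	}
	return err == nil, err
}

// LoadMasterPassphrase consumes DetectSecureProvider's result: fallback (a
// keyfile or interactive prompt supplied by the caller) runs when there is no
// secure backend or the passphrase was never stored. The tier is checked, not
// only p == nil, so a typed nil wrapped in the interface cannot slip through.
func LoadMasterPassphrase(p Provider, tier SecurityTier, fallback func() (string, error)) (string, error) {
	if tier == TierNone || p == nil {
		return fallback()
	}
	v, err := p.Get(Service, KeyMasterPassphrase)
	if errors.Is(err, ErrNotFound) {
		return fallback()
	}
	return v, err
}

func main() {
	p := newPromptingProvider()
	_ = p.Set(Service, KeyMasterPassphrase, "correct horse battery staple")
	present, _ := HasSecret(p, KeyMasterPassphrase) // no prompt
	v, err := LoadMasterPassphrase(p, TierBiometric, func() (string, error) { return "", errors.New("no fallback") })
	fmt.Printf("stored=%v value=%q err=%v prompts=%d\n", present, v, err, p.prompts)
}
```

In a real CLI the `p, tier := DetectSecureProvider()` pair would be passed straight into LoadMasterPassphrase, and the `status` subcommand would call only HasSecret, never Get.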

type SecurityTier

type SecurityTier int

SecurityTier represents the level of hardware-backed security available for keyring storage.

const (
	// TierNone indicates no secure hardware backend; keyfile or interactive prompt only.
	TierNone SecurityTier = iota
	// TierTPM indicates TPM 2.0 sealed storage is available (Linux).
	TierTPM
	// TierBiometric indicates biometric-protected keyring is available (macOS Touch ID).
	TierBiometric
)

func (SecurityTier) String

func (t SecurityTier) String() string

String returns a human-readable label for the security tier.

type TPMProvider

type TPMProvider struct {
	// contains filtered or unexported fields
}

TPMProvider stores secrets as TPM2-sealed blobs on disk. Only the TPM that sealed a blob can unseal it, so a blob copied to another machine is useless without that chip: the protection is bound to the hardware, not to the file.

func NewTPMProvider

func NewTPMProvider() (*TPMProvider, error)

NewTPMProvider creates a new TPMProvider. Returns ErrTPMNotAvailable if the TPM2 device is not accessible.

func (*TPMProvider) Delete

func (p *TPMProvider) Delete(service, key string) error

Delete removes the sealed blob file.

func (*TPMProvider) Get

func (p *TPMProvider) Get(service, key string) (string, error)

Get retrieves and unseals a secret from the TPM-sealed blob.

func (*TPMProvider) HasKey

func (p *TPMProvider) HasKey(service, key string) bool

HasKey checks if a sealed blob file exists for the given key without unsealing.

func (*TPMProvider) Set

func (p *TPMProvider) Set(service, key, value string) error

Set seals a secret with the TPM and writes the sealed blob to disk.
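As an added example (not lango's TPMProvider), here is the on-disk shape the Get/Set/Delete/HasKey description above implies: one blob file per (service, key), written atomically with owner-only permissions, HasKey answered by a stat rather than an unseal, and ErrNotFound mapped from a missing file. The sealing itself is an assumption and a stand-in: AES-GCM under a key held by the process, where the real provider hands the plaintext to the TPM. Two details are mine, not the page's: the file name is a hash of the identity so a key such as "../../x" cannot escape the directory, and the identity is also the AEAD associated data so a blob renamed to another key's path does not unseal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"os"
	"path/filepath"
)

var ErrNotFound = errors.New("keyring: key not found")

// blobStore keeps one sealed blob file per (service, key) under dir and has
// the same Get/Set/Delete/HasKey method set as TPMProvider. Sealing is a
// stand-in (assumption): AES-GCM under sealKey instead of a TPM.
type blobStore struct {
	dir  string
	aead cipher.AEAD
}

func newBlobStore(dir string, sealKey []byte) (*blobStore, error) {
	block, err := aes.NewCipher(sealKey) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	return &blobStore{dir: dir, aead: aead}, nil
}

// identity is the (service, key) pair a blob is bound to; used as AEAD
// associated data so a blob moved to another key's path fails to unseal.
func identity(service, key string) []byte {
	return []byte(service + "\x00" + key)
}

// path hashes the identity into the file name, so hostile key names such as
// "../../etc/passwd" cannot escape dir.
func (s *blobStore) path(service, key string) string {
	sum := sha256.Sum256(identity(service, key))
	return filepath.Join(s.dir, hex.EncodeToString(sum[:16])+".sealed")
}

// Set seals value and replaces the blob atomically with mode 0600.
func (s *blobStore) Set(service, key, value string) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := s.aead.Seal(nonce, nonce, []byte(value), identity(service, key)) // nonce || ciphertext
	dst := s.path(service, key)
	if err := os.WriteFile(dst+".tmp", blob, 0o600); err != nil {
		return err
	}
	return os.Rename(dst+".tmp", dst)
}

// Get reads and unseals the blob; a missing file maps to ErrNotFound.
func (s *blobStore) Get(service, key string) (string, error) {
	blob, err := os.ReadFile(s.path(service, key))
	if errors.Is(err, os.ErrNotExist) {
		return "", ErrNotFound
	}
	if err != nil {
		return "", err
	}
	n := s.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("keyring: truncated blob")
	}
	pt, err := s.aead.Open(nil, blob[:n], blob[n:], identity(service, key))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func (s *blobStore) Delete(service, key string) error {
	err := os.Remove(s.path(service, key))
	if errors.Is(err, os.ErrNotExist) {
		return ErrNotFound
	}
	return err
}

// HasKey only stats the file: no unseal, no round trip to the sealing device.
func (s *blobStore) HasKey(service, key string) bool {
	_, err := os.Stat(s.path(service, key))
	return err == nil
}
```

A caller constructs the store with `newBlobStore(dir, key)` and then uses it exactly like TPMProvider: `Set` before `Get`, `HasKey` for status output, and `Delete` to remove the blob, with `errors.Is(err, ErrNotFound)` distinguishing an absent key from an unseal failure.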
