tag

package
v1.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 13, 2026 License: BSD-3-Clause Imports: 11 Imported by: 0

Documentation

Overview

Package tag implements tagged P-256 or hybrid P-256 + ML-KEM-768 recipients, which can be used with identities stored on hardware keys, usually supported by dedicated plugins.

The tag reduces privacy, by allowing an observer to correlate files with a recipient (but not files amongst them without knowledge of the recipient), but this is also a desirable property for hardware keys that require user interaction for each decryption operation.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Recipient 

type Recipient struct {
	// contains filtered or unexported fields
}

Recipient is a tagged P-256 or hybrid P-256 + ML-KEM-768 recipient.

The latter recipient is safe against future cryptographically-relevant quantum computers, and can only be used along with other post-quantum recipients.

func NewClassicRecipient 

func NewClassicRecipient(publicKey []byte) (*Recipient, error)

NewClassicRecipient returns a new P-256 Recipient from a raw public key.

func NewHybridRecipient 

func NewHybridRecipient(publicKey []byte) (*Recipient, error)

NewHybridRecipient returns a new hybrid P-256 + ML-KEM-768 Recipient from raw concatenated public keys.

func ParseRecipient 

func ParseRecipient(s string) (*Recipient, error)

ParseRecipient returns a new Recipient from a Bech32 public key encoding with the "age1tag1" or "age1tagpq1" prefix.

func (*Recipient) Bytes 

func (r *Recipient) Bytes() []byte

Bytes returns the raw recipient encoding.

func (*Recipient) Hybrid 

func (r *Recipient) Hybrid() bool

Hybrid reports whether r is a hybrid P-256 + ML-KEM-768 recipient.

func (*Recipient) String 

func (r *Recipient) String() string

String returns the Bech32 public key encoding of r.

func (*Recipient) Tag 

func (r *Recipient) Tag(enc []byte) ([]byte, error)

Tag computes the 4-byte tag for the given ciphertext enc.

This is a low-level method exposed for use by plugins that implement identities compatible with tagged recipients.

func (*Recipient) Wrap 

func (r *Recipient) Wrap(fileKey []byte) ([]*age.Stanza, error)

func (*Recipient) WrapWithLabels 

func (r *Recipient) WrapWithLabels(fileKey []byte) ([]*age.Stanza, []string, error)

WrapWithLabels implements age.RecipientWithLabels, returning a single "postquantum" label if r is a hybrid P-256 + ML-KEM-768 recipient. This ensures a hybrid Recipient can't be mixed with other recipients that would defeat its post-quantum security.

To unsafely bypass this restriction, wrap Recipient in an age.Recipient type that doesn't expose WrapWithLabels.

Source Files

View all Source files

Directories

Path Synopsis
internal
age-plugin-tagtest command
Command age-plugin-tagtest is a that decrypts files encrypted to fixed age1tag1...
 Command age-plugin-tagtest is a that decrypts files encrypted to fixed age1tag1...
tagtest

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.