Documentation
Overview
Package encrypt provides reversible AES-256-GCM encryption and decryption utilities for securing sensitive data like API keys and credentials.
Index
- Variables
- func CompareHash(hash string, password string) (bool, error)
- func Decrypt(ciphertext string) (string, error)
- func Encrypt(plaintext string) (string, error)
- func Hash(password string) (string, error)
- func HashSHA256(value string) string
- func Init(key string, _logger schemas.Logger)
- func IsEnabled() bool
- func Key() []byte
Constants
This section is empty.
Variables
var ErrEncryptionKeyNotInitialized = errors.New("encryption key is not initialized")
Functions
func CompareHash (added in v1.1.20)
CompareHash compares a hash and a password.
func Decrypt
Decrypt decrypts a base64-encoded ciphertext using AES-256-GCM and returns the plaintext.
func Encrypt
Encrypt encrypts a plaintext string using AES-256-GCM and returns a base64-encoded ciphertext.
func HashSHA256 (added in v1.2.22)
HashSHA256 returns a deterministic hex-encoded SHA-256 hash of the input. Used for hash-based lookups on encrypted columns (e.g., virtual key value, session token).
func Init
Init initializes the encryption key using Argon2id KDF to derive a secure 32-byte key from the provided passphrase. This ensures strong entropy regardless of passphrase length. The function accepts any passphrase but warns if it's too short (< 16 bytes).
func IsEnabled (added in v1.2.22)
func IsEnabled() bool
IsEnabled returns true if the encryption key has been initialized.
func Key (added in v1.3.9)
func Key() []byte
Key returns a copy of the derived 32-byte encryption key, or nil if the encryption key has not been initialized. Because the returned slice is a copy, callers cannot mutate the underlying key. Used by subsystems that need to derive their own domain-separated subkeys (e.g. WebSocket ticket signing).
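The domain-separated subkey use described for Key, shown as an added example that is not the package's own code. The helpers deriveSubkey, signTicket and verifyTicket and the label strings are hypothetical, the master key is a constructed stand-in for the value Key() returns, and the derivation (one HKDF-Expand block over HMAC-SHA256) is an assumption rather than the project's documented method.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveSubkey (hypothetical) is one HKDF-Expand block (RFC 5869) over HMAC-SHA256:
// the master key is the PRK, the label is the info. One label per purpose.
func deriveSubkey(master []byte, label string) ([]byte, error) {
	if len(master) != 32 { // Key() returns nil when Init was never called
		return nil, fmt.Errorf("master key is not initialized (len %d)", len(master))
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(label))
	mac.Write([]byte{0x01}) // HKDF-Expand block counter for T(1)
	return mac.Sum(nil), nil
}

// signTicket returns a hex HMAC-SHA256 tag over the ticket payload.
func signTicket(subkey []byte, payload string) string {
	mac := hmac.New(sha256.New, subkey)
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyTicket recomputes the tag and compares it in constant time.
func verifyTicket(subkey []byte, payload, tag string) bool {
	got, err := hex.DecodeString(tag)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, subkey)
	mac.Write([]byte(payload))
	return hmac.Equal(got, mac.Sum(nil))
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed stand-in for encrypt.Key()
	ws, _ := deriveSubkey(master, "example/ws-ticket/v1")
	other, _ := deriveSubkey(master, "example/other/v1")
	tag := signTicket(ws, "user=alice;exp=1700000000") // constructed payload
	fmt.Println(verifyTicket(ws, "user=alice;exp=1700000000", tag))    // true
	fmt.Println(verifyTicket(other, "user=alice;exp=1700000000", tag)) // false
}
```

A tag made under one label does not verify under another, so a leaked or misused signing subkey does not expose the AES-256-GCM key used by Encrypt and Decrypt.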
Types
This section is empty.