encrypt

package

v0.4.1 Latest Latest Go to latest Published: Feb 18, 2026 License: Apache-2.0 Imports: 6 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/mutablelogic/go-llm

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func Decrypt[T interface{ ... }](passphrase string, blob []byte) (T, error)
func Encrypt[T interface{ ... }](passphrase string, plaintext T) ([]byte, error)
func GenerateSalt() ([]byte, error)
func ValidatePassphrase(passphrase string) error
type Key
- func DeriveKey(passphrase string, salt []byte) Key
- func (k Key) Decrypt(ciphertext []byte) ([]byte, error)
- func (k Key) Encrypt(plaintext []byte) ([]byte, error)

Constants ¶

View Source

const (

	// SaltSize is the length of a random salt in bytes.
	SaltSize = 16

	// MinPassphraseLen is the minimum acceptable passphrase length.
	MinPassphraseLen = 8
)

Variables ¶

This section is empty.

Functions ¶

func Decrypt ¶

func Decrypt[T interface{ []byte | string }](passphrase string, blob []byte) (T, error)

Decrypt splits the salt from the blob, re-derives the key, and decrypts ciphertext produced by Encrypt. The type parameter controls the return type.

Example usage:

plaintext, err := encrypt.Decrypt[[]byte]("my-passphrase", blob)
text, err := encrypt.Decrypt[string]("my-passphrase", blob)

func Encrypt ¶

func Encrypt[T interface{ []byte | string }](passphrase string, plaintext T) ([]byte, error)

Encrypt generates a fresh salt, derives a key from the passphrase, and encrypts plaintext using AES-256-GCM. The returned blob is:

salt (16 bytes) || nonce (12 bytes) || ciphertext + tag

Example usage:

blob, err := encrypt.Encrypt("my-passphrase", []byte("secret"))
blob, err := encrypt.Encrypt("my-passphrase", "secret")

func GenerateSalt ¶

func GenerateSalt() ([]byte, error)

GenerateSalt returns a cryptographically random 16-byte salt.

func ValidatePassphrase ¶

func ValidatePassphrase(passphrase string) error

ValidatePassphrase checks that the passphrase meets minimum security requirements: non-empty, not whitespace-only, and at least MinPassphraseLen characters long.

Types ¶

type Key ¶

type Key []byte

Key is a 256-bit encryption key derived from a passphrase.

func DeriveKey ¶

func DeriveKey(passphrase string, salt []byte) Key

DeriveKey derives a 256-bit encryption key from a passphrase and salt using Argon2id.

func (Key) Decrypt ¶

func (k Key) Decrypt(ciphertext []byte) ([]byte, error)

Decrypt decrypts ciphertext (nonce || ciphertext + tag) using AES-256-GCM.

func (Key) Encrypt ¶

func (k Key) Encrypt(plaintext []byte) ([]byte, error)

Encrypt encrypts plaintext using AES-256-GCM with a random nonce. Returns nonce || ciphertext + tag.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL