secrets

package

v0.0.5 Latest Latest Go to latest Published: Jan 24, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/narvanalabs/control-plane

Links

Open Source Insights

Documentation ¶

Overview ¶

Package secrets provides SOPS-Nix compatible secrets management using age encryption. This implements the secrets management as per https://github.com/Mic92/sops-nix

Index ¶

Variables
func GenerateKeyPair() (publicKey, privateKey string, err error)
func GenerateRandomBytes(n int) ([]byte, error)
type Config
type KeyRotationResult
type SOPSService
- func NewSOPSService(cfg *Config, logger *slog.Logger) (*SOPSService, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// ErrNoPublicKey is returned when no public key is configured for encryption.
	ErrNoPublicKey = errors.New("no public key configured for encryption")
	// ErrNoPrivateKey is returned when no private key is configured for decryption.
	ErrNoPrivateKey = errors.New("no private key configured for decryption")
	// ErrDecryptionFailed is returned when decryption fails.
	ErrDecryptionFailed = errors.New("decryption failed")
	// ErrEncryptionFailed is returned when encryption fails.
	ErrEncryptionFailed = errors.New("encryption failed")
	// ErrInvalidKey is returned when a key is invalid.
	ErrInvalidKey = errors.New("invalid key format")
)

Functions ¶

func GenerateKeyPair ¶

func GenerateKeyPair() (publicKey, privateKey string, err error)

GenerateKeyPair generates a new age key pair for use with SOPS. Returns the public key (for encryption) and private key (for decryption).

func GenerateRandomBytes ¶

func GenerateRandomBytes(n int) ([]byte, error)

GenerateRandomBytes generates cryptographically secure random bytes. Useful for generating secrets like database passwords.

Types ¶

type Config ¶

type Config struct {
	// AgePublicKey is the age public key for encryption (required for API server).
	// Format: age1... (Bech32 encoded)
	AgePublicKey string
	// AgePrivateKey is the age private key for decryption (required for node agents).
	// Format: AGE-SECRET-KEY-1... (Bech32 encoded)
	AgePrivateKey string
}

Config holds the configuration for the SOPS service.

type KeyRotationResult ¶

type KeyRotationResult struct {
	// NewPublicKey is the new public key to use for encryption.
	NewPublicKey string
	// NewPrivateKey is the new private key to use for decryption.
	NewPrivateKey string
	// RotatedSecrets is a map of app_id -> key -> new_encrypted_value.
	RotatedSecrets map[string]map[string][]byte
	// FailedSecrets is a map of app_id -> key -> error message for secrets that failed to rotate.
	FailedSecrets map[string]map[string]string
}

KeyRotationResult contains the result of a key rotation operation.

type SOPSService ¶

type SOPSService struct {
	// contains filtered or unexported fields
}

SOPSService provides SOPS-compatible encryption and decryption using age. It follows the sops-nix pattern where secrets are encrypted with age public keys and can only be decrypted by nodes with the corresponding private keys.

func NewSOPSService ¶

func NewSOPSService(cfg *Config, logger *slog.Logger) (*SOPSService, error)

NewSOPSService creates a new SOPS service with the given configuration. At least one of public key (for encryption) or private key (for decryption) must be provided.

func (*SOPSService) CanDecrypt ¶

func (s *SOPSService) CanDecrypt() bool

CanDecrypt returns true if the service is configured for decryption.

func (*SOPSService) CanEncrypt ¶

func (s *SOPSService) CanEncrypt() bool

CanEncrypt returns true if the service is configured for encryption.

func (*SOPSService) Decrypt ¶

func (s *SOPSService) Decrypt(ctx context.Context, ciphertext []byte) ([]byte, error)

Decrypt decrypts age-encrypted ciphertext using the configured private key. This is typically only available on node agents that have the private key.

func (*SOPSService) Encrypt ¶

func (s *SOPSService) Encrypt(ctx context.Context, plaintext []byte) ([]byte, error)

Encrypt encrypts plaintext using age encryption with the configured public key. The output is the age-encrypted ciphertext that can only be decrypted with the corresponding private key.

func (*SOPSService) GetPublicKey ¶

func (s *SOPSService) GetPublicKey() string

GetPublicKey returns the configured public key string, or empty if not configured.

func (*SOPSService) ReEncrypt ¶

func (s *SOPSService) ReEncrypt(ctx context.Context, ciphertext []byte, newPublicKey *age.X25519Recipient) ([]byte, error)

ReEncrypt decrypts ciphertext with the current private key and re-encrypts with a new public key. This is used during key rotation.

func (*SOPSService) RotateKeys ¶

func (s *SOPSService) RotateKeys(ctx context.Context, secrets map[string]map[string][]byte) (*KeyRotationResult, error)

RotateKeys generates a new key pair and re-encrypts all provided secrets. This function requires both encryption (public key) and decryption (private key) capabilities. The caller is responsible for persisting the new keys and updated secrets.

Parameters:

secrets: map of app_id -> key -> encrypted_value

Returns:

KeyRotationResult containing the new keys and re-encrypted secrets
error if key generation fails or if the service cannot decrypt

func (*SOPSService) UpdateKeys ¶

func (s *SOPSService) UpdateKeys(publicKey, privateKey string) error

UpdateKeys updates the service's keys to use a new key pair. This should be called after key rotation to update the service configuration.

Source Files ¶

View all Source files

sops.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL