secrets

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 2, 2026 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

Package secrets provides encrypted secret storage using pluggable backends.

Index

Constants

View Source 
const (
	// AESKeySize is the size of AES keys we use (256-bit)
	AESKeySize = 32

	// NonceSize is the size of the nonce/IV for AES-GCM
	NonceSize = 12
)

Variables

This section is empty.

Functions

func CalculateChecksum 

func CalculateChecksum(data []byte) string

CalculateChecksum calculates SHA256 checksum of data

func DecryptData 

func DecryptData(encryptedData, key []byte) ([]byte, error)

DecryptData decrypts data using AES-GCM with the given encryption key

func DecryptDataWithAlgorithm 

func DecryptDataWithAlgorithm(encryptedData, key []byte, algorithm string) ([]byte, error)

DecryptDataWithAlgorithm decrypts data with specific algorithm info

func DecryptDataWithMultipleKeys 

func DecryptDataWithMultipleKeys(encryptedData []byte, keys [][]byte) ([]byte, error)

DecryptDataWithMultipleKeys tries to decrypt data with multiple encryption keys

func EncryptData 

func EncryptData(plaintext, key []byte) ([]byte, error)

EncryptData encrypts data using AES-GCM with the given encryption key

func EncryptDataWithAlgorithm 

func EncryptDataWithAlgorithm(plaintext, key []byte, algorithm string) ([]byte, error)

EncryptDataWithAlgorithm encrypts data with specific algorithm info

func GenerateKeyID 

func GenerateKeyID() (string, error)

GenerateKeyID generates a unique identifier for a key

func LoadEncryptionKeys 

func LoadEncryptionKeys(ctx context.Context, keys ...KeyConfig) ([][]byte, error)

LoadEncryptionKeys loads all encryption keys from the given configs. Note that the first key will be the current encryption key, and any additional keys will be old keys used only for decryption.

Types

type AWSSecretsManager 

type AWSSecretsManager struct {
	// contains filtered or unexported fields
}

AWSSecretsManager implements Store using AWS Secrets Manager

func NewAWSSecretsManagerStore 

func NewAWSSecretsManagerStore(client *secretsmanager.Client, prefix string) *AWSSecretsManager

NewAWSSecretsManagerStore creates a new AWS Secrets Manager store

func (*AWSSecretsManager) Delete 

func (a *AWSSecretsManager) Delete(ctx context.Context, name string) error

Delete removes a secret from AWS Secrets Manager

func (*AWSSecretsManager) Get 

func (a *AWSSecretsManager) Get(ctx context.Context, name string) ([]byte, error)

Get retrieves a secret from AWS Secrets Manager

func (*AWSSecretsManager) Set 

func (a *AWSSecretsManager) Set(ctx context.Context, name string, data []byte) error

Set stores a secret in AWS Secrets Manager

type Cached 

type Cached struct {
	// contains filtered or unexported fields
}

Cached wraps a Store with in-memory caching and stale-while-revalidate strategy

func (*Cached) Delete 

func (c *Cached) Delete(ctx context.Context, name string) error

Delete delegates to underlying store and removes from cache

func (*Cached) Get 

func (c *Cached) Get(ctx context.Context, name string) ([]byte, error)

Get retrieves a secret with caching logic

func (*Cached) Set 

func (c *Cached) Set(ctx context.Context, name string, data []byte) error

Set delegates to underlying store (no caching needed for writes)

type GCPSecretManager 

type GCPSecretManager struct {
	// contains filtered or unexported fields
}

GCPSecretManager implements secrets Store using GCP Secret Manager

func NewGCPSecretManagerStore 

func NewGCPSecretManagerStore(client *secretmanager.Client, project, prefix string) *GCPSecretManager

NewGCPSecretManagerStore creates a new GCP Secret Manager store

func (*GCPSecretManager) Delete 

func (g *GCPSecretManager) Delete(ctx context.Context, name string) error

Delete removes a secret from GCP Secret Manager

func (*GCPSecretManager) Get 

func (g *GCPSecretManager) Get(ctx context.Context, name string) ([]byte, error)

Get retrieves a secret from GCP Secret Manager

func (*GCPSecretManager) List 

func (g *GCPSecretManager) List(ctx context.Context) ([]string, error)

List returns all secret names with the given prefix

func (*GCPSecretManager) Set 

func (g *GCPSecretManager) Set(ctx context.Context, name string, data []byte) error

Set stores a secret in GCP Secret Manager

type KeyConfig 

type KeyConfig struct {
	Provider string
	Options  map[string]interface{}
	Source   string
}

KeyConfig defines configuration for loading a single encryption key

type Memory 

type Memory struct {
	// contains filtered or unexported fields
}

Memory implements Store using in-memory storage

func NewMemoryStore 

func NewMemoryStore() *Memory

NewMemoryStore creates a new in-memory store

func (*Memory) Delete 

func (m *Memory) Delete(ctx context.Context, name string) error

Delete removes a secret from memory

func (*Memory) Get 

func (m *Memory) Get(ctx context.Context, name string) ([]byte, error)

Get retrieves a secret from memory

func (*Memory) Set 

func (m *Memory) Set(ctx context.Context, name string, data []byte) error

Set stores a secret in memory

type ObjectStorageStore 

type ObjectStorageStore struct {
	// contains filtered or unexported fields
}

ObjectStorageStore implements Store using object storage (S3, GCS, etc.) with optional encryption

func NewObjectStorageStore 

func NewObjectStorageStore(storage storage.Storage, prefix string, encryptionKeys [][]byte) *ObjectStorageStore

NewObjectStorageStore creates a new object storage-based store with optional encryption keys

func (*ObjectStorageStore) Delete 

func (s *ObjectStorageStore) Delete(ctx context.Context, name string) error

Delete removes a secret from object storage

func (*ObjectStorageStore) Get 

func (s *ObjectStorageStore) Get(ctx context.Context, name string) ([]byte, error)

Get retrieves a secret from object storage

func (*ObjectStorageStore) Set 

func (s *ObjectStorageStore) Set(ctx context.Context, name string, data []byte) error

Set stores a secret in object storage

type Store 

type Store interface {
	Get(ctx context.Context, name string) ([]byte, error)
	Set(ctx context.Context, name string, data []byte) error
	Delete(ctx context.Context, name string) error
}

Store provides simple secret storage operations

func NewCachedStore 

func NewCachedStore(underlying Store, ttl time.Duration) Store

NewCachedStore creates a new cached store wrapper

func NewStore 

func NewStore(ctx context.Context, opts StoreOptions) (Store, error)

NewStore creates a new secrets Store based on options. Creates cloud clients internally based on Provider. Loads encryption keys only for s3 provider.

type StoreOptions 

type StoreOptions struct {
	Provider       string
	Prefix         string
	CacheTTL       time.Duration
	EncryptionKeys []KeyConfig // Only used for object-storage provider
	GCPProject     string      // Required for gcp-secret-manager provider
	Storage        storage.Storage
}

StoreOptions contains configuration for creating a secrets Store

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.