secure

package
Published: Sep 12, 2025 License: Apache-2.0 Imports: 14 Imported by: 11

Constants

const (
	// ErrInvalidKeyLength is returned when a key is not the 32 bytes AES-256 requires.
	ErrInvalidKeyLength     = utils.Error("key length must be 32 bytes")
	// ErrDataTooShort is returned when input is shorter than the minimum framing this
	// package expects (presumably nonce plus GCM tag; the exact minimum is not shown
	// on this page).
	ErrDataTooShort         = utils.Error("data too short")
	// ErrNonceExhausted is returned once the per-key nonce counter has reached its
	// limit. Rotate to a fresh key; never reset the counter under the same key, since
	// a repeated (key, nonce) pair breaks AES-GCM confidentiality and authenticity.
	ErrNonceExhausted       = utils.Error("nonce counter exhausted, key rotation required")
	// ErrAuthenticationFailed is returned when the GCM tag does not verify: the data
	// was modified, truncated, or encrypted under a different key. Do not try to
	// distinguish these cases for an untrusted caller.
	ErrAuthenticationFailed = utils.Error("authentication failed")
)

Variables

var (
	// ErrEncryption is the sentinel for a failure while encrypting. Whether it is
	// returned bare or wrapped is not shown here; match it with errors.Is.
	ErrEncryption          = errors.New("encryption error")
	// ErrDecryption is the sentinel for a failure while decrypting; match with errors.Is.
	ErrDecryption          = errors.New("decryption error")
	// ErrInvalidKey is returned for an unusable encryption key. ErrInvalidKeyLength
	// is the more specific 32-byte check.
	ErrInvalidKey          = errors.New("invalid encryption key")
	// ErrEmptyCredential is returned when a credential source yields nothing and the
	// caller did not opt in with allowEmpty (presumably; the page does not spell it out).
	ErrEmptyCredential     = errors.New("empty credential")
	// ErrSecretsFileNotFound is returned when the configured secrets file does not exist.
	ErrSecretsFileNotFound = errors.New("secrets file not found")
)

Functions

func DecodeKey

func DecodeKey(encodedKey string) ([]byte, error)

DecodeKey decodes a base64-encoded key back into raw bytes, returning an error if the input is not valid base64. The alphabet (standard vs. URL-safe, padded or not) is not stated on this page and must match what EncodeKey produces. A successful decode does not mean the result is a usable key: check that it is 32 bytes (see ErrInvalidKeyLength) before handing it to NewAES256GCM or NewCredential, unless those constructors are confirmed to perform that check themselves.

func EncodeKey

func EncodeKey(key []byte) string

EncodeKey encodes a key as a base64 string so it can be stored or transported as text. Base64 is an encoding, not encryption: the encoded string is the key itself and must be protected (file permissions, secret store, never logged) exactly as the raw bytes would be.

func GenerateKey

func GenerateKey() ([]byte, error)

GenerateKey generates a random 32-byte key suitable for AES-256, returning an error if the random source fails. The randomness source is not documented on this page; it must be a cryptographically secure generator (crypto/rand) — verify in the implementation before relying on it for key material.

func RandomKey32 added in v0.5.0

func RandomKey32() []byte

RandomKey32 generates a random 32-byte key. Unlike GenerateKey it returns no error, so a failure of the underlying random source cannot be reported to the caller; how such a failure is handled (panic, or silently returning a weak key) is not documented here and should be confirmed before preferring this over GenerateKey.

Types

type AES256GCM added in v0.6.0

// AES256GCM is an authenticated-encryption handle bound to a single 32-byte key.
type AES256GCM interface {
	// Encrypt seals data and returns the ciphertext. The nonce/tag framing of the
	// output is implementation-defined and not shown here. The ErrNonceExhausted
	// constant indicates Encrypt can fail once the per-key nonce counter is used up,
	// after which the key must be rotated.
	Encrypt(data []byte) ([]byte, error)
	// Decrypt opens ciphertext produced by Encrypt and returns the plaintext, or an
	// error (presumably ErrDataTooShort or ErrAuthenticationFailed) when it cannot
	// be verified.
	Decrypt(data []byte) ([]byte, error)
	// Clear disposes of the key material; presumably it zeroes the key in memory, as
	// Credential.Clear is documented to do. The handle must not be used afterwards.
	Clear()
}

func NewAES256GCM added in v0.6.0

func NewAES256GCM(key []byte) (AES256GCM, error)

NewAES256GCM creates an AES256GCM bound to the given key; the key must be 32 bytes (ErrInvalidKeyLength). The ErrNonceExhausted constant indicates that nonces are derived from a per-key counter with a hard limit. When Encrypt returns that error the key must be replaced, never reused with a reset counter: a repeated (key, nonce) pair under AES-GCM leaks plaintext XORs and enables forgeries.

type Credential

// Credential holds a secret in encrypted form in memory; see NewCredential and the
// CredentialFrom* constructors. Its fields are unexported, so it can only be built
// through those constructors and read through Get, GetBytes and IsEmpty.
type Credential struct {
	// contains filtered or unexported fields
}

Credential stores sensitive information (such as passwords) in encrypted form in memory so the plaintext is not resident between uses. This is in-process hygiene, not a security boundary: the plaintext exists whenever Get or GetBytes is called, and the encryption key lives in the same address space, so anything that can read process memory can recover both.

func CredentialFromConfig

func CredentialFromConfig(cfg CredentialConfig, encryptionKey []byte, allowEmpty bool) (*Credential, error)

CredentialFromConfig attempts to build a Credential from a CredentialConfig. If no valid credential is found it returns an error; allowEmpty presumably permits an empty value instead (its exact semantics are not documented here). When the environment-variable source is used, the variable is read once and then overwritten with an empty value in this process's environment, so later os.Environ calls or child processes do not see it. That overwrite does not reach copies held by the parent process or a process manager, and on Linux /proc/<pid>/environ still reflects the initial environment block, so treat the variable as exposed until the process that set it is gone.

func CredentialFromEnv

func CredentialFromEnv(envName string, encryptionKey []byte, allowEmpty bool) (*Credential, error)

CredentialFromEnv creates a Credential from the environment variable named envName, encrypting it with encryptionKey. Whether the variable is cleared after being read, as CredentialFromConfig documents for its environment source, is not stated here — verify before assuming the secret is scrubbed from the environment.

func CredentialFromFile

func CredentialFromFile(filename string, encryptionKey []byte, allowEmpty bool) (*Credential, error)

CredentialFromFile creates a Credential from the contents of a secrets file. The ErrSecretsFileNotFound variable suggests a missing file is reported with that error. Whether a trailing newline is trimmed and whether the file's permissions are checked is not documented here; restrict the file to the service user and confirm the trimming behaviour against the implementation.

func NewCredential

func NewCredential(data []byte, encryptionKey []byte, allowEmpty bool) (*Credential, error)

NewCredential creates a new secure credential container holding data, encrypted with encryptionKey (32 bytes; see ErrInvalidKeyLength). allowEmpty presumably controls whether empty data is accepted rather than rejected with ErrEmptyCredential — the page does not spell this out. The encryption key should be unique per application instance and sourced from outside the binary (an environment variable, a hardware token, a secret store), never a compile-time constant: the credential is only as protected as the key that encrypts it.

func RandomCredential added in v0.5.0

func RandomCredential(l int) (*Credential, error)

RandomCredential creates a Credential whose plaintext is l random bytes. The encryption key it uses is not documented on this page — presumably generated internally (compare RandomKey32) — so this constructor suits per-process secrets that never need to be decrypted by another instance.

func (*Credential) Clear

func (sc *Credential) Clear()

Clear zeroes out all sensitive data held by the Credential. Zeroing covers only buffers this package owns: a string previously returned by Get is immutable and cannot be scrubbed, and a slice returned by GetBytes is the caller's responsibility. Whether the Credential is usable after Clear is not stated; treat it as dead.

func (*Credential) Get

func (sc *Credential) Get() (string, error)

Get decrypts and returns the plaintext credential as a string. Go strings are immutable, so the returned value cannot be zeroed and remains in memory until garbage collected; prefer GetBytes when the caller can wipe the buffer after use.

func (*Credential) GetBytes added in v0.5.0

func (sc *Credential) GetBytes() ([]byte, error)

GetBytes decrypts and returns the raw credential bytes. Call it only when the value is actually needed, to minimize the time the plaintext is resident in memory, and zero the returned slice as soon as it is done with. Whether the slice is a fresh copy or aliases internal storage is not documented here; assume a caller-owned copy, but verify before zeroing it in place.

func (*Credential) IsEmpty

func (sc *Credential) IsEmpty() bool

IsEmpty returns true if the credential is empty.

func (*Credential) Update

func (sc *Credential) Update(plaintext string) error

Update replaces the stored credential with a new plaintext value, re-encrypting it. Whether the previous encrypted value is zeroed before being dropped is not stated here, and the plaintext string argument itself cannot be zeroed by the caller; prefer UpdateBytes when the source is a buffer you can wipe.

func (*Credential) UpdateBytes added in v0.5.0

func (sc *Credential) UpdateBytes(data []byte) error

UpdateBytes replaces the stored credential with data, re-encrypting it. Whether data is copied or retained by the Credential is not documented here; confirm against the implementation that the slice is copied before zeroing the caller's copy after the call.

type CredentialConfig

// CredentialConfig is the source abstraction consumed by CredentialFromConfig;
// DefaultCredentialConfig is the stock implementation.
type CredentialConfig interface {
	// Fetch returns the credential plaintext from the configured source, or an
	// error. The plaintext crosses this boundary as an immutable string, which
	// cannot be zeroed afterwards.
	Fetch() (string, error)
	// IsEmpty reports whether no credential source is configured.
	IsEmpty() bool
}

type DefaultCredentialConfig

type DefaultCredentialConfig struct {
	Password       string `json:"password"`       // Password is a plaintext password; if set it takes precedence over the other fields. Avoid in checked-in config: the secret sits in the clear in the file, its backups and any dump of the config.
	PasswordEnvVar string `json:"passwordEnvVar"` // PasswordEnvVar names an environment variable holding the secret; used when Password is unset.
	PasswordFile   string `json:"passwordFile"`   // PasswordFile names a secrets file to read; used only if neither of the above is set.
}

DefaultCredentialConfig holds the common options for locating a credential; if different field names are required, implement the CredentialConfig interface instead. Prefer PasswordEnvVar or PasswordFile over Password: a plaintext Password in a config file is stored in the clear and tends to end up in version control, backups and logs.

func (DefaultCredentialConfig) Fetch added in v0.5.0

func (c DefaultCredentialConfig) Fetch() (string, error)

Fetch retrieves the contents of the credential from the first configured source, in the precedence given on the struct fields: Password, then PasswordEnvVar, then PasswordFile.

func (DefaultCredentialConfig) IsEmpty added in v0.5.0

func (c DefaultCredentialConfig) IsEmpty() bool

IsEmpty returns true if credential source is empty

type EncryptionProvider added in v0.8.0

// EncryptionProvider is the minimal seal/open contract. AES256GCM satisfies it
// (it additionally has Clear); accepting this interface lets callers swap in
// another implementation.
type EncryptionProvider interface {
	// Encrypt seals data and returns the ciphertext, or an error.
	Encrypt(data []byte) ([]byte, error)
	// Decrypt opens data produced by Encrypt and returns the plaintext, or an error.
	Decrypt(data []byte) ([]byte, error)
}

type KeyConfig added in v0.5.0

// KeyConfig locates the encryption key from one of three sources. Fetch returns
// the key as a string; presumably it is base64 as produced by EncodeKey, so decode
// it with DecodeKey and check for 32 bytes before use.
type KeyConfig struct {
	// Key is the key material inline in the config. Least preferred: the key then
	// lives in the clear wherever the config file is stored or copied.
	Key       string `json:"key"`
	// KeyEnvVar names an environment variable holding the key.
	KeyEnvVar string `json:"keyEnvVar"`
	// KeyFile names a file whose contents are the key.
	KeyFile   string `json:"keyFile"`
}

func (KeyConfig) Fetch added in v0.5.0

func (c KeyConfig) Fetch() (string, error)

Fetch retrieves the contents of the encryption key from the configured source. The field comments do not state the precedence among Key, KeyEnvVar and KeyFile; presumably it mirrors DefaultCredentialConfig (inline value, then environment variable, then file) — verify against the implementation.

func (KeyConfig) IsEmpty added in v0.5.0

func (c KeyConfig) IsEmpty() bool

IsEmpty returns true if credential source is empty

type Secret added in v0.5.0

// Secret is the read-only contract satisfied by *Credential via GetBytes. Accept it
// where a consumer only needs to read a secret and should not be handed Update or
// Clear.
type Secret interface {
	// GetBytes returns the decrypted secret; the caller should zero the slice when done.
	GetBytes() ([]byte, error)
}
