seal

package
v0.2.22 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 24, 2026 License: MIT Imports: 6 Imported by: 1

Documentation

Overview

Package seal provides authenticated public-key encryption using NaCl box (Curve25519 + XSalsa20-Poly1305). It is format-agnostic: the plaintext is opaque bytes that can hold YAML secrets, a CA certificate, or any other sensitive data.

Sealed envelopes are serialised as YAML so they can be stored on disk, committed to git, or transferred over the wire.

Index

Constants

View Source 
const (
	// Version is the current sealed envelope format version.
	Version = "v1"

	// Algorithm is the encryption algorithm identifier.
	Algorithm = "nacl/box"
)

Variables

This section is empty.

Functions

func DeriveKeyID added in v0.2.22 

func DeriveKeyID(publicKey []byte) (string, error)

DeriveKeyID returns a short fingerprint (first 8 chars of the base64-encoded public key) suitable for identifying a keypair. The same key always produces the same ID.

func GenerateKeyPair 

func GenerateKeyPair() (publicKey, privateKey []byte, err error)

GenerateKeyPair generates a new Curve25519 keypair. Both keys are returned as base64-encoded bytes, matching the format expected by Seal and Unseal.

func KeyID 

func KeyID(envelope []byte) (string, error)

KeyID extracts the key_id from a YAML-encoded sealed envelope without decrypting it.

func Seal 

func Seal(publicKey []byte, values map[string][]byte) ([]byte, error)

Seal encrypts each value independently using a shared keypair. Each sealed value is base64(24-byte nonce || ciphertext). Key names are stored in cleartext for auditability and git diffs. The key_id is derived automatically from the recipient's public key.

func Unseal 

func Unseal(privateKey []byte, envelope []byte) (map[string][]byte, error)

Unseal decrypts a YAML-encoded Envelope, returning all values.

func UnsealKey 

func UnsealKey(privateKey []byte, envelope []byte, key string) ([]byte, error)

UnsealKey decrypts a single key from a YAML-encoded Envelope.

Types

type Envelope 

type Envelope struct {
	Version   string            `yaml:"version"`
	Algorithm string            `yaml:"algorithm"`
	KeyID     string            `yaml:"key_id,omitempty"`
	PublicKey string            `yaml:"public_key"`
	Secrets   map[string]string `yaml:"secrets"`
}

Envelope is the per-value sealed format. Key names are visible, values are each independently encrypted as base64(nonce || ciphertext).

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.