Package secret (v0.1.0)

Published: Apr 10, 2026 License: MIT Imports: 17 Imported by: 0

Documentation

Overview

Package secret provides encrypted secrets management for bc workspaces.

Index

Constants

const PassphraseEnvVar = "BC_SECRET_PASSPHRASE" //nolint:gosec // not a credential, env var name constant

PassphraseEnvVar is the environment variable for the master passphrase.

Variables

This section is empty.

Functions

func Decrypt

func Decrypt(key []byte, encoded string) ([]byte, error)

Decrypt decrypts base64-encoded ciphertext (with prepended nonce) using AES-256-GCM.

func DeriveKey

func DeriveKey(passphrase string, salt []byte) []byte

DeriveKey derives an AES-256 key from a passphrase and salt using PBKDF2-SHA256.
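The PBKDF2-SHA256 derivation that DeriveKey is documented to perform, written out as an added example (this is not the package's own code). The iteration count `assumedIterations` and the names `pbkdf2` and `deriveAES256Key` are my assumptions; the page does not state the package's iteration count.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"hash"
)

// pbkdf2 implements RFC 8018 PBKDF2 with an HMAC PRF. Each output block is
// T_i = U_1 xor U_2 xor ... xor U_c, where U_1 = PRF(P, S || INT(i)) and
// U_j = PRF(P, U_{j-1}); INT(i) is the big-endian 32-bit block index.
func pbkdf2(h func() hash.Hash, passphrase string, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(h, []byte(passphrase))
	hLen := prf.Size()
	out := make([]byte, 0, keyLen+hLen)
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)             // U_1
		t := append([]byte(nil), u...) // running xor accumulator T_i
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// assumedIterations is a placeholder work factor; the page does not give the real one.
const assumedIterations = 100_000

// deriveAES256Key mirrors the documented DeriveKey: PBKDF2-SHA256 to a 32-byte
// (AES-256) key. With dkLen equal to the SHA-256 output size only one block is computed,
// so the salt is what makes two users with the same passphrase get different keys.
func deriveAES256Key(passphrase string, salt []byte) []byte {
	return pbkdf2(sha256.New, passphrase, salt, assumedIterations, 32)
}
```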

func Encrypt

func Encrypt(key, plaintext []byte) (string, error)

Encrypt encrypts plaintext using AES-256-GCM with the given key. Returns base64-encoded ciphertext with the nonce prepended.

func GenerateSalt

func GenerateSalt() ([]byte, error)

GenerateSalt returns a cryptographically random salt.

func Passphrase

func Passphrase() (string, error)

Passphrase returns the passphrase for secret encryption. Priority: BC_SECRET_PASSPHRASE env var > auto-generated key file at ~/.bc/secret-key. The key file is created with 0600 permissions on first use.

Types

type PostgresStore

type PostgresStore struct {
	// contains filtered or unexported fields
}

PostgresStore provides Postgres-backed encrypted secrets storage.

func NewPostgresStore

func NewPostgresStore(db *sql.DB) *PostgresStore

NewPostgresStore creates a PostgresStore from an existing *sql.DB connection.

func (*PostgresStore) Close

func (p *PostgresStore) Close() error

Close is a no-op: the shared *sql.DB is owned by the caller and is not closed here.

func (*PostgresStore) Delete

func (p *PostgresStore) Delete(name string) error

Delete removes a secret.

func (*PostgresStore) GetMeta

func (p *PostgresStore) GetMeta(name string) (*SecretMeta, error)

GetMeta returns metadata for a secret (no value).

func (*PostgresStore) GetValue

func (p *PostgresStore) GetValue(name string) (string, error)

GetValue retrieves and decrypts a secret value.

func (*PostgresStore) InitKey

func (p *PostgresStore) InitKey(passphrase string) error

InitKey derives or loads the encryption key from the passphrase.

func (*PostgresStore) InitSchema

func (p *PostgresStore) InitSchema() error

InitSchema creates the secrets tables in Postgres if they don't exist.

func (*PostgresStore) List

func (p *PostgresStore) List() ([]*SecretMeta, error)

List returns metadata for all secrets (no values).

func (*PostgresStore) ResolveEnv

func (p *PostgresStore) ResolveEnv(env map[string]string) map[string]string

ResolveEnv resolves ${secret:NAME} references in env vars.

func (*PostgresStore) Set

func (p *PostgresStore) Set(name, value, description string) error

Set creates or updates a secret with an encrypted value.

type SecretMeta

type SecretMeta struct {
	CreatedAt   time.Time `json:"created_at"`
	UpdatedAt   time.Time `json:"updated_at"`
	Name        string    `json:"name"`
	Description string    `json:"description,omitempty"`
}

SecretMeta holds secret metadata (never includes the value).

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store provides encrypted secrets storage backed by SQLite or Postgres. Values are encrypted with AES-256-GCM; the encryption key is derived from a master passphrase via PBKDF2.

func NewStore

func NewStore(workspacePath, passphrase string) (*Store, error)

NewStore creates a new secrets store for the given workspace path. The passphrase is used to derive the encryption key via PBKDF2.

func OpenStore

func OpenStore(workspacePath, passphrase string) (*Store, error)

OpenStore opens the secrets store using the shared workspace database. It uses the shared driver type to select the backend (timescale or sqlite). The secret store keeps its encryption isolated, with its own salt and key derivation.

func (*Store) Close

func (s *Store) Close() error

Close closes the database connection.

func (*Store) Delete

func (s *Store) Delete(name string) error

Delete removes a secret.

func (*Store) GetMeta

func (s *Store) GetMeta(name string) (*SecretMeta, error)

GetMeta returns metadata for a secret (no value).

func (*Store) GetValue

func (s *Store) GetValue(name string) (string, error)

GetValue retrieves and decrypts a secret value.

func (*Store) List

func (s *Store) List() ([]*SecretMeta, error)

List returns metadata for all secrets (no values).

func (*Store) ResolveEnv

func (s *Store) ResolveEnv(env map[string]string) map[string]string

ResolveEnv resolves ${secret:NAME} references in env vars, returning a new map with secret values substituted. Unresolvable refs are left as-is.
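The substitution that ResolveEnv (on both Store and PostgresStore) is documented to perform, as an added example that is not the package's own code: a new map is returned, the input is untouched, and references the lookup cannot resolve stay as written. The name grammar in `secretRef` and the `lookup` callback (shaped like GetValue) are my assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// secretRef matches ${secret:NAME}. The allowed NAME characters are an assumption;
// the page does not define the name grammar.
var secretRef = regexp.MustCompile(`\$\{secret:([A-Za-z0-9_.-]+)\}`)

// resolveEnv replaces every ${secret:NAME} inside the values of env using lookup
// and returns a new map. The input map is never modified, and a reference whose
// lookup fails is left exactly as written (no empty string, no partial substitution).
func resolveEnv(env map[string]string, lookup func(name string) (string, error)) map[string]string {
	out := make(map[string]string, len(env))
	for k, v := range env {
		out[k] = secretRef.ReplaceAllStringFunc(v, func(ref string) string {
			name := secretRef.FindStringSubmatch(ref)[1]
			val, err := lookup(name)
			if err != nil {
				return ref // unresolvable: keep the literal reference
			}
			return val
		})
	}
	return out
}

func main() {
	// Constructed sample: an in-memory lookup standing in for the encrypted store.
	secrets := map[string]string{"DB_PASS": "example-only"}
	lookup := func(name string) (string, error) {
		if v, ok := secrets[name]; ok {
			return v, nil
		}
		return "", errors.New("secret not found")
	}
	env := map[string]string{
		"DSN":   "postgres://app:${secret:DB_PASS}@db:5432/app",
		"TOKEN": "${secret:API_TOKEN}", // not in the store: left as-is
		"PORT":  "8080",
	}
	// Resolved values are live secrets; keep them out of logs in real code.
	for k, v := range resolveEnv(env, lookup) {
		fmt.Printf("%s=%s\n", k, v)
	}
}
```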

func (*Store) Set

func (s *Store) Set(name, value, description string) error

Set creates or updates a secret with an encrypted value.
