Documentation
Index
- Constants
- func BackfillUserKeys(ctx context.Context, db BackfillDB, masterRecipient *age.X25519Recipient) (int, error)
- func Decrypt(masterIdentity *age.X25519Identity, encryptedPrivateKey string, ...) (string, error)
- func Encrypt(publicKeyStr string, plaintext string) (string, error)
- func GenerateUserKeys(masterRecipient *age.X25519Recipient) (string, string, error)
- func ParseMasterIdentity(identityStr string) (*age.X25519Identity, *age.X25519Recipient, error)
- func ValidateName(name string) error
- type BackfillDB
- type DB
- type EntryMeta
- type Service
- func (s *Service) Delete(ctx context.Context, userID int64, name string) error
- func (s *Service) List(ctx context.Context, userID int64) ([]EntryMeta, error)
- func (s *Service) LoadEnv(ctx context.Context, userID int64) (map[string]string, error)
- func (s *Service) MasterRecipient() *age.X25519Recipient
- func (s *Service) Set(ctx context.Context, userID int64, name string, plaintext string) error
Constants
const AnnaTokenName = "ANNA_TOKEN"
AnnaTokenName is the per-user service token exposed to sandbox sessions.
Variables
This section is empty.
Functions
func BackfillUserKeys
func BackfillUserKeys(ctx context.Context, db BackfillDB, masterRecipient *age.X25519Recipient) (int, error)
BackfillUserKeys generates age keypairs for any users that don't have them yet. Called at startup when ANNA_VAULT_KEY is configured. Returns the number of users updated.
func Decrypt
func Decrypt(masterIdentity *age.X25519Identity, encryptedPrivateKey string, ciphertext string) (string, error)
Decrypt decrypts ciphertext that was encrypted with a user's public key. It first decrypts the user's private key using the master identity, then uses that private key to decrypt the ciphertext.
- masterIdentity: the server's master age identity
- encryptedPrivateKey: the user's age private key, encrypted to the master recipient
- ciphertext: the age-encrypted secret value
func Encrypt
func Encrypt(publicKeyStr string, plaintext string) (string, error)
Encrypt encrypts plaintext using the given public key string. Returns armored ciphertext.
func GenerateUserKeys
func GenerateUserKeys(masterRecipient *age.X25519Recipient) (string, string, error)
GenerateUserKeys creates a new X25519 keypair for a user. The private key is encrypted with masterRecipient before it is returned. Returns (publicKeyString, encryptedPrivateKey, error):
- publicKeyString is the age public key string (age1...).
- encryptedPrivateKey is the armored age-encrypted private key.
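The key hierarchy that GenerateUserKeys and Decrypt describe, as an added example that is not the vault package's own code: it uses Go's standard-library crypto/ecdh (X25519) with AES-256-GCM as a stand-in for the age X25519 recipient format, so it reproduces the wrap-to-master and two-step unwrap but not age's armored wire format. The names SealTo, OpenWith and aeadFor and the blob layout are this example's own, and it assumes Go 1.24 or later.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil { return nil, err }
	key := sha256.Sum256(append(shared, ephPub...)) // bind the AES-256-GCM key to the ephemeral public key
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail here
	return cipher.NewGCM(block)
}
// SealTo plays the role of Encrypt: only the recipient's public key is needed. Layout (this example's own): ephPub(32) || nonce(12) || GCM ciphertext+tag.
func SealTo(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	aead, err := aeadFor(eph, recipient, eph.PublicKey().Bytes())
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail on Go 1.24+ (assumed here)
	return aead.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, nil), nil
}
// OpenWith reverses SealTo; a wrong identity or a tampered blob fails the GCM tag check.
func OpenWith(identity *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 44 { return nil, errors.New("vault: blob too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil { return nil, err }
	aead, err := aeadFor(identity, ephPub, blob[:32])
	if err != nil { return nil, err }
	return aead.Open(nil, blob[32:44], blob[44:], nil)
}
// GenerateUserKeys mirrors the page's contract: the user's private key is returned only wrapped to master.
func GenerateUserKeys(master *ecdh.PublicKey) (*ecdh.PublicKey, []byte, error) {
	user, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	wrapped, err := SealTo(master, user.Bytes())
	return user.PublicKey(), wrapped, err
}
// Decrypt mirrors the page's two-step path: unwrap the user key with the master identity, then open the secret.
func Decrypt(master *ecdh.PrivateKey, wrappedPriv, ciphertext []byte) ([]byte, error) {
	privBytes, err := OpenWith(master, wrappedPriv)
	if err != nil { return nil, err }
	user, err := ecdh.X25519().NewPrivateKey(privBytes)
	if err != nil { return nil, err }
	return OpenWith(user, ciphertext)
}
```

The property the server relies on is visible in the failure paths: a different master identity cannot unwrap the stored user key, and any modification of a blob is rejected by the authentication tag rather than yielding garbage plaintext.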
func ParseMasterIdentity
func ParseMasterIdentity(identityStr string) (*age.X25519Identity, *age.X25519Recipient, error)
ParseMasterIdentity parses an age identity string (e.g. "AGE-SECRET-KEY-1...") and returns both the identity (for decryption) and its recipient (for encryption).
func ValidateName
func ValidateName(name string) error
ValidateName checks that a vault entry name is a valid env var name and is not reserved.
Types
type BackfillDB
type BackfillDB interface {
	ListAuthUsers(ctx context.Context) ([]sqlc.AuthUser, error)
	UpdateUserAgeKeys(ctx context.Context, arg sqlc.UpdateUserAgeKeysParams) error
}
BackfillDB is the minimal database interface required by BackfillUserKeys.
type DB
type DB interface {
	GetAuthUser(ctx context.Context, id int64) (sqlc.AuthUser, error)
	ListVaultEntriesByUser(ctx context.Context, userID int64) ([]sqlc.VaultEntry, error)
	UpsertVaultEntry(ctx context.Context, arg sqlc.UpsertVaultEntryParams) error
	DeleteVaultEntry(ctx context.Context, arg sqlc.DeleteVaultEntryParams) error
}
DB is the minimal database interface the vault Service requires.
type Service
type Service struct {
	// contains filtered or unexported fields
}
Service provides vault operations: storing, retrieving, and decrypting per-user secrets using age encryption.
func NewService
NewService creates a vault Service. masterIdentityStr is the raw age secret key string (typically from the ANNA_VAULT_KEY environment variable).
func (*Service) List
List returns metadata for all vault entries owned by userID. Ciphertext is never included in the result.
func (*Service) LoadEnv
LoadEnv decrypts all vault entries for userID and returns them as a name→plaintext map. Intended for injecting secrets into sandbox environments.
func (*Service) MasterRecipient
func (s *Service) MasterRecipient() *age.X25519Recipient
MasterRecipient returns the master public key recipient. It is used when generating new user key pairs.