securebytes

package
v0.85.0-pre.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 15, 2026 License: BSD-3-Clause Imports: 4 Imported by: 0

README

kit/securebytes

github.com/vormadev/vorma/kit/securebytes

Encrypt/decrypt arbitrary gob-serializable values using keysets.

Use this package when you need encrypted binary payloads with key-rotation-compatible reads.

Import

import "github.com/vormadev/vorma/kit/securebytes"

Quick Start

keys := getKeyset() // *keyset.Keyset

sealed, err := securebytes.Serialize(keys, map[string]string{"uid": "u-1"})
if err != nil {
	return err
}

payload, err := securebytes.Parse[map[string]string](keys, sealed)
if err != nil {
	return err
}
_ = payload

Key Rotation Behavior

  • Serialize encrypts with the first key in the keyset.
  • Parse tries keys until one decrypts successfully.

Rotation rollout pattern:

  1. prepend new key (new first key)
  2. keep old keys in keyset during transition
  3. remove old keys after legacy ciphertext is no longer needed

Size and Format

  • MaxSize is the hard ciphertext limit (1 MiB).
  • plaintext format is: [version-byte][gob-payload].
  • Parse rejects empty/oversized values and unsupported version bytes.

Gob Constraints

  • Values must be gob-encodable.
  • Unsupported kinds (for example funcs/channels) fail serialization.
  • For interface payloads, register concrete types as required by encoding/gob.

Security Notes

  • Encryption uses XChaCha20-Poly1305.
  • Package design assumes key-index timing disclosure is acceptable for the use case (as documented in source comments).

API Reference

  • const MaxSize
  • type SecureBytes []byte
  • type RawValue any
  • func Serialize(ks *keyset.Keyset, rv RawValue) (SecureBytes, error)
  • func Parse[T any](ks *keyset.Keyset, sb SecureBytes) (T, error)

Documentation

Overview

This package assumes that the caller's use case is not sensitive to timing attacks. In other words, it assumes that, even if an attacker can figure out the current index of the secret key originally used to encrypt the data, that information would not be materially useful to them. This is a reasonable assumption for most use cases.

Index

Constants

View Source 
const MaxSize = 1 << 20 // 1MB in bytes

Variables

This section is empty.

Functions

func Parse 

func Parse[T any](ks *keyset.Keyset, sb SecureBytes) (T, error)

Types

type RawValue 

type RawValue any // Any pre-serialization value

type SecureBytes 

type SecureBytes []byte // Encrypted value

func Serialize 

func Serialize(ks *keyset.Keyset, rv RawValue) (SecureBytes, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.