Overview
Package secrets provides a per-workspace encrypted-at-rest secret vault for gemba-server. Secrets are AES-256-GCM-encrypted files under data/workspaces/<id>/secrets.enc, encrypted with a per-workspace key derived from a server-wide master key via HKDF-SHA256 with the workspace ID as info.
Secrets are injected into agent processes at dispatch time and are never written unencrypted to disk, never logged, and never returned from the API. The vault enforces this asymmetry by exposing Inject (returns a copy the caller must clear after use) rather than a Read that returns the raw value.
Master key: 32 random bytes (base64-encoded) supplied via the GEMBA_VAULT_KEY environment variable. A development-only generator is shipped as `secrets.GenerateMasterKey()` for tests.
Tracks gemba-remote bead gm-o9t8.3.3 (M3 — proprietary control plane).
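The derivation and sealing scheme described above, written out as an added stand-alone example (not code from the secrets package): it assumes HKDF with an empty salt and an on-disk layout of nonce || ciphertext || tag, neither of which the documentation specifies, and uses its own errTampered in place of the package's ErrTampered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var errTampered = errors.New("secrets: vault blob failed integrity check") // stands in for ErrTampered
// deriveWorkspaceKey is HKDF-SHA256 (RFC 5869): empty salt (assumed), workspace ID as info.
func deriveWorkspaceKey(master [32]byte, workspaceID string) [32]byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = one zero block
	extract.Write(master[:])
	expand := hmac.New(sha256.New, extract.Sum(nil)) // expand step is keyed with the PRK
	expand.Write(append([]byte(workspaceID), 0x01)) // T(1) = HMAC(PRK, info || 0x01); 32 bytes need only T(1)
	var key [32]byte
	copy(key[:], expand.Sum(nil))
	return key
}
// gcm builds AES-256-GCM; neither constructor can fail for a 32-byte AES key.
func gcm(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal returns nonce || ciphertext || tag, the blob layout this example assumes.
func seal(key [32]byte, plaintext []byte) ([]byte, error) {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong workspace key or any flipped bit surfaces as errTampered.
func open(key [32]byte, blob []byte) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errTampered // too short to hold even the nonce
	}
	if pt, err := aead.Open(nil, blob[:n], blob[n:], nil); err == nil {
		return pt, nil
	}
	return nil, errTampered
}
```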
Constants
const MasterKeyEnv = "GEMBA_VAULT_KEY"
MasterKeyEnv is the environment variable that holds the base64-encoded 32-byte server master key. Required for any Vault.Open call.
const MasterKeyLen = 32
MasterKeyLen is the required raw length of the server master key.
Variables
var ErrMasterKeyMalformed = errors.New("secrets: master key malformed (must be base64-encoded 32 bytes)")
ErrMasterKeyMalformed is returned when the master key is set but malformed.
var ErrMasterKeyMissing = errors.New("secrets: master key missing (set " + MasterKeyEnv + ")")
ErrMasterKeyMissing is returned when the master key cannot be resolved.
var ErrNotFound = errors.New("secrets: secret not found")
ErrNotFound is returned by Inject when the named secret does not exist.
var ErrTampered = errors.New("secrets: vault blob failed integrity check")
ErrTampered is returned when the on-disk blob fails AEAD verification.
Functions
func EncodeMasterKey
func EncodeMasterKey(k [MasterKeyLen]byte) string
EncodeMasterKey is the inverse of MasterKeyFromEnv's parsing step.
func GenerateMasterKey
func GenerateMasterKey() ([MasterKeyLen]byte, error)
GenerateMasterKey returns a freshly generated 32-byte master key. Intended for tests and the `gemba secrets gen-master-key` CLI helper.
func MasterKeyFromEnv
func MasterKeyFromEnv() ([MasterKeyLen]byte, error)
MasterKeyFromEnv parses the base64-encoded master key from $GEMBA_VAULT_KEY.
Types
type Vault
type Vault struct {
// contains filtered or unexported fields
}
Vault is a per-workspace secret store. All methods are safe for concurrent use. The zero value is unusable; obtain a Vault via Open.
func Open
func Open(dataDir, workspaceID string, masterKey [MasterKeyLen]byte) (*Vault, error)
Open returns the Vault for a workspace, creating an empty encrypted blob if one does not yet exist. The dataDir argument is the gemba server's workspace root (e.g. /var/lib/gemba/workspaces); workspaceID is the unique workspace identifier. masterKey is the 32-byte server master key — obtain it via MasterKeyFromEnv.
func (*Vault) Delete
Delete removes the named secret. Returns nil even if the name did not exist (idempotent).
func (*Vault) Inject
Inject returns a copy of the named secret. The caller MUST clear the returned slice (e.g. via Zero) after use. This is the only API that reveals secret material and exists to be called from the dispatch boundary, not from API handlers.