fieldcrypt

package
v0.3.3

Warning: this package is not in the latest version of its module.

Published: Feb 28, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Constants

const Prefix = "epf:"

Prefix is the marker for encrypted protected field values.

Variables

This section is empty.

Functions

func Decrypt

func Decrypt(ciphertext string, keyFn func(version int) ([]byte, error)) (string, error)

Decrypt decrypts an epf:-prefixed value and also accepts legacy "enc::"-prefixed values. keyFn is called with the key version parsed from the prefix and must return the key for that version. For legacy enc:: values, keyFn(0) is called to obtain the raw master key, which Decrypt then SHA256-hashes to match the original FieldEncryptor behavior; a keyFn backed by KeyRing.KeyByVersion therefore has to special-case version 0 for as long as legacy data is still stored.

func Encrypt

func Encrypt(plaintext string, key []byte, version int) (string, error)

Encrypt encrypts plaintext with AES-256-GCM under key and returns "epf:v{version}:{base64(nonce+ciphertext)}". The version records which key was used so that Decrypt can select it later; the nonce is stored alongside the ciphertext.
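To make the documented envelope concrete, the following is an added example, not fieldcrypt's own code: it implements the same "epf:v{version}:{base64(nonce+ciphertext)}" layout with the standard library's AES-256-GCM and decrypts it through a version-dispatching keyFn of the shape Decrypt takes. The helper names (newGCM, encryptField, decryptField, keyFnFor), the 32-byte key check and the sample keys are this example's own assumptions; the legacy enc:: path is not covered because the page does not describe its layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Prefix is the documented marker for encrypted values.
const Prefix = "epf:"

// newGCM builds AES-256-GCM; rejecting other sizes stops a mis-sized key from silently selecting AES-128/192.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField produces "epf:v{version}:{base64(nonce+ciphertext)}". The version
// travels in the clear so a reader can pick the key; the GCM tag Seal appends authenticates the rest.
func encryptField(plaintext string, key []byte, version int) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil) // nonce || ciphertext || tag
	return fmt.Sprintf("%sv%d:%s", Prefix, version, base64.StdEncoding.EncodeToString(sealed)), nil
}

// decryptField parses the envelope, asks keyFn for the key matching the embedded version and
// authenticates before decrypting: a wrong key or tampered blob yields an error, never garbage.
func decryptField(ciphertext string, keyFn func(version int) ([]byte, error)) (string, error) {
	rest, ok := strings.CutPrefix(ciphertext, Prefix)
	if !ok {
		return "", errors.New("value is not epf:-prefixed")
	}
	verStr, body, ok := strings.Cut(rest, ":")
	if !ok || !strings.HasPrefix(verStr, "v") {
		return "", errors.New("malformed epf envelope")
	}
	version, err := strconv.Atoi(verStr[1:])
	if err != nil || version < 1 {
		return "", errors.New("malformed key version")
	}
	key, err := keyFn(version)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("decrypt v%d: %w", version, err)
	}
	return string(plain), nil
}

// keyFnFor dispatches on version over a map of retained keys, a constructed
// stand-in for a KeyRing.KeyByVersion lookup already bound to one tenant.
func keyFnFor(keys map[int][]byte) func(int) ([]byte, error) {
	return func(version int) ([]byte, error) {
		if k, ok := keys[version]; ok {
			return k, nil
		}
		return nil, fmt.Errorf("no key retained for version %d", version)
	}
}

func main() {
	// Constructed keys; in practice they come from CurrentKey/KeyByVersion.
	keys := map[int][]byte{1: []byte("0123456789abcdef0123456789abcdef"), 2: []byte("fedcba9876543210fedcba9876543210")}
	old, _ := encryptField("4111 1111 1111 1111", keys[1], 1) // written before rotation to v2
	pt, err := decryptField(old, keyFnFor(keys))
	fmt.Printf("%.8s... -> %q err=%v\n", old, pt, err)
	// Dropping the v1 key strands v1 records: rotating without re-encrypting
	// still requires retaining every version that stored data references.
	_, err = decryptField(old, keyFnFor(map[int][]byte{2: keys[2]}))
	fmt.Println("after dropping v1:", err)
}
```

The last call in main is the point to notice: once the v1 key is no longer retained, v1 records fail closed instead of decrypting to garbage, so a key ring has to keep every version that stored data still references until those rows are re-encrypted under the current key.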

func HashValue

func HashValue(value string) string

HashValue returns the hex-encoded SHA-256 digest of value. The hash is unsalted: equal inputs hash to equal outputs, which lets log lines be correlated, but low-entropy values such as phone numbers can be recovered by brute force from the hash.

func IsEncrypted

func IsEncrypted(value string) bool

IsEncrypted checks if a value has the epf: prefix or legacy enc:: prefix.

func MaskEmail

func MaskEmail(email string) string

MaskEmail masks an email: "j***@e***.com".

func MaskPhone

func MaskPhone(phone string) string

MaskPhone masks all but last 4 digits: "***-***-1234".

func MaskValue

func MaskValue(value string, behavior LogBehavior, pattern string) string

MaskValue applies the given LogBehavior to value; pattern is the field's optional MaskPattern and is only relevant when the behavior is LogMask.

func RedactValue

func RedactValue() string

RedactValue returns "[REDACTED]".

func ScanAndDecrypt

func ScanAndDecrypt(data map[string]any, registry *Registry, keyFn func(version int) ([]byte, error), maxDepth int) error

ScanAndDecrypt recursively scans data in place, decrypting epf:-prefixed (and legacy enc::-prefixed) protected fields. keyFn behaves as for Decrypt; maxDepth limits recursion depth.

func ScanAndEncrypt

func ScanAndEncrypt(data map[string]any, registry *Registry, keyFn func() ([]byte, int, error), maxDepth int) error

ScanAndEncrypt recursively scans data in place, encrypting protected fields whose definition has Encryption=true. keyFn returns the key to encrypt with and its version number; it takes no tenant argument, so a multi-tenant caller binds the tenant itself, typically in a closure around KeyRing.CurrentKey. maxDepth limits recursion depth.

func ScanAndMask

func ScanAndMask(data map[string]any, registry *Registry, maxDepth int) map[string]any

ScanAndMask returns a deep copy of data with protected fields masked according to each field's LogBehavior, suitable for logging. It does NOT modify the original map; maxDepth limits recursion depth.

Types

type FieldClassification

type FieldClassification string

FieldClassification defines the sensitivity level.

const (
	ClassPII FieldClassification = "pii"
	ClassPHI FieldClassification = "phi"
)

type KeyRing

type KeyRing interface {
	CurrentKey(ctx context.Context, tenantID string) (key []byte, version int, err error)
	KeyByVersion(ctx context.Context, tenantID string, version int) ([]byte, error)
	Rotate(ctx context.Context, tenantID string) (key []byte, version int, err error)
}

KeyRing manages versioned, tenant-isolated encryption keys: CurrentKey returns the key to encrypt with, KeyByVersion retrieves an older key so existing ciphertext stays decryptable after a Rotate, and Rotate issues a new version for a tenant.

type LocalKeyRing

type LocalKeyRing struct {
	// contains filtered or unexported fields
}

LocalKeyRing stores keys in memory, keyed by tenant, deriving them from a master key with HKDF. Because nothing is persisted, per-tenant version counters do not survive a process restart.

func NewLocalKeyRing

func NewLocalKeyRing(masterKey []byte) *LocalKeyRing

NewLocalKeyRing creates a new LocalKeyRing from a master key.

func (*LocalKeyRing) CurrentKey

func (k *LocalKeyRing) CurrentKey(_ context.Context, tenantID string) ([]byte, int, error)

CurrentKey returns the current key and its version number for a tenant. If the tenant has no key yet, version 1 is generated.

func (*LocalKeyRing) KeyByVersion

func (k *LocalKeyRing) KeyByVersion(_ context.Context, tenantID string, version int) ([]byte, error)

KeyByVersion returns the key for a specific tenant+version.

func (*LocalKeyRing) Rotate

func (k *LocalKeyRing) Rotate(_ context.Context, tenantID string) ([]byte, int, error)

Rotate increments the version and derives a new key for the tenant.

type LogBehavior

type LogBehavior string

LogBehavior defines how a field appears in logs.

const (
	LogMask   LogBehavior = "mask"
	LogRedact LogBehavior = "redact"
	LogHash   LogBehavior = "hash"
	LogAllow  LogBehavior = "allow"
)

type ProtectedField

type ProtectedField struct {
	Name           string              `yaml:"name"`
	Classification FieldClassification `yaml:"classification"`
	Encryption     bool                `yaml:"encryption"`
	LogBehavior    LogBehavior         `yaml:"log_behavior"`
	MaskPattern    string              `yaml:"mask_pattern"`
}

ProtectedField defines a field that requires encryption and/or masking; the yaml tags allow the list of protected fields to be loaded from configuration.

type Registry

type Registry struct {
	// contains filtered or unexported fields
}

Registry holds the set of protected fields for lookup.

func NewRegistry

func NewRegistry(fields []ProtectedField) *Registry

NewRegistry creates a Registry from a slice of ProtectedField definitions.

func (*Registry) GetField

func (r *Registry) GetField(fieldName string) (*ProtectedField, bool)

GetField returns the ProtectedField definition for the given name.

func (*Registry) IsProtected

func (r *Registry) IsProtected(fieldName string) bool

IsProtected returns true if the given field name is in the registry.

func (*Registry) Len

func (r *Registry) Len() int

Len returns the number of registered protected fields.

func (*Registry) ProtectedFields

func (r *Registry) ProtectedFields() []ProtectedField

ProtectedFields returns all registered protected fields.
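As an added example covering MaskEmail, MaskPhone, HashValue, MaskValue, LogBehavior and ScanAndMask together (not the package's own implementation), the following reproduces the documented output shapes and the deep-copy, depth-limited scan. Assumptions of this example: MaskPattern values "email" and "phone" select the two masks, unknown behaviors and maps nested deeper than maxDepth are redacted rather than passed through, and a map keyed by field name stands in for Registry.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

type LogBehavior string

const LogMask, LogRedact, LogHash, LogAllow LogBehavior = "mask", "redact", "hash", "allow"

// ProtectedField keeps only what masking needs; the MaskPattern values
// "email" and "phone" are this example's convention, not the package's.
type ProtectedField struct {
	LogBehavior LogBehavior
	MaskPattern string
}

// first returns the first rune of s (rune-safe, unlike s[:1]); "" for empty s.
func first(s string) string {
	for _, r := range s {
		return string(r)
	}
	return ""
}

// maskEmail keeps the first character of the local part and of the domain plus
// the TLD: "jane@example.com" -> "j***@e***.com". Malformed input reveals nothing.
func maskEmail(email string) string {
	local, domain, ok := strings.Cut(email, "@")
	if !ok || local == "" || domain == "" {
		return "***"
	}
	masked := first(local) + "***@" + first(domain) + "***"
	if i := strings.LastIndex(domain, "."); i > 0 {
		masked += domain[i:]
	}
	return masked
}

// maskPhone keeps only the last four ASCII digits, whatever the formatting:
// "+1 (555) 010-1234" -> "***-***-1234".
func maskPhone(phone string) string {
	var digits []byte
	for _, c := range []byte(phone) {
		if c >= '0' && c <= '9' {
			digits = append(digits, c)
		}
	}
	if len(digits) < 4 {
		return "***-***-****"
	}
	return "***-***-" + string(digits[len(digits)-4:])
}

// hashValue: unsalted SHA-256 hex, stable for correlation but brute-forceable for low-entropy input.
func hashValue(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:])
}

// maskValue applies a LogBehavior; unknown behaviors fall through to redaction (fail closed).
func maskValue(value string, behavior LogBehavior, pattern string) string {
	switch {
	case behavior == LogAllow:
		return value
	case behavior == LogHash:
		return hashValue(value)
	case behavior == LogMask && pattern == "email":
		return maskEmail(value)
	case behavior == LogMask && pattern == "phone":
		return maskPhone(value)
	case behavior == LogMask:
		return first(value) + "***"
	}
	return "[REDACTED]"
}

// scanAndMask returns a masked deep copy and never mutates data. Maps nested deeper than
// maxDepth become a placeholder, not an unmasked copy (fail closed; the page leaves this unspecified).
func scanAndMask(data map[string]any, reg map[string]ProtectedField, maxDepth int) map[string]any {
	out := make(map[string]any, len(data))
	for k, v := range data {
		switch val := v.(type) {
		case string:
			if f, ok := reg[k]; ok {
				v = maskValue(val, f.LogBehavior, f.MaskPattern)
			}
		case map[string]any:
			v = "[REDACTED: depth limit]"
			if maxDepth > 0 {
				v = scanAndMask(val, reg, maxDepth-1)
			}
		}
		out[k] = v
	}
	return out
}
```

The two fail-closed choices (redact on an unrecognised LogBehavior, redact rather than copy a map beyond maxDepth) are this example's, but they are the ones to check for in any masking layer: a typo in a field's log_behavior or a deeper-than-expected payload should cost you a log line, not leak the value.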
