Documentation
Overview
Package crypto handles all cryptographic operations for AgentSecrets.
This mirrors the Python SecretsCLI's encryption.py but uses:
- AES-256-GCM instead of Fernet for symmetric encryption
- X25519 + NaCl SealedBox for asymmetric encryption (same as Python)
- Argon2id instead of PBKDF2-SHA256 for key derivation
Key hierarchy:
Password → (Argon2id) → Password-Derived Key → decrypts Private Key
Private Key → (NaCl SealedBox) → decrypts Workspace Key
Workspace Key → (AES-256-GCM) → encrypts/decrypts Secrets
Index
- Constants
- func DecryptFromUser(privateKey, publicKey, encrypted []byte) ([]byte, error)
- func DecryptPrivateKey(encryptedB64, password, saltHex string) ([]byte, error)
- func DecryptSecret(encryptedB64 string, workspaceKey []byte) (string, error)
- func DeriveKeyFromPassword(password, saltHex string) ([]byte, error)
- func EncryptForUser(recipientPublicKey, data []byte) ([]byte, error)
- func EncryptPrivateKey(privateKey []byte, password string) (ciphertextB64, saltHex string, err error)
- func EncryptSecret(plaintext string, workspaceKey []byte) (string, error)
- func GenerateKeypair() (privateKey, publicKey []byte, err error)
- func GenerateWorkspaceKey() ([]byte, error)
- type UserKeys
Constants
const KeySize = 32
const NonceSize = 12
const SaltSize = 32
Variables
This section is empty.
Functions
func DecryptFromUser
func DecryptFromUser(privateKey, publicKey, encrypted []byte) ([]byte, error)
DecryptFromUser decrypts data that was encrypted with our public key (NaCl SealedBox). Used for decrypting workspace keys received from team invites.
func DecryptPrivateKey
func DecryptPrivateKey(encryptedB64, password, saltHex string) ([]byte, error)
DecryptPrivateKey decrypts a private key using the user's password. This is called during login to recover the private key from the server's encrypted copy.
func DecryptSecret
func DecryptSecret(encryptedB64 string, workspaceKey []byte) (string, error)
DecryptSecret decrypts a base64-encoded ciphertext (with prepended nonce) using AES-256-GCM.
func DeriveKeyFromPassword
func DeriveKeyFromPassword(password, saltHex string) ([]byte, error)
DeriveKeyFromPassword derives a 32-byte encryption key from a password using Argon2id.
func EncryptForUser
func EncryptForUser(recipientPublicKey, data []byte) ([]byte, error)
EncryptForUser encrypts data using the recipient's X25519 public key (NaCl SealedBox). Used for encrypting workspace keys when inviting team members.
func EncryptPrivateKey
func EncryptPrivateKey(privateKey []byte, password string) (ciphertextB64, saltHex string, err error)
EncryptPrivateKey encrypts a private key with a password-derived key. Returns (base64 ciphertext, hex salt).
func EncryptSecret
func EncryptSecret(plaintext string, workspaceKey []byte) (string, error)
EncryptSecret encrypts a plaintext secret with a workspace key using AES-256-GCM. The nonce is prepended to the ciphertext and returned as a single base64-encoded string.
func GenerateKeypair
func GenerateKeypair() (privateKey, publicKey []byte, err error)
GenerateKeypair creates a new X25519 keypair for asymmetric encryption. Returns (privateKey, publicKey) — both are 32 bytes.
func GenerateWorkspaceKey
func GenerateWorkspaceKey() ([]byte, error)
GenerateWorkspaceKey creates a random 32-byte key for AES-256-GCM encryption.
Types
type UserKeys
type UserKeys struct {
PrivateKey []byte // Raw 32-byte private key (stored in keyring)
PublicKey []byte // Raw 32-byte public key
EncryptedPrivateKey string // Base64-encoded AES-256-GCM ciphertext of private key
Salt string // Hex-encoded Argon2id salt
}
UserKeys holds the output of SetupUser — everything needed to register a new account.
func SetupUser
SetupUser generates a new keypair and encrypts the private key with the user's password. This is called during account creation (init command).
Flow:
- Generate X25519 keypair
- Generate random salt
- Derive encryption key from password using Argon2id
- Encrypt private key with AES-256-GCM using derived key
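The nonce-prepended AES-256-GCM layout that EncryptSecret and DecryptSecret document (and that the last SetupUser step applies to the private key), as an added example written against the Go standard library; this is not the package's own code. The explicit 32-byte key check, the 16-byte tag constant used for the minimum-length check, and the sample secret are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// AES-256 key, standard GCM nonce, and GCM tag sizes; the first two match the package constants.
const KeySize, NonceSize, tagSize = 32, 12, 16

// newGCM enforces a 32-byte key: aes.NewCipher alone also accepts 16 or 24 bytes and would silently give AES-128/192.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("workspace key must be 32 bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail once the key length is validated
	return cipher.NewGCM(block)
}

// encryptSecret returns base64(nonce || ciphertext || tag), the documented EncryptSecret layout, with a fresh nonce per call.
func encryptSecret(plaintext string, workspaceKey []byte) (string, error) {
	gcm, err := newGCM(workspaceKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, NonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce slice, so one buffer holds nonce||ct.
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// decryptSecret reverses encryptSecret; input too short for a nonce and tag is rejected before slicing, and a wrong key or any altered byte fails GCM's tag check.
func decryptSecret(encryptedB64 string, workspaceKey []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encryptedB64)
	if err != nil || len(raw) < NonceSize+tagSize {
		return "", errors.New("malformed ciphertext: bad base64 or shorter than nonce+tag")
	}
	gcm, err := newGCM(workspaceKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, raw[:NonceSize], raw[NonceSize:], nil)
	return string(pt), err // err is "cipher: message authentication failed" on tampering or a wrong key
}
```

Because the nonce is random, two encryptions of the same secret under the same key yield different strings; only the authenticated contents are equal after decryption.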