crypt

package

v0.19.0 Latest Latest Go to latest Published: Jun 4, 2026 License: MIT Imports: 9 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/devituz/lagodev

Links

Open Source Insights

Documentation ¶

Overview ¶

Package crypt provides symmetric encryption and HMAC signing helpers modelled on Laravel's Crypt facade.

Two primitives are offered:

Encrypt / Decrypt — authenticated AES-256-GCM encryption. The ciphertext is base64-encoded and includes a random nonce, so the same plaintext under the same key produces different output every time.
Sign / Verify — keyed HMAC-SHA256 of arbitrary bytes (use when you only need integrity/authenticity, not confidentiality).

Keys must be exactly 32 bytes. Generate one with `lago key:generate` or by reading 32 random bytes and base64-encoding them.

Index ¶

Constants
Variables
func DecodeKey(s string) ([]byte, error)
func Decrypt(key []byte, encoded string) ([]byte, error)
func DecryptString(key []byte, encoded string) (string, error)
func Encrypt(key, plaintext []byte) (string, error)
func EncryptString(key []byte, s string) (string, error)
func GenerateKey() ([]byte, error)
func GenerateKeyString() (string, error)
func Sign(key, data []byte) string
func Verify(key, data []byte, signature string) error

Constants ¶

View Source

const KeySize = 32

KeySize is the required length of an encryption key (AES-256).

Variables ¶

View Source

var ErrCiphertextMalformed = errors.New("crypt: ciphertext malformed")

ErrCiphertextMalformed indicates the input could not be decoded or is shorter than the GCM nonce.

View Source

var ErrInvalidKey = errors.New("crypt: key must be 32 bytes")

ErrInvalidKey is returned when the key length is not KeySize.

View Source

var ErrSignatureMismatch = errors.New("crypt: signature mismatch")

ErrSignatureMismatch is returned by Verify when the signature does not match.

Functions ¶

func DecodeKey ¶

func DecodeKey(s string) ([]byte, error)

DecodeKey accepts either raw 32 bytes (as a string) or the "base64:..." form written by GenerateKeyString. Empty / wrong-size keys return ErrInvalidKey.

func Decrypt ¶

func Decrypt(key []byte, encoded string) ([]byte, error)

Decrypt reverses Encrypt. It verifies the GCM tag and returns the original plaintext. Any tampering causes ErrCiphertextMalformed.

func DecryptString ¶

func DecryptString(key []byte, encoded string) (string, error)

DecryptString is a convenience that returns the plaintext as string.

func Encrypt ¶

func Encrypt(key, plaintext []byte) (string, error)

Encrypt seals plaintext with AES-256-GCM and returns a base64 string of (nonce || ciphertext || tag). Each call uses a fresh random nonce, so the same plaintext+key yields different output every time.

func EncryptString ¶

func EncryptString(key []byte, s string) (string, error)

EncryptString is a convenience for string plaintext.

func GenerateKey ¶

func GenerateKey() ([]byte, error)

GenerateKey returns 32 random bytes suitable for use as an encryption key. Persist the output (e.g. base64-encoded) in APP_KEY.

func GenerateKeyString ¶

func GenerateKeyString() (string, error)

GenerateKeyString returns a base64 (std encoding) string of 32 random bytes — the format the `lago key:generate` command writes to .env.

func Sign ¶

func Sign(key, data []byte) string

Sign computes HMAC-SHA256 of data with the given key and returns the lowercase hex signature. Useful for stateless tokens like password-reset links or signed URLs.

func Verify ¶

func Verify(key, data []byte, signature string) error

Verify checks signature against the HMAC of data using key. Comparison is constant-time.

Types ¶

This section is empty.

Source Files ¶

View all Source files

crypt.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL