posixage

package
v0.0.21
Published: Feb 27, 2026 License: Apache-2.0 Imports: 13 Imported by: 0

README

Store posixage

The posixage store is a POSIX-compliant encrypted file store. It uses age to encrypt and decrypt its files and supports password, SSH and age keys.

Quickstart

import (
	"context"
	"os"

	"github.com/docker/secrets-engine/store/posixage"
)

// masterKey stands in for the password your application obtains at runtime,
// for example from the environment. The variable name is a placeholder.
var masterKey = os.Getenv("SECRETS_PASSWORD")

func main() {
	root, err := os.OpenRoot("my/secrets/path")
	if err != nil {
		panic(err)
	}

	// mocks.MockCredential is the project's mock secret type; its import path
	// is not shown in this README.
	s, err := posixage.New(root,
		func() *mocks.MockCredential {
			return &mocks.MockCredential{}
		},
		posixage.WithEncryptionCallbackFunc[posixage.EncryptionPassword](func(_ context.Context) ([]byte, error) {
			return []byte(masterKey), nil
		}),
		posixage.WithDecryptionCallbackFunc[posixage.DecryptionPassword](func(_ context.Context) ([]byte, error) {
			return []byte(masterKey), nil
		}),
	)
	if err != nil {
		panic(err)
	}
	_ = s // s implements store.Store
}

The store allows you to register multiple encryption and decryption callback functions. Each callback gives your application control over how to retrieve the required data — for example, from environment variables, a configuration file, or via an interactive user prompt.

Features
  • Support for multiple encryption functions
  • Support for multiple decryption functions

Callbacks are invoked in the order they are registered. For decryption, the store tries each callback in sequence, and the first one that successfully provides a valid key will return the decrypted secret.

Here's an example of encrypting with multiple keys (two passwords and an age X25519 recipient) while registering a single password for decryption:

import (
	"context"
	"os"

	"filippo.io/age"
	"github.com/docker/secrets-engine/store/posixage"
)

// Placeholders for the two passwords; obtain them from your own secret source.
var (
	masterKey   = os.Getenv("SECRETS_PASSWORD")
	bobPassword = os.Getenv("BOB_PASSWORD")
)

func main() {
	root, err := os.OpenRoot("my/secrets/path")
	if err != nil {
		panic(err)
	}

	// A fresh age X25519 key pair; its public half (the recipient) is the third
	// encryption key. Persist identity.String() securely if you intend to decrypt
	// with it later, otherwise the age-encrypted copy is unrecoverable.
	identity, err := age.GenerateX25519Identity()
	if err != nil {
		panic(err)
	}

	// mocks.MockCredential is the project's mock secret type; its import path
	// is not shown in this README.
	s, err := posixage.New(root,
		func() *mocks.MockCredential {
			return &mocks.MockCredential{}
		},
		posixage.WithEncryptionCallbackFunc[posixage.EncryptionPassword](func(_ context.Context) ([]byte, error) {
			return []byte(masterKey), nil
		}),
		posixage.WithEncryptionCallbackFunc[posixage.EncryptionPassword](func(_ context.Context) ([]byte, error) {
			return []byte(bobPassword), nil
		}),
		posixage.WithEncryptionCallbackFunc[posixage.EncryptionAgeX25519](func(_ context.Context) ([]byte, error) {
			return []byte(identity.Recipient().String()), nil
		}),
		posixage.WithDecryptionCallbackFunc[posixage.DecryptionPassword](func(_ context.Context) ([]byte, error) {
			return []byte(masterKey), nil
		}),
	)
	if err != nil {
		panic(err)
	}
	_ = s // s implements store.Store
}
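
The decryption side of the rule stated above (callbacks tried in registration order, first valid key wins), as an added example that is not part of the posixage package: AES-256-GCM from the standard library stands in for age, and `KeyFunc`, `aead`, `seal` and `decryptInOrder` are this example's own names. Treating a callback that errors as "skip and try the next" is an assumption; the README does not say how the store handles callback failures.

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type KeyFunc func(ctx context.Context) ([]byte, error) // same shape as the store's callbacks

// aead builds AES-256-GCM from a 32-byte key; it stands in for age, which the real store uses.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptInOrder applies the README's rule: callbacks run in registration order and the first key
// that authenticates the blob wins (a wrong key fails GCM's tag check). Skipping callbacks that error is our assumption.
func decryptInOrder(ctx context.Context, blob []byte, callbacks []KeyFunc) ([]byte, error) {
	for _, cb := range callbacks {
		key, err := cb(ctx)
		if err != nil {
			continue // this source could not supply a key; try the next one
		}
		if g, err := aead(key); err == nil && len(blob) >= g.NonceSize() {
			if pt, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil); err == nil {
				return pt, nil
			}
		}
	}
	return nil, errors.New("no registered callback supplied a key that opens this secret")
}
```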

Secrets

Any secret format is supported as long as it conforms to the store.Secret interface.

Documentation

Overview

Package posixage provides a file-based secret store secured with age (https://github.com/FiloSottile/age) encryption.

Secrets are stored in directories named after a base64-encoded secret ID. Each secret can be encrypted with one or more encryption keys. When retrieving a secret, one or more corresponding decryption keys may be provided to unlock it.

This allows flexible key management, supporting scenarios such as multiple recipients, key rotation, or shared access.

Constants

This section is empty.

Variables

This section is empty.

Functions

func New

func New[T store.Secret](rootDir *os.Root, f store.Factory[T], opts ...Options) (store.Store, error)

New returns a store.Store that manages encrypted files on disk.

Each secret is stored in its own directory, named with a base64-encoded secret ID. The directory contains:

  • one encrypted secret file for each configured encryption key type
  • a metadata file, which is public and always formatted as valid JSON

Types

type DecryptionAgeX25519

type DecryptionAgeX25519 secretfile.PromptFunc

DecryptionAgeX25519 is the age private key.

type DecryptionPassword

type DecryptionPassword secretfile.PromptFunc

type DecryptionSSH

type DecryptionSSH secretfile.PromptFunc

DecryptionSSH is the ssh private key.

type EncryptionAgeX25519

type EncryptionAgeX25519 secretfile.PromptFunc

type EncryptionPassword

type EncryptionPassword secretfile.PromptFunc

type EncryptionSSH

type EncryptionSSH secretfile.PromptFunc

EncryptionSSH supports ssh-rsa and ssh-ed25519.

type Options

type Options func(c *config) error

func WithDecryptionCallbackFunc

func WithDecryptionCallbackFunc[K decryptionFuncs](callback K) Options

WithDecryptionCallbackFunc registers a callback used to prompt the user for input when decrypting credentials.

Multiple callbacks may be registered. They are invoked in the same order they were added.

func WithEncryptionCallbackFunc

func WithEncryptionCallbackFunc[K encryptionFuncs](callback K) Options

WithEncryptionCallbackFunc registers a callback used to prompt the user for input when encrypting credentials.

Multiple callbacks may be registered. They are invoked in the same order they were added.

func WithLogger

func WithLogger(l logging.Logger) Options

WithLogger adds a custom logger to the store. If no logger has been specified, a noop logger is used instead.

Directories

Path Synopsis
internal
