keyformat

Documentation

Overview

Package keyformat converts raw 32-byte derived keys into structured cryptographic key formats (age identities, OpenSSH ed25519 keys).

Functions that produce secret material return it as []byte so callers can zero the plaintext via crypto.WipeBytes once it's no longer needed. Go strings are immutable and cannot be wiped, so they are used here only for genuinely non-secret values (age recipients, ssh public-key lines).

Index

• func FormatAge(key []byte) (identity []byte, recipient string, err error)
• func FormatEd25519(key []byte, comment string) (privatePEM []byte, publicAuth string, err error)

Functions

func FormatAge

func FormatAge(key []byte) (identity []byte, recipient string, err error)

FormatAge converts a 32-byte key into an age X25519 identity.

identity is the secret key line (AGE-SECRET-KEY-1...) as a caller-owned []byte; the caller MUST wipe it via crypto.WipeBytes once it's no longer needed. recipient is the public key (age1...) and is safe as a string.

func FormatEd25519

func FormatEd25519(key []byte, comment string) (privatePEM []byte, publicAuth string, err error)

FormatEd25519 converts a 32-byte key into an OpenSSH ed25519 key pair.

privatePEM is the PEM-encoded private key as a caller-owned []byte; the caller MUST wipe it via crypto.WipeBytes once it's no longer needed. publicAuth is the authorized_keys-format public key line; the comment is embedded in both. The public key is safe as a string.