secrets

package
v0.1.1 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 11, 2026 License: MIT Imports: 8 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AESVault

type AESVault struct {
	// contains filtered or unexported fields
}

AESVault encrypts secrets with AES-256-GCM before persisting.

func NewAESVault

func NewAESVault(s SecretStore, cfg VaultConfig) (*AESVault, error)

NewAESVault creates a vault with AES-256-GCM encryption.

func (*AESVault) Delete

func (v *AESVault) Delete(ctx context.Context, key string) error

func (*AESVault) List

func (v *AESVault) List(ctx context.Context) ([]string, error)

func (*AESVault) Resolve

func (v *AESVault) Resolve(ctx context.Context, key string) ([]byte, error)

func (*AESVault) Store

func (v *AESVault) Store(ctx context.Context, key string, value []byte) error

type SecretStore

type SecretStore interface {
	StoreSecret(ctx context.Context, key string, value []byte) error
	GetSecret(ctx context.Context, key string) ([]byte, error)
	DeleteSecret(ctx context.Context, key string) error
	ListSecrets(ctx context.Context) ([]string, error)
}

SecretStore is the minimal persistence interface needed by the vault. Satisfied by store.Store.

type Vault

type Vault interface {
	Resolve(ctx context.Context, key string) ([]byte, error)
	Store(ctx context.Context, key string, value []byte) error
	Delete(ctx context.Context, key string) error
	List(ctx context.Context) ([]string, error)
}

Vault resolves secret references (${{secrets.KEY}}) at runtime. Secrets are encrypted at rest (AES-256-GCM) and resolved in-memory only.

type VaultConfig

type VaultConfig struct {
	MasterKey  []byte // raw 32-byte key (takes priority)
	Passphrase string // derive key via PBKDF2
	Salt       []byte // salt for PBKDF2 (required with Passphrase)
	Iterations int    // PBKDF2 iterations (default 100_000)
}

VaultConfig configures the AES vault key derivation. Provide either MasterKey (raw 32 bytes) or Passphrase + Salt.
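The following is an added sketch, not this package's code, of the encrypt-before-persist pattern described for AESVault: the backend only ever receives a nonce-prefixed AES-256-GCM blob, and tampering or relocating a blob makes resolution fail. The `memStore` type, the `newGCM`, `seal` and `open` helpers, the blob layout and the use of the secret name as associated data are assumptions; the page does not show the package's internals.

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)
type memStore map[string][]byte // hypothetical in-memory backend (two of SecretStore's methods)
func (m memStore) StoreSecret(_ context.Context, k string, v []byte) error { m[k] = v; return nil }
func (m memStore) GetSecret(_ context.Context, k string) ([]byte, error)   { return m[k], nil }

func newGCM(mk []byte) (cipher.AEAD, error) {
	if len(mk) != 32 { // enforce AES-256; aes.NewCipher alone also accepts 16 and 24 bytes
		return nil, errors.New("master key must be 32 bytes")
	}
	block, err := aes.NewCipher(mk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal persists nonce||ciphertext||tag; binding the secret name as AAD is this sketch's choice.
func seal(ctx context.Context, s memStore, gcm cipher.AEAD, key string, value []byte) error {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per write, never reused
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	return s.StoreSecret(ctx, key, gcm.Seal(nonce, nonce, value, []byte(key)))
}

// open splits off the nonce and returns plaintext only if the GCM tag verifies.
func open(ctx context.Context, s memStore, gcm cipher.AEAD, key string) ([]byte, error) {
	blob, err := s.GetSecret(ctx, key)
	if err != nil || len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("missing or truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(key))
}

func main() {
	gcm, _ := newGCM(make([]byte, 32)) // constructed all-zero key, demo only
	ctx, s := context.Background(), memStore{}
	_ = seal(ctx, s, gcm, "API_TOKEN", []byte("constructed-value"))
	pt, err := open(ctx, s, gcm, "API_TOKEN")
	fmt.Printf("stored %d bytes, resolved %q, err=%v\n", len(s["API_TOKEN"]), pt, err)
}
```

Because the secret name is authenticated as associated data in this sketch, a ciphertext copied under a different key name in the backend fails to open instead of resolving to another secret's value.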
