Documentation
Types
type AESVault
type AESVault struct {
	// contains filtered or unexported fields
}
AESVault encrypts secrets with AES-256-GCM before persisting.
func NewAESVault
func NewAESVault(s SecretStore, cfg VaultConfig) (*AESVault, error)
NewAESVault creates a vault with AES-256-GCM encryption.
type SecretStore
type SecretStore interface {
	StoreSecret(ctx context.Context, key string, value []byte) error
	GetSecret(ctx context.Context, key string) ([]byte, error)
	DeleteSecret(ctx context.Context, key string) error
	ListSecrets(ctx context.Context) ([]string, error)
}
SecretStore is the minimal persistence interface needed by the vault. Satisfied by store.Store.
type Vault
type Vault interface {
	Resolve(ctx context.Context, key string) ([]byte, error)
	Store(ctx context.Context, key string, value []byte) error
	Delete(ctx context.Context, key string) error
	List(ctx context.Context) ([]string, error)
}
Vault resolves secret references (${{secrets.KEY}}) at runtime. Secrets are encrypted at rest (AES-256-GCM) and resolved in-memory only.
type VaultConfig
type VaultConfig struct {
	MasterKey  []byte // raw 32-byte key (takes priority)
	Passphrase string // derive key via PBKDF2
	Salt       []byte // salt for PBKDF2 (required with Passphrase)
	Iterations int    // PBKDF2 iterations (default 100_000)
}
VaultConfig configures the AES vault key derivation. Provide either MasterKey (raw 32 bytes) or Passphrase + Salt.