diff options
| author | Levi Durfee <levi.durfee@gmail.com> | 2026-01-07 08:57:35 -0500 |
|---|---|---|
| committer | Levi Durfee <levi.durfee@gmail.com> | 2026-01-07 08:57:41 -0500 |
| commit | 22ce0770a047b44c8168ec1ccd21b7771903ff42 (patch) | |
| tree | 0a0f2e6be5ede94980a6fb39bbde971a78b7b915 /internal | |
| parent | 54d3a02387059b6e803be4435f101979fc5b7cd3 (diff) | |
Add pbkdf2 with salt
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/decrypt.go | 2 | ||||
| -rw-r--r-- | internal/encrypt.go | 2 | ||||
| -rw-r--r-- | internal/goaes.go | 30 |
3 files changed, 27 insertions, 7 deletions
diff --git a/internal/decrypt.go b/internal/decrypt.go index d8d9ef4..bc2e64b 100644 --- a/internal/decrypt.go +++ b/internal/decrypt.go @@ -7,7 +7,7 @@ import ( func Decrypt(edek WrappedDEK, ct Ciphertext) ([]byte, error) { godotenv.Load() - kek, err := NewKEKFromEnvB64("SECRET_KEY") + kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE", "GOAES_SALT") if err != nil { return nil, err } diff --git a/internal/encrypt.go b/internal/encrypt.go index bc3bf7f..fdaceb3 100644 --- a/internal/encrypt.go +++ b/internal/encrypt.go @@ -7,7 +7,7 @@ import ( func Encrypt(data []byte) (EncryptedDataPayload, error) { godotenv.Load() - kek, err := NewKEKFromEnvB64("SECRET_KEY") + kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE", "GOAES_SALT") if err != nil { return EncryptedDataPayload{}, err } diff --git a/internal/goaes.go b/internal/goaes.go index ce054e8..f9e2f3e 100644 --- a/internal/goaes.go +++ b/internal/goaes.go @@ -4,24 +4,44 @@ import ( "crypto/aes" "crypto/cipher" "crypto/rand" + "crypto/sha256" "encoding/base64" "errors" "fmt" "io" "os" + + "golang.org/x/crypto/pbkdf2" +) + +const ( + keyIterations = 600_000 + keyLength = 32 ) -func NewKEKFromEnvB64(envVar string) (KEK, error) { - b64 := os.Getenv(envVar) +func NewKEKFromEnvB64(passphraseEnvVar, saltEnvVar string) (KEK, error) { + b64 := os.Getenv(passphraseEnvVar) if b64 == "" { - return nil, fmt.Errorf("%s is not set", envVar) + return nil, fmt.Errorf("%s is not set", passphraseEnvVar) + } + + b64Salt := os.Getenv(saltEnvVar) + if b64Salt == "" { + return nil, fmt.Errorf("%s is not set", saltEnvVar) } - raw, err := base64.StdEncoding.DecodeString(b64) + passphrase, err := base64.StdEncoding.DecodeString(b64) if err != nil { - return nil, fmt.Errorf("decode %s base64: %w", envVar, err) + return nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err) } + salt, err := base64.StdEncoding.DecodeString(b64Salt) + if err != nil { + return nil, fmt.Errorf("decode %s base64: %w", saltEnvVar, err) + } + + raw := pbkdf2.Key(passphrase, salt, keyIterations, keyLength, sha256.New) + if !validAESKeyLen(len(raw)) { return nil, errBadKeyLn } |