diff options
| author | Levi Durfee <levi.durfee@gmail.com> | 2026-01-07 11:56:45 -0500 |
|---|---|---|
| committer | Levi Durfee <levi.durfee@gmail.com> | 2026-01-07 11:56:52 -0500 |
| commit | fe005e606aba487736fb80f2f4c1c67e05c8b5b3 (patch) | |
| tree | 85a4f6c87e7fd724274039002c26c404f287fdca /internal | |
| parent | ac5b030f71434123bea60f9b1d918a59f19fed6a (diff) | |
Use a unique salt for each encryption and save it
with the encrypted payload.
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/decrypt.go | 2 | ||||
| -rw-r--r-- | internal/encrypt.go | 7 | ||||
| -rw-r--r-- | internal/goaes.go | 15 |
3 files changed, 12 insertions, 12 deletions
diff --git a/internal/decrypt.go b/internal/decrypt.go index 470e3c5..936ef59 100644 --- a/internal/decrypt.go +++ b/internal/decrypt.go @@ -1,7 +1,7 @@ package internal func Decrypt(edek WrappedDEK, ct Ciphertext, salt Salt) ([]byte, error) { - kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE") + kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE", salt) if err != nil { return nil, err } diff --git a/internal/encrypt.go b/internal/encrypt.go index 3ee73d7..42881be 100644 --- a/internal/encrypt.go +++ b/internal/encrypt.go @@ -1,7 +1,12 @@ package internal func Encrypt(data []byte) (EncryptedDataPayload, error) { - kek, salt, err := NewKEKFromEnvB64("GOAES_PASSPHRASE") + salt, err := NewSalt() + if err != nil { + return EncryptedDataPayload{}, err + } + + kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE", salt) if err != nil { return EncryptedDataPayload{}, err } diff --git a/internal/goaes.go b/internal/goaes.go index 7d4f476..65d898d 100644 --- a/internal/goaes.go +++ b/internal/goaes.go @@ -20,29 +20,24 @@ const ( keyLen = 32 ) -func NewKEKFromEnvB64(passphraseEnvVar string) (KEK, Salt, error) { +func NewKEKFromEnvB64(passphraseEnvVar string, salt Salt) (KEK, error) { b64Passphrase := os.Getenv(passphraseEnvVar) if b64Passphrase == "" { - return nil, nil, fmt.Errorf("%s is not set", passphraseEnvVar) + return nil, fmt.Errorf("%s is not set", passphraseEnvVar) } passphrase, err := base64.StdEncoding.DecodeString(b64Passphrase) if err != nil { - return nil, nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err) - } - - salt, err := NewSalt() - if err != nil { - return nil, nil, fmt.Errorf("failed to create salt %w", err) + return nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err) } raw := argon2.IDKey(passphrase, salt, time, memory, threads, keyLen) if !validAESKeyLen(len(raw)) { - return nil, nil, errBadKeyLn + return nil, errBadKeyLn } - return KEK(raw), Salt(salt), nil + return KEK(raw), nil } func NewDEK() (DEK, error) { |