-rw-r--r--input.txt.goaesbin0 -> 206 bytes
-rw-r--r--internal/decrypt.go6
-rw-r--r--internal/encrypt.go3
-rw-r--r--internal/goaes.go1
4 files changed, 7 insertions, 3 deletions
diff --git a/input.txt.goaes b/input.txt.goaes
new file mode 100644
index 0000000..3214ad6
--- /dev/null
+++ b/input.txt.goaes
Binary files differ
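Review bot: `input.txt.goaes` looks like an output file produced by the tool rather than source, and the rest of this commit (doc comments and a variable rename) does not refer to it, so it may have been committed by accident. If it was encrypted under a real passphrase, the wrapped key and ciphertext are now in history, where the passphrase can be guessed offline, so that passphrase should be rotated. If it is meant as a test fixture, move it under a `testdata/` directory and record the throwaway passphrase next to it; otherwise remove it and add `*.goaes` to `.gitignore`.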
diff --git a/internal/decrypt.go b/internal/decrypt.go
index bd1f68b..252b033 100644
--- a/internal/decrypt.go
+++ b/internal/decrypt.go
@@ -1,17 +1,19 @@
package internal
+// Decrypt recreates the kek from a passphrase and a salt, unwraps the dek using
+// the kek, decrypts the data using the dek, and then returns the plaintext.
func Decrypt(passphrase string, edek WrappedDEK, ct Ciphertext, salt Salt) ([]byte, error) {
kek, err := NewKEKFromEnvB64(passphrase, salt)
if err != nil {
return nil, err
}
- dek2, err := UnwrapDEK(edek, kek)
+ dek, err := UnwrapDEK(edek, kek)
if err != nil {
return nil, err
}
- pt, err := DecryptData(ct, dek2)
+ pt, err := DecryptData(ct, dek)
if err != nil {
return nil, err
}
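Review bot: The new doc comment says the kek is recreated from a passphrase, but the call it documents is `NewKEKFromEnvB64(passphrase, salt)`, whose name suggests a base64-encoded value read from the environment; the helper's body is not in this hunk, so presumably either the name or the comment is misleading. If the argument really is a user passphrase, the helper deserves a rename; if base64 input is expected, say so, e.g. `// passphrase must be the base64-encoded secret accepted by NewKEKFromEnvB64.` The comment could also state the failure contract, something like `// It returns a nil slice and an error if the kek cannot be derived, the edek cannot be unwrapped, or the ciphertext cannot be decrypted.` Decrypt's body continues past the end of the hunk.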
diff --git a/internal/encrypt.go b/internal/encrypt.go
index 4efa722..5d2c794 100644
--- a/internal/encrypt.go
+++ b/internal/encrypt.go
@@ -1,5 +1,8 @@
package internal
+// Encrypt generates a new salt, creates the kek from the passphrase and the new
+// salt, creates a new dek, wraps the dek with the kek, encrypts the data with
+// the dek, then returns the edek, salt, and ciphertext.
func Encrypt(passphrase string, data []byte) (EncryptedDataPayload, error) {
salt, err := NewSalt()
if err != nil {
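Review bot: The comment on Encrypt lists the internal steps but not what the caller has to keep: Decrypt in internal/decrypt.go takes the edek, the ciphertext and the salt, so all three must be stored together or the data cannot be recovered. I would add a line such as `// The returned salt and edek are required by Decrypt and must be stored alongside the ciphertext.` It is also worth stating that a new salt and dek are generated on every call, as the `NewSalt()` call below suggests, so encrypting the same data twice presumably yields different payloads. Encrypt's body continues outside the hunk.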
diff --git a/internal/goaes.go b/internal/goaes.go
index 7bc71f3..2afbbcf 100644
--- a/internal/goaes.go
+++ b/internal/goaes.go
@@ -74,7 +74,6 @@ func DecryptData(ct Ciphertext, dek DEK) ([]byte, error) {
return decryptAEAD([]byte(ct), []byte(dek), aadDataMsg)
}
-// encryptAEAD returns: nonce || ciphertext
func encryptAEAD(plaintext, key, aad []byte) ([]byte, error) {
if !validAESKeyLen(len(key)) {
return nil, errBadKeyLn