-rw-r--r--cmd/goaes/commands/commands.go5
-rw-r--r--cmd/goaes/commands/decrypt.go4
-rw-r--r--cmd/goaes/commands/encrypt.go4
-rw-r--r--internal/decrypt.go4
-rw-r--r--internal/encrypt.go4
-rw-r--r--internal/goaes.go10
-rw-r--r--internal/goaes_test.go51
7 files changed, 34 insertions, 48 deletions
diff --git a/cmd/goaes/commands/commands.go b/cmd/goaes/commands/commands.go
index f7086a9..2a6f51e 100644
--- a/cmd/goaes/commands/commands.go
+++ b/cmd/goaes/commands/commands.go
@@ -1,3 +1,6 @@
package commands
-const fileMode = 0600
+const (
+ fileMode = 0600
+ PassphraseEnvVar = "GOAES_PASSPHRASE"
+)
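Review bot: `PassphraseEnvVar` is newly exported but has no doc comment, and nothing tells a reader that the value it names must be base64-encoded (the internal layer decodes it before key derivation). Add one above the constant, e.g. `// PassphraseEnvVar names the environment variable holding the base64-encoded passphrase used to derive the key-encryption key.` The unexported `fileMode` can stay undocumented.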
diff --git a/cmd/goaes/commands/decrypt.go b/cmd/goaes/commands/decrypt.go
index a590f47..9168a00 100644
--- a/cmd/goaes/commands/decrypt.go
+++ b/cmd/goaes/commands/decrypt.go
@@ -36,7 +36,9 @@ func Decrypt(ctx context.Context, cmd *cli.Command) error {
return err
}
- plaintext, err := internal.Decrypt(encryptedPayload.DEK, encryptedPayload.Payload, encryptedPayload.Salt)
+ passphrase := os.Getenv(PassphraseEnvVar)
+
+ plaintext, err := internal.Decrypt(passphrase, encryptedPayload.DEK, encryptedPayload.Payload, encryptedPayload.Salt)
if err != nil {
return err
}
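Review bot: The added `os.Getenv(PassphraseEnvVar)` is passed through unchecked, and the "is not set" guard that previously lived in `NewKEKFromEnvB64` is removed in this same commit, so an unset `GOAES_PASSPHRASE` now reaches key derivation as an empty string: `""` is valid base64 and argon2 happily derives a key from an empty passphrase. Here that presumably shows up later as a failed unwrap with a less useful error; in the parallel hunk in encrypt.go it silently encrypts under an empty-passphrase key. Keep the check at the call site in both files, e.g. `if passphrase == "" { return fmt.Errorf("%s is not set", PassphraseEnvVar) }` right after the `os.Getenv` line (whether `fmt` and `os` are already imported in these files is outside the hunk). `Decrypt` begins and ends outside the hunk.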
diff --git a/cmd/goaes/commands/encrypt.go b/cmd/goaes/commands/encrypt.go
index b50ef97..df707cb 100644
--- a/cmd/goaes/commands/encrypt.go
+++ b/cmd/goaes/commands/encrypt.go
@@ -21,7 +21,9 @@ func Encrypt(ctx context.Context, cmd *cli.Command) error {
return err
}
- payload, err := internal.Encrypt(plaintext)
+ passphrase := os.Getenv(PassphraseEnvVar)
+
+ payload, err := internal.Encrypt(passphrase, plaintext)
if err != nil {
return err
}
diff --git a/internal/decrypt.go b/internal/decrypt.go
index 936ef59..bd1f68b 100644
--- a/internal/decrypt.go
+++ b/internal/decrypt.go
@@ -1,7 +1,7 @@
package internal
-func Decrypt(edek WrappedDEK, ct Ciphertext, salt Salt) ([]byte, error) {
- kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE", salt)
+func Decrypt(passphrase string, edek WrappedDEK, ct Ciphertext, salt Salt) ([]byte, error) {
+ kek, err := NewKEKFromEnvB64(passphrase, salt)
if err != nil {
return nil, err
}
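Review bot: The new parameter is named `passphrase` but is handed to `NewKEKFromEnvB64`, which base64-decodes it, so callers reading this signature will pass the raw secret and get a decode error; the same applies to the `Encrypt` signature in encrypt.go. Either rename it `b64Passphrase` or add a doc comment on the exported function, e.g. `// Decrypt unwraps the DEK with a KEK derived from the base64-encoded passphrase and salt, then decrypts ct.` The rest of `Decrypt` is outside the hunk.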
diff --git a/internal/encrypt.go b/internal/encrypt.go
index 42881be..4efa722 100644
--- a/internal/encrypt.go
+++ b/internal/encrypt.go
@@ -1,12 +1,12 @@
package internal
-func Encrypt(data []byte) (EncryptedDataPayload, error) {
+func Encrypt(passphrase string, data []byte) (EncryptedDataPayload, error) {
salt, err := NewSalt()
if err != nil {
return EncryptedDataPayload{}, err
}
- kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE", salt)
+ kek, err := NewKEKFromEnvB64(passphrase, salt)
if err != nil {
return EncryptedDataPayload{}, err
}
diff --git a/internal/goaes.go b/internal/goaes.go
index d67921a..7bc71f3 100644
--- a/internal/goaes.go
+++ b/internal/goaes.go
@@ -8,7 +8,6 @@ import (
"errors"
"fmt"
"io"
- "os"
"golang.org/x/crypto/argon2"
)
@@ -20,15 +19,10 @@ const (
keyLen = 32
)
-func NewKEKFromEnvB64(passphraseEnvVar string, salt Salt) (KEK, error) {
- b64Passphrase := os.Getenv(passphraseEnvVar)
- if b64Passphrase == "" {
- return nil, fmt.Errorf("%s is not set", passphraseEnvVar)
- }
-
+func NewKEKFromEnvB64(b64Passphrase string, salt Salt) (KEK, error) {
passphrase, err := base64.StdEncoding.DecodeString(b64Passphrase)
if err != nil {
- return nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err)
+ return nil, fmt.Errorf("decode %s base64: %w", b64Passphrase, err)
}
raw := argon2.IDKey(passphrase, salt, time, memory, threads, keyLen)
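Review bot: The rewritten `decode %s base64` error now interpolates `b64Passphrase` — the secret itself — into the returned error, where the old code printed only the env var name; since the CLI returns that error to its caller, a mistyped passphrase ends up on stderr and in any log that captures it. Drop the value: `return nil, fmt.Errorf("decode passphrase base64: %w", err)`. The empty-string guard removed at the top of the function has no replacement, so `""` decodes cleanly and is fed to argon2 as an empty passphrase; unless every caller rejects it, keep `if b64Passphrase == "" { return nil, errors.New("passphrase is empty") }` here (`errors` is already imported in this file). The name `NewKEKFromEnvB64` also no longer reads the environment, so a rename or a doc comment stating that the argument is the base64-encoded passphrase would avoid the misnomer; the function continues past the hunk.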
diff --git a/internal/goaes_test.go b/internal/goaes_test.go
index 5d45641..b8174f5 100644
--- a/internal/goaes_test.go
+++ b/internal/goaes_test.go
@@ -3,7 +3,6 @@ package internal_test
import (
"bytes"
"fmt"
- "os"
"testing"
"github.com/nerdsec/goaes/internal"
@@ -47,43 +46,34 @@ func TestNewSalt(t *testing.T) {
func TestNewKEKFromEnvB64(t *testing.T) {
tests := []struct {
- name string
- passphraseEnvVar string
- passphrase string
- salt internal.Salt
- wantErr bool
+ name string
+ passphrase string
+ salt internal.Salt
+ wantErr bool
}{
{
- name: "Valid base64",
- passphraseEnvVar: "GOAES_PASSPHRASE",
- passphrase: validPassphrase,
- salt: []byte("kD+tNSxjss1XchcyyrKJyZBGg2mdmhh/IO3I87WW2Ds="),
- wantErr: false,
+ name: "Valid base64",
+ passphrase: validPassphrase,
+ salt: []byte("kD+tNSxjss1XchcyyrKJyZBGg2mdmhh/IO3I87WW2Ds="),
+ wantErr: false,
},
{
- name: "Invalid passphrase base64",
- passphraseEnvVar: "GOAES_PASSPHRASE",
- passphrase: "dJyHOdMbG94EMvQGQrs6YZiXGiAGQgDYtx6eqLufQg=",
- salt: []byte("kD+tNSxjss1XchcyyrKJyZBGg2mdmhh/IO3I87WW2Ds="),
- wantErr: true,
+ name: "Invalid passphrase base64",
+ passphrase: "dJyHOdMbG94EMvQGQrs6YZiXGiAGQgDYtx6eqLufQg=",
+ salt: []byte("kD+tNSxjss1XchcyyrKJyZBGg2mdmhh/IO3I87WW2Ds="),
+ wantErr: true,
},
{
- name: "Empty seed",
- passphraseEnvVar: "GOAES_PASSPHRASE",
- passphrase: validPassphrase,
- salt: []byte(""),
- wantErr: false,
+ name: "Empty seed",
+ passphrase: validPassphrase,
+ salt: []byte(""),
+ wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
- err := os.Setenv(tt.passphraseEnvVar, tt.passphrase)
- if err != nil {
- t.Fatal("failed to set env var")
- }
-
- _, gotErr := internal.NewKEKFromEnvB64(tt.passphraseEnvVar, tt.salt)
+ _, gotErr := internal.NewKEKFromEnvB64(tt.passphrase, tt.salt)
if gotErr != nil {
if !tt.wantErr {
t.Errorf("NewKEKFromEnvB64() failed: %v", gotErr)
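Review bot: No table entry covers an empty passphrase now that the env-lookup branch is gone; the removed "not set" path was the only coverage of that input, and the new `NewKEKFromEnvB64` accepts `""` because the base64 of an empty string decodes without error. Add a case that pins the intended behaviour, e.g. `{name: "Empty passphrase", passphrase: "", salt: []byte("kD+tNSxjss1XchcyyrKJyZBGg2mdmhh/IO3I87WW2Ds="), wantErr: true}` if an empty secret is to be rejected. `TestNewKEKFromEnvB64` continues beyond the hunk.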
@@ -100,13 +90,8 @@ func TestNewKEKFromEnvB64(t *testing.T) {
}
func TestWrapDEK(t *testing.T) {
- err := os.Setenv("GOAES_PASSPHRASE", validPassphrase)
- if err != nil {
- t.Fatal("failed to get env var")
- }
-
kek, err := internal.NewKEKFromEnvB64(
- "GOAES_PASSPHRASE",
+ validPassphrase,
[]byte("salt"),
)
if err != nil {