From 6f706d0d05612d9778ece6414b3427c176214586 Mon Sep 17 00:00:00 2001
From: Levi Durfee
Date: Thu, 8 Jan 2026 18:50:19 -0500
Subject: Work on comments
---
input.txt.goaes | Bin 0 -> 206 bytes
internal/decrypt.go | 6 ++++--
internal/encrypt.go | 3 +++
internal/goaes.go | 1 -
4 files changed, 7 insertions(+), 3 deletions(-)
create mode 100644 input.txt.goaes
diff --git a/input.txt.goaes b/input.txt.goaes
new file mode 100644
index 0000000..3214ad6
Binary files /dev/null and b/input.txt.goaes differ
diff --git a/internal/decrypt.go b/internal/decrypt.go
index bd1f68b..252b033 100644
--- a/internal/decrypt.go
+++ b/internal/decrypt.go
@@ -1,17 +1,19 @@
 package internal
+// Decrypt recreates the kek from a passphrase and a salt, unwraps the dek using
+// the kek, decrypts the data using the dek, and then returns the plaintext.
 func Decrypt(passphrase string, edek WrappedDEK, ct Ciphertext, salt Salt) ([]byte, error) {
 kek, err := NewKEKFromEnvB64(passphrase, salt)
 if err != nil {
 return nil, err
 }
- dek2, err := UnwrapDEK(edek, kek)
+ dek, err := UnwrapDEK(edek, kek)
 if err != nil {
 return nil, err
 }
- pt, err := DecryptData(ct, dek2)
+ pt, err := DecryptData(ct, dek)
 if err != nil {
 return nil, err
 }
diff --git a/internal/encrypt.go b/internal/encrypt.go
index 4efa722..5d2c794 100644
--- a/internal/encrypt.go
+++ b/internal/encrypt.go
@@ -1,5 +1,8 @@
 package internal
+// Encrypt generates a new salt, creates the kek from the passphrase and the new
+// salt, creates a new dek, wraps the dek with the kek, encrypts the data with
+// the dek, then returns the edek, salt, and ciphertext.
 func Encrypt(passphrase string, data []byte) (EncryptedDataPayload, error) {
 salt, err := NewSalt()
 if err != nil {
diff --git a/internal/goaes.go b/internal/goaes.go
index 7bc71f3..2afbbcf 100644
--- a/internal/goaes.go
+++ b/internal/goaes.go
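Review bot: `input.txt.goaes` is created at the repository root in a commit whose subject is comment work, and the name suggests it is output of the tool rather than source. If it is not a deliberate fixture, drop it and ignore the pattern (`*.goaes` in `.gitignore`): ciphertext that is committed stays in history, and if the file carries its salt and wrapped key alongside the data, as the `Encrypt` comment in this commit suggests, its protection rests on the passphrase alone. If it is a fixture, keeping it under a `testdata/` directory with a throwaway passphrase would make that intent clear.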
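Review bot: The doc comment added above `Decrypt` narrates the steps but leaves out the failure contract, and the `Encrypt` comment added in internal/encrypt.go omits its error return in the same way. Every step visible in this hunk returns `nil, err`, so a line such as `// It returns a nil slice and a non-nil error if any step fails; no partial plaintext is returned.` would tell callers what to rely on; presumably a wrong passphrase surfaces as the `UnwrapDEK` error, which is worth confirming before writing it down. The comment also says the kek comes from a passphrase while the call is `NewKEKFromEnvB64(passphrase, salt)`, so either the helper's name or the comment is misleading about the input. The body of `Decrypt` continues past the end of the hunk.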
@@ -74,7 +74,6 @@ func DecryptData(ct Ciphertext, dek DEK) ([]byte, error) {
 return decryptAEAD([]byte(ct), []byte(dek), aadDataMsg)
 }
-// encryptAEAD returns: nonce || ciphertext
 func encryptAEAD(plaintext, key, aad []byte) ([]byte, error) {
 if !validAESKeyLen(len(key)) {
 return nil, errBadKeyLn
--
cgit v1.2.3
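Review bot: Deleting `// encryptAEAD returns: nonce || ciphertext` leaves `encryptAEAD` without any statement of its output layout, which is presumably what `decryptAEAD` has to split apart again. In a commit about comments I would rewrite the line in doc-comment form instead of dropping it, for example `// encryptAEAD encrypts plaintext under key with aad as associated data and returns nonce || ciphertext.` The key-length check visible here (`errBadKeyLn`) could be named in the same comment. The body of `encryptAEAD` continues past the end of the hunk.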