From fe005e606aba487736fb80f2f4c1c67e05c8b5b3 Mon Sep 17 00:00:00 2001
From: Levi Durfee <levi.durfee@gmail.com>
Date: Wed, 7 Jan 2026 11:56:45 -0500
Subject: Use a unique salt for each encryption and save it with the encrypted
 payload.

---
 internal/decrypt.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'internal/decrypt.go')

diff --git a/internal/decrypt.go b/internal/decrypt.go
index 470e3c5..936ef59 100644
--- a/internal/decrypt.go
+++ b/internal/decrypt.go
@@ -1,7 +1,7 @@
 package internal
 
 func Decrypt(edek WrappedDEK, ct Ciphertext, salt Salt) ([]byte, error) {
-	kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE")
+	kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE", salt)
 	if err != nil {
 		return nil, err
 	}
-- 
cgit v1.2.3