From fe005e606aba487736fb80f2f4c1c67e05c8b5b3 Mon Sep 17 00:00:00 2001
From: Levi Durfee
Date: Wed, 7 Jan 2026 11:56:45 -0500
Subject: Use a unique salt for each encryption and save it with the encrypted payload.
---
 internal/encrypt.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'internal/encrypt.go')
diff --git a/internal/encrypt.go b/internal/encrypt.go
index 3ee73d7..42881be 100644
--- a/internal/encrypt.go
+++ b/internal/encrypt.go
@@ -1,7 +1,12 @@
 package internal
 func Encrypt(data []byte) (EncryptedDataPayload, error) {
- kek, salt, err := NewKEKFromEnvB64("GOAES_PASSPHRASE")
+ salt, err := NewSalt()
+ if err != nil {
+ return EncryptedDataPayload{}, err
+ }
+
+ kek, err := NewKEKFromEnvB64("GOAES_PASSPHRASE", salt)
 if err != nil {
 return EncryptedDataPayload{}, err
 }
--
cgit v1.2.3
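Review bot: The exported `Encrypt` has no doc comment, and once the salt changes on every call its contract should be stated where callers read it, since a payload can only be decrypted if the salt generated at the top of the function is stored with it. I would add `// Encrypt encrypts data with a key derived from GOAES_PASSPHRASE and a per-call salt from NewSalt; the salt is kept in the returned payload and is required to decrypt.` above the signature. The rest of the body, `NewSalt` and the decrypt path are outside this hunk (the page is limited to this one file), so it is worth confirming there that the salt really is written into `EncryptedDataPayload`, that `NewSalt` reads from `crypto/rand`, and that payloads produced before this commit still decrypt. Separately, both error returns pass `err` up bare, so a salt-generation failure is indistinguishable from a bad passphrase variable; wrapping with `%w` and a short context string would help, though the file appears to have no import block yet, so that needs `fmt` added.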