From fe005e606aba487736fb80f2f4c1c67e05c8b5b3 Mon Sep 17 00:00:00 2001
From: Levi Durfee <levi.durfee@gmail.com>
Date: Wed, 7 Jan 2026 11:56:45 -0500
Subject: Use a unique salt for each encryption and save it with the encrypted
 payload.

---
 internal/goaes.go | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

(limited to 'internal/goaes.go')

diff --git a/internal/goaes.go b/internal/goaes.go
index 7d4f476..65d898d 100644
--- a/internal/goaes.go
+++ b/internal/goaes.go
@@ -20,29 +20,24 @@ const (
 	keyLen  = 32
 )
 
-func NewKEKFromEnvB64(passphraseEnvVar string) (KEK, Salt, error) {
+func NewKEKFromEnvB64(passphraseEnvVar string, salt Salt) (KEK, error) {
 	b64Passphrase := os.Getenv(passphraseEnvVar)
 	if b64Passphrase == "" {
-		return nil, nil, fmt.Errorf("%s is not set", passphraseEnvVar)
+		return nil, fmt.Errorf("%s is not set", passphraseEnvVar)
 	}
 
 	passphrase, err := base64.StdEncoding.DecodeString(b64Passphrase)
 	if err != nil {
-		return nil, nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err)
-	}
-
-	salt, err := NewSalt()
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create salt %w", err)
+		return nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err)
 	}
 
 	raw := argon2.IDKey(passphrase, salt, time, memory, threads, keyLen)
 
 	if !validAESKeyLen(len(raw)) {
-		return nil, nil, errBadKeyLn
+		return nil, errBadKeyLn
 	}
 
-	return KEK(raw), Salt(salt), nil
+	return KEK(raw), nil
 }
 
 func NewDEK() (DEK, error) {
-- 
cgit v1.2.3