Documentation
¶
Overview ¶
Package aes provides AES-GCM encryption helpers and wiring for go-service.
This package wires an AES-GCM Cipher that encrypts and decrypts byte slices using a configured key. Keys are typically loaded via the go-service "source string" pattern (for example "env:NAME", "file:/path", or a literal value).
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrInvalidLength = errors.New("aes: invalid length")
ErrInvalidLength is returned when a ciphertext is too short to contain the required nonce prefix.
var Module = di.Module( di.Constructor(NewGenerator), di.Constructor(NewCipher), )
Module wires the AES subsystem into Fx/Dig.
It provides constructors for:
- *Generator (via NewGenerator), which can be used to generate AES-256 key material, and
- *Cipher (via NewCipher), which provides AES-GCM Encrypt/Decrypt when AES config is enabled.
Disabled behavior: if AES configuration is disabled (nil *Config), NewCipher returns (nil, nil) so downstream consumers can treat AES as optional.
Functions ¶
This section is empty.
Types ¶
type Cipher ¶
type Cipher struct {
// contains filtered or unexported fields
}
Cipher provides AES-GCM encryption and decryption using a configured key.
The ciphertext format produced by Encrypt is:
nonce || gcm(ciphertext+tag)
Where nonce is generated fresh per encryption and is required to decrypt.
func NewCipher ¶
NewCipher constructs an AES-GCM Cipher when configuration is enabled.
Disabled behavior: if cfg is nil (disabled), NewCipher returns (nil, nil).
Enabled behavior: the key material is loaded via cfg.GetKey(fs). Any error encountered while reading key material is returned.
Note: this constructor does not validate the key length eagerly; key length validation occurs when Encrypt/Decrypt attempts to construct the underlying AES block cipher.
func (*Cipher) Decrypt ¶
Decrypt decrypts a value produced by Encrypt.
The msg parameter must be in the format nonce||ciphertext, where nonce length is determined by the underlying AEAD (GCM) nonce size.
Errors:
- ErrInvalidLength if msg is shorter than the required nonce size.
- Any error returned by the underlying AEAD if authentication fails or if msg is malformed.
- Any error returned if the configured key is invalid for AES.
func (*Cipher) Encrypt ¶
Encrypt encrypts msg using AES-GCM and returns nonce||ciphertext.
A fresh nonce is generated for each call and is prefixed to the returned byte slice so Decrypt can recover it. The returned slice includes the GCM authentication tag as produced by cipher.AEAD.Seal.
Errors are returned if nonce generation fails or if the configured key is invalid for AES.
type Config ¶
type Config struct {
// Key is a "source string" that resolves to the raw AES key bytes.
//
// It supports the go-service source string pattern implemented by `os.FS.ReadSource`:
// - "env:NAME" to read from an environment variable,
// - "file:/path/to/key" to read from a file, or
// - any other value treated as a literal.
//
// The resolved key bytes must be a valid AES key length (16, 24, or 32 bytes for AES-128/192/256).
Key string `yaml:"key,omitempty" json:"key,omitempty" toml:"key,omitempty"`
}
Config configures AES key material used by the AES-GCM cipher wired by this package.
type Generator ¶
type Generator struct {
// contains filtered or unexported fields
}
Generator generates AES keys using the shared random generator.
func NewGenerator ¶
NewGenerator constructs a Generator that produces AES key material.
The returned Generator uses the shared cryptographically-secure random generator.
Source Files