dbcrypt

package
v2.24.2
Warning

This package is not in the latest version of its module.

Published: Jul 15, 2025 | License: AGPL-3.0 | Imports: 14 | Imported by: 0

Documentation

Overview

Package dbcrypt provides a database.Store wrapper that encrypts/decrypts values stored at rest in the database.

Encryption is done using Ciphers, an abstraction over a set of encryption keys. Each key has a unique identifier, which identifies the key whilst keeping the key itself secret.

Currently, AES-256-GCM is the only implemented cipher mode. The Cipher is currently used to encrypt/decrypt the following fields:

  • database.UserLink.OAuthAccessToken
  • database.UserLink.OAuthRefreshToken
  • database.GitAuthLink.OAuthAccessToken
  • database.GitAuthLink.OAuthRefreshToken
  • database.DBCryptSentinelValue

Multiple ciphers can be provided to support key rotation. The primary cipher is used to encrypt and decrypt all data. Secondary ciphers are only used for decryption and, as a general rule, should only be active when rotating keys.

Encryption keys are stored in the database in the table `dbcrypt_keys`. The table has the following schema:

  • number: the key number. This is used to avoid conflicts when rotating keys.
  • created_at: the time the key was created.
  • active_key_digest: the SHA256 digest of the active key. If null, the key has been revoked.
  • revoked_key_digest: the SHA256 digest of the revoked key. If null, the key has not been revoked.
  • revoked_at: the time the key was revoked. If null, the key has not been revoked.
  • test: the encrypted value of the string "coder". This is used to ensure that the key is valid.

Encrypted fields are stored in the database as a base64-encoded string. Each encrypted column MUST have a corresponding _key_id column that is a foreign key reference to `dbcrypt_keys.active_key_digest`. This ensures that a key cannot be revoked until all rows that use that key have been migrated to a new key.
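
The rotation model described above, as an added Go example that is not code from the dbcrypt package: a value encrypted under an old key is found through its key id, decrypted, and re-encrypted under the primary, after which the old key can leave the ring. The names keyID, gcm, seal and rotate, the nonce-prefixed ciphertext layout and the demo keys are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// keyID names a key by the hex SHA-256 digest of its bytes (the value a _key_id column holds).
func keyID(k [32]byte) string { return fmt.Sprintf("%x", sha256.Sum256(k[:])) }

func gcm(k [32]byte) cipher.AEAD { // the [32]byte type enforces the AES-256 key length
	block, _ := aes.NewCipher(k[:]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return aead
}

// seal returns base64(nonce || ciphertext || tag) under k; this layout is an assumption.
func seal(k [32]byte, pt []byte) (string, error) {
	nonce := make([]byte, gcm(k).NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err // never encrypt under a nonce that is not fresh and random
	}
	return base64.StdEncoding.EncodeToString(gcm(k).Seal(nonce, nonce, pt, nil)), nil
}

// rotate decrypts with the ring key named by id, then re-seals under ring[0], the primary.
func rotate(ring [][32]byte, b64, id string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	for _, k := range ring {
		if n := gcm(k).NonceSize(); err == nil && keyID(k) == id && len(raw) >= n {
			pt, err := gcm(k).Open(nil, raw[:n], raw[n:], nil)
			if err != nil {
				return "", "", err
			}
			out, err := seal(ring[0], pt)
			return out, keyID(ring[0]), err
		}
	}
	return "", "", fmt.Errorf("no usable cipher for key id %.8s (decode error: %v)", id, err)
}

func main() {
	oldKey, newKey := [32]byte{1}, [32]byte{2} // constructed demo keys, not for real use
	ct, _ := seal(oldKey, []byte("constructed-oauth-token"))
	fmt.Println(rotate([][32]byte{newKey, oldKey}, ct, keyID(oldKey)))
}
```

Once the old key is dropped from the ring, any value still carrying its key id can no longer be decrypted, which is the situation the foreign key on `dbcrypt_keys.active_key_digest` prevents.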


Constants

This section is empty.

Variables

This section is empty.

Functions

func Decrypt

func Decrypt(ctx context.Context, log slog.Logger, sqlDB *sql.DB, ciphers []Cipher) error

Decrypt decrypts all user tokens and revokes all ciphers.

func Delete

func Delete(ctx context.Context, log slog.Logger, sqlDB *sql.DB) error

Delete deletes all user tokens and revokes all ciphers. This is a destructive operation and should only be used as a last resort, for example, if the database encryption key has been lost.

func New

func New(ctx context.Context, db database.Store, ciphers ...Cipher) (database.Store, error)

New creates a database.Store wrapper that encrypts/decrypts values stored at rest in the database.

func Rotate

func Rotate(ctx context.Context, log slog.Logger, sqlDB *sql.DB, ciphers []Cipher) error

Rotate rotates the database encryption keys by re-encrypting all user tokens with the first cipher and revoking all other ciphers.

Types

type Cipher

type Cipher interface {
	Encrypt([]byte) ([]byte, error)
	Decrypt([]byte) ([]byte, error)
	HexDigest() string
}

func NewCiphers

func NewCiphers(keys ...[]byte) ([]Cipher, error)

NewCiphers is a convenience function for creating multiple ciphers. It currently only supports AES-256-GCM.

type DecryptFailedError

type DecryptFailedError struct {
	Inner error
}

DecryptFailedError is returned when decryption fails.

func (*DecryptFailedError) Error

func (e *DecryptFailedError) Error() string
