secrets

package

v0.0.0-...-81fcdeb Latest Latest Go to latest Published: Feb 13, 2026 License: MIT Imports: 16 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/cbwinslow/cbwsh

Links

Open Source Insights

Documentation ¶

Overview ¶

Package secrets provides secure secrets management for cbwsh.

This package implements encrypted storage for sensitive data like:

API keys
Passwords
SSH keys
Authentication tokens

Security features:

AES-256-GCM encryption
Argon2id key derivation
Salt-based key generation
Secure file permissions (0600)
Memory-safe operations

Example usage:

manager := secrets.NewManager("~/.cbwsh/secrets.enc")
err := manager.Initialize("master-password")
err = manager.Set("api_key", []byte("secret-value"))
value, err := manager.Get("api_key")

Index ¶

type APIKeyManager
- func NewAPIKeyManager(manager *ExtendedManager) *APIKeyManager
type EncryptionBackend
type ExtendedManager
- func NewExtendedManager(storePath string, backend EncryptionBackend, gitBackend GitBackend) *ExtendedManager
type GitBackend
type Manager
- func NewManager(storePath string) *Manager

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type APIKeyManager ¶

type APIKeyManager struct {
	*ExtendedManager
	// contains filtered or unexported fields
}

APIKeyManager provides specialized management for API keys.

func NewAPIKeyManager ¶

func NewAPIKeyManager(manager *ExtendedManager) *APIKeyManager

NewAPIKeyManager creates a new API key manager.

func (*APIKeyManager) APIKeyExists ¶

func (m *APIKeyManager) APIKeyExists(name string) bool

APIKeyExists checks if an API key exists.

func (*APIKeyManager) DeleteAPIKey ¶

func (m *APIKeyManager) DeleteAPIKey(name string) error

DeleteAPIKey deletes an API key.

func (*APIKeyManager) GetAPIKey ¶

func (m *APIKeyManager) GetAPIKey(name string) ([]byte, error)

GetAPIKey retrieves an API key.

func (*APIKeyManager) ListAPIKeys ¶

func (m *APIKeyManager) ListAPIKeys() ([]string, error)

ListAPIKeys returns all stored API key names.

func (*APIKeyManager) StoreAPIKey ¶

func (m *APIKeyManager) StoreAPIKey(name string, key []byte) error

StoreAPIKey stores an API key.

type EncryptionBackend ¶

type EncryptionBackend string

EncryptionBackend represents the encryption method to use.

const (
	// BackendAES uses the built-in AES-256-GCM encryption.
	BackendAES EncryptionBackend = "aes"
	// BackendAge uses age encryption.
	BackendAge EncryptionBackend = "age"
	// BackendGPG uses GPG encryption.
	BackendGPG EncryptionBackend = "gpg"
)

type ExtendedManager ¶

type ExtendedManager struct {
	// contains filtered or unexported fields
}

ExtendedManager provides extended secrets management with multiple backends.

func NewExtendedManager ¶

func NewExtendedManager(storePath string, backend EncryptionBackend, gitBackend GitBackend) *ExtendedManager

NewExtendedManager creates a new extended secrets manager.

func (*ExtendedManager) Delete ¶

func (m *ExtendedManager) Delete(key string) error

Delete removes a stored secret.

func (*ExtendedManager) Exists ¶

func (m *ExtendedManager) Exists(key string) bool

Exists checks if a secret exists.

func (*ExtendedManager) GetEncryptionBackend ¶

func (m *ExtendedManager) GetEncryptionBackend() EncryptionBackend

GetEncryptionBackend returns the current encryption backend.

func (*ExtendedManager) GetGitBackend ¶

func (m *ExtendedManager) GetGitBackend() GitBackend

GetGitBackend returns the current git backend.

func (*ExtendedManager) Initialize ¶

func (m *ExtendedManager) Initialize(masterPassword string) error

Initialize initializes the extended manager.

func (*ExtendedManager) IsUnlocked ¶

func (m *ExtendedManager) IsUnlocked() bool

IsUnlocked returns whether the store is unlocked.

func (*ExtendedManager) List ¶

func (m *ExtendedManager) List() ([]string, error)

List returns all stored secret keys.

func (*ExtendedManager) Lock ¶

func (m *ExtendedManager) Lock() error

Lock locks the secrets store.

func (*ExtendedManager) PushToGit ¶

func (m *ExtendedManager) PushToGit() error

PushToGit pushes secrets to the git repository.

func (*ExtendedManager) Retrieve ¶

func (m *ExtendedManager) Retrieve(key string) ([]byte, error)

Retrieve gets a stored secret.

func (*ExtendedManager) SetGitRepoPath ¶

func (m *ExtendedManager) SetGitRepoPath(path string)

SetGitRepoPath sets the git repository path.

func (*ExtendedManager) SetRecipientKey ¶

func (m *ExtendedManager) SetRecipientKey(key string)

SetRecipientKey sets the recipient key for age/GPG encryption.

func (*ExtendedManager) Store ¶

func (m *ExtendedManager) Store(key string, value []byte) error

Store securely stores a secret.

func (*ExtendedManager) SyncWithGit ¶

func (m *ExtendedManager) SyncWithGit() error

SyncWithGit syncs secrets with the git repository.

func (*ExtendedManager) Unlock ¶

func (m *ExtendedManager) Unlock(masterPassword string) error

Unlock unlocks the secrets store.

type GitBackend ¶

type GitBackend string

GitBackend represents the git management tool to use.

const (
	// GitBackendNone uses no git integration.
	GitBackendNone GitBackend = "none"
	// GitBackendGit uses standard git.
	GitBackendGit GitBackend = "git"
	// GitBackendYadm uses yadm (Yet Another Dotfiles Manager).
	GitBackendYadm GitBackend = "yadm"
)

type Manager ¶

type Manager struct {
	// contains filtered or unexported fields
}

Manager provides encrypted secrets storage and retrieval.

The Manager uses AES-256-GCM encryption with Argon2id key derivation to securely store secrets. All operations are thread-safe.

Security considerations:

Master password is never stored (only its hash)
Encryption keys are derived using Argon2id (resistant to brute-force)
AES-256-GCM provides both confidentiality and authenticity
Store files use restrictive permissions (0600)
Secrets are locked by default and require explicit unlocking

func NewManager ¶

func NewManager(storePath string) *Manager

NewManager creates a new secrets manager.

func (*Manager) ChangePassword ¶

func (m *Manager) ChangePassword(oldPassword, newPassword string) error

ChangePassword changes the master password.

func (*Manager) Delete ¶

func (m *Manager) Delete(key string) error

Delete removes a stored secret.

func (*Manager) Exists ¶

func (m *Manager) Exists(key string) bool

Exists checks if a secret exists.

func (*Manager) Initialize ¶

func (m *Manager) Initialize(masterPassword string) error

Initialize sets up the secrets store with a master password.

func (*Manager) IsUnlocked ¶

func (m *Manager) IsUnlocked() bool

IsUnlocked returns whether the store is unlocked.

func (*Manager) List ¶

func (m *Manager) List() ([]string, error)

List returns all stored secret keys.

func (*Manager) Lock ¶

func (m *Manager) Lock() error

Lock locks the secrets store.

func (*Manager) Retrieve ¶

func (m *Manager) Retrieve(key string) ([]byte, error)

Retrieve gets a stored secret.

func (*Manager) Store ¶

func (m *Manager) Store(key string, value []byte) error

Store securely stores a secret.

func (*Manager) Unlock ¶

func (m *Manager) Unlock(masterPassword string) error

Unlock unlocks the secrets store with the master password.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL