Documentation ¶
Overview ¶
Package yasec helps to keep secrets in config files as secret as possible. (Needs to be audited)
Index ¶
- func PromptNewPassword(p1, p2 string) (*memguard.Enclave, error)
- func PromptPassword(p string) (*memguard.Enclave, error)
- func ReadPassword() (*memguard.Enclave, error)
- type Config
- func (cfg *Config) Set(key *memguard.Enclave)
- func (cfg *Config) SetFromPrompt(text string, salt []byte) error
- func (cfg *Config) SetFromUnixSocket(path string, salt []byte) error
- func (cfg *Config) SetPassword(passwd, salt []byte)
- func (cfg *Config) SetPasswordFrom(pwr Passworder, salt []byte) error
- func (cfg *Config) SetPasswordString(passwd string, salt []byte)
- type FDPassword
- type PasswordPrompt
- type Passworder
- type PasswordsDiffer
- type Secret
- func (sec Secret) Empty() bool
- func (sec Secret) Equal(data []byte) (bool, error)
- func (sec Secret) EqualString(s string) (bool, error)
- func (sec Secret) MarshalBinary() (data []byte, err error)
- func (sec Secret) MarshalText() (text []byte, err error)
- func (sec *Secret) MergeDaQ(m *daq.Merge, add any) error
- func (sec Secret) Open() (*memguard.LockedBuffer, error)
- func (sec Secret) Protected() bool
- func (sec *Secret) Set(buf *memguard.LockedBuffer) (err error)
- func (sec *Secret) UnmarshalBinary(data []byte) error
- func (sec *Secret) UnmarshalText(text []byte) error
- type UnixSocketPassword
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ReadPassword ¶
func ReadPassword() (*memguard.Enclave, error)
Types ¶
type Config ¶
type Config struct {
// contains filtered or unexported fields
}
Config holds the master password that is used to decrypt a Secret when it is opened for actual use.
func (*Config) SetFromUnixSocket ¶
func (cfg *Config) SetFromUnixSocket(path string, salt []byte) error
func (*Config) SetPassword ¶
func (cfg *Config) SetPassword(passwd, salt []byte)
func (*Config) SetPasswordFrom ¶
func (cfg *Config) SetPasswordFrom(pwr Passworder, salt []byte) error
func (*Config) SetPasswordString ¶
func (cfg *Config) SetPasswordString(passwd string, salt []byte)
type FDPassword ¶
type FDPassword uintptr
type PasswordPrompt ¶
type PasswordPrompt string
PasswordPrompt is a Passworder that reads a password directly from the terminal without echoing the user's input. Use e.g. term.IsTerminal() on stdin to check whether a password can be obtained this way before relying on it.
type Passworder ¶
Passworders are used to supply a master password for Config (see also Config.SetPasswordFrom).
type PasswordsDiffer ¶
type PasswordsDiffer struct{}
func (PasswordsDiffer) Error ¶
func (PasswordsDiffer) Error() string
type Secret ¶
type Secret struct {
	Config *Config
	// contains filtered or unexported fields
}
Example ¶
// A 16-byte master key; Seal moves it into an enclave so it does not stay in plain memory.
key := memguard.NewBufferFromBytes([]byte{
	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
})
cfg := NewConfig(key.Seal())
secret := Secret{Config: &cfg}

// Store the plaintext in the Secret, then destroy the source buffer.
data := must.Ret(memguard.NewBufferFromEntireReader(strings.NewReader("foo bar baz")))
secret.Set(data)
data.Destroy()

// Open decrypts into a fresh LockedBuffer that the caller must destroy.
data = must.Ret(secret.Open())
defer data.Destroy()
fmt.Println(data.String())

Output:
foo bar baz
func (Secret) MarshalBinary ¶
func (sec Secret) MarshalBinary() (data []byte, err error)
func (Secret) MarshalText ¶
func (sec Secret) MarshalText() (text []byte, err error)
func (*Secret) UnmarshalBinary ¶
func (sec *Secret) UnmarshalBinary(data []byte) error
func (*Secret) UnmarshalText ¶
func (sec *Secret) UnmarshalText(text []byte) error
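The life cycle the Secret methods above describe, as an added, self-contained sketch that is not yasec's own code: the secret is encrypted under a key derived from the master password and salt, MarshalText writes only the sealed form into the config file, UnmarshalText reads it back without needing the password, and decryption happens only in Open. The type names demoConfig and demoSecret, the "enc:" text form, the HMAC-SHA256 key derivation and AES-256-GCM are all stand-ins chosen for this example; yasec's actual key derivation, storage format and memguard-backed memory handling are not documented on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

const nonceSize = 12 // standard AES-GCM nonce length; the tag adds 16 bytes

// demoConfig stands in for yasec.Config: it holds the cipher keyed from the
// master password, in ordinary memory, so it is for illustration only.
type demoConfig struct {
	aead cipher.AEAD
}

// SetPassword derives a 32-byte AES key from password and salt. A single HMAC
// is cheap to brute force; real code should use a slow, memory-hard KDF such
// as argon2id or scrypt in its place.
func (cfg *demoConfig) SetPassword(password, salt []byte) error {
	mac := hmac.New(sha256.New, salt)
	mac.Write(password)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return err
	}
	cfg.aead, err = cipher.NewGCM(block)
	return err
}

// demoSecret sits in the config file as "enc:" + base64(nonce||ciphertext||tag)
// and is decrypted only when Open is called.
type demoSecret struct {
	Config *demoConfig
	blob   []byte // nonce followed by ciphertext and GCM tag; empty until Set
}

// Set encrypts plaintext under the master key with a fresh random nonce.
func (sec *demoSecret) Set(plaintext []byte) error {
	if sec.Config == nil || sec.Config.aead == nil {
		return errors.New("master password not set")
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	sec.blob = sec.Config.aead.Seal(nonce, nonce, plaintext, nil)
	return nil
}

// Open decrypts the secret. A wrong master password or a modified blob fails
// the GCM tag check and yields an error rather than garbage plaintext.
func (sec demoSecret) Open() ([]byte, error) {
	if sec.Config == nil || sec.Config.aead == nil {
		return nil, errors.New("master password not set")
	}
	if len(sec.blob) < nonceSize+16 {
		return nil, errors.New("secret is empty or malformed")
	}
	return sec.Config.aead.Open(nil, sec.blob[:nonceSize], sec.blob[nonceSize:], nil)
}

// MarshalText writes the sealed form; the plaintext never touches the file.
func (sec demoSecret) MarshalText() ([]byte, error) {
	return []byte("enc:" + base64.StdEncoding.EncodeToString(sec.blob)), nil
}

// UnmarshalText accepts the sealed form and defers decryption to Open, so a
// config file can be parsed before the master password is available.
func (sec *demoSecret) UnmarshalText(text []byte) error {
	s := string(text)
	if !strings.HasPrefix(s, "enc:") {
		return errors.New("secret is not in enc: form")
	}
	blob, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(s, "enc:"))
	if err != nil {
		return err
	}
	sec.blob = blob
	return nil
}

func main() {
	var cfg demoConfig
	// Constructed example values; the salt would normally be per config file.
	_ = cfg.SetPassword([]byte("correct horse battery staple"), []byte("salt-1"))
	sec := demoSecret{Config: &cfg}
	_ = sec.Set([]byte("foo bar baz"))
	text, _ := sec.MarshalText()
	fmt.Println(string(text)) // the sealed value as it would appear in the config file
}
```

Two properties worth checking in any implementation of this pattern: the sealed text must not decrypt under a different master password (the GCM tag makes a wrong key fail loudly instead of returning garbage), and a value that is not in the sealed form must be rejected rather than silently treated as plaintext. Because the nonce here is random, the number of Set calls under one master key should stay far below 2^32.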
type UnixSocketPassword ¶
type UnixSocketPassword string
UnixSocketPassword is a Passworder that reads the password from a temporary unix domain socket that is closed and deleted after the password has been read. Note that the unix domain socket can be intercepted by other processes, which also leaves it vulnerable for a short period of time.
For example, if you start a program with nohup, you can use this method to provide the password without including it in argv[] or envp[] (C style). Both are considered insecure: argv[] is visible to every local user through ps or /proc, and envp[] is inherited by every child process.
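The temporary-socket exchange described above, as an added example that is not yasec's own implementation: listenPasswordSocket and acceptPassword are hypothetical helpers written for this page. The socket is created inside a directory with mode 0700 and then chmod'ed to 0600, which is the mitigation for the short exposure window the paragraph mentions; the listener is closed and the socket file unlinked as soon as one password has been read, whether or not reading succeeded.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"time"
)

// maxPasswordLen bounds what a misbehaving client can make us buffer,
// counting the terminating newline.
const maxPasswordLen = 4096

// listenPasswordSocket creates the socket at path and tightens its mode to
// 0600. Put path inside a directory you created with mode 0700: ListenUnix
// creates the socket file with umask-dependent permissions and it is already
// connectable before the chmod below runs, so the private directory is what
// closes that window against other local users (root is not stopped by either).
func listenPasswordSocket(path string) (*net.UnixListener, error) {
	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
	if err != nil {
		return nil, err
	}
	l.SetUnlinkOnClose(true) // delete the socket file when the listener closes
	if err := os.Chmod(path, 0o600); err != nil {
		l.Close()
		return nil, err
	}
	return l, nil
}

// acceptPassword waits up to timeout for one client, reads a single line (or
// everything up to EOF), then closes the listener, which unlinks the socket.
// The socket does not outlive this call, whether it succeeds or fails.
func acceptPassword(l *net.UnixListener, timeout time.Duration) ([]byte, error) {
	defer l.Close()
	deadline := time.Now().Add(timeout)
	if err := l.SetDeadline(deadline); err != nil {
		return nil, err
	}
	conn, err := l.AcceptUnix()
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	_ = conn.SetReadDeadline(deadline)
	// Allow one byte over the limit so an over-long password is rejected
	// instead of being silently truncated.
	r := bufio.NewReader(io.LimitReader(conn, maxPasswordLen+1))
	line, err := r.ReadBytes('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, err
	}
	if len(line) > maxPasswordLen {
		return nil, errors.New("password too long")
	}
	pw := bytes.TrimRight(line, "\r\n")
	if len(pw) == 0 {
		return nil, errors.New("empty password")
	}
	return pw, nil
}

func main() {
	dir, err := os.MkdirTemp("", "pw-") // created with mode 0700
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	l, err := listenPasswordSocket(filepath.Join(dir, "password.sock"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("type the password and press Enter in: socat - UNIX-CONNECT:%s\n", l.Addr())
	pw, err := acceptPassword(l, 2*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Printf("received a %d-byte password\n", len(pw))
	for i := range pw { // wipe it as soon as it has been handed off
		pw[i] = 0
	}
}
```

Running the program prints the socket path; from another shell, `socat - UNIX-CONNECT:<path>` (or any client that can connect to a unix socket) lets you type the password interactively, so it never appears in argv[] or envp[] of either process. Note that the password still arrives in ordinary memory here; the real package reads it into a memguard enclave instead.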