Documentation ¶
Index ¶
- Constants
- Variables
- func Armor62Open(msg string) (body []byte, header string, footer string, err error)
- func Armor62Seal(plaintext []byte, header string, footer string) (string, error)
- func ArmorOpen(msg string, params ArmorParams) (body []byte, header string, footer string, err error)
- func ArmorSeal(plaintext []byte, header string, footer string, params ArmorParams) (string, error)
- func CheckArmor62Frame(frame Frame) error
- func EncryptArmor62Seal(plaintext []byte, sender BoxSecretKey, receivers []BoxPublicKey) (string, error)
- func KIDEqual(k1, k2 KIDExtractor) bool
- func NewArmor62EncoderStream(encoded io.Writer, header string, footer string) (io.WriteCloser, error)
- func NewArmorEncoderStream(encoded io.Writer, header string, footer string, params ArmorParams) (io.WriteCloser, error)
- func NewDearmor62DecryptStream(ciphertext io.Reader, kr Keyring) (*MessageKeyInfo, io.Reader, Frame, error)
- func NewEncryptArmor62Stream(ciphertext io.Writer, sender BoxSecretKey, receivers []BoxPublicKey) (plaintext io.WriteCloser, err error)
- func NewEncryptStream(ciphertext io.Writer, sender BoxSecretKey, receivers []BoxPublicKey) (plaintext io.WriteCloser, err error)
- func NewSignStream(signedtext io.Writer, signer SigningSecretKey) (stream io.WriteCloser, err error)
- func PublicKeyEqual(pk1, pk2 BoxPublicKey) bool
- func Seal(plaintext []byte, sender BoxSecretKey, receivers []BoxPublicKey) (out []byte, err error)
- func SecretKeyEqual(sk1, sk2 BoxSecretKey) bool
- func Sign(plaintext []byte, signer SigningSecretKey) ([]byte, error)
- func SignDetached(plaintext []byte, signer SigningSecretKey) ([]byte, error)
- type ArmorParams
- type BoxPrecomputedSharedKey
- type BoxPublicKey
- type BoxSecretKey
- type EncryptionBlock
- type EncryptionHeader
- type ErrBadArmorFooter
- type ErrBadArmorHeader
- type ErrBadCiphertext
- type ErrBadTag
- type ErrBadVersion
- type ErrInvalidParameter
- type ErrRepeatedKey
- type ErrWrongMessageType
- type Frame
- type KIDExtractor
- type Keyring
- type MessageKeyInfo
- type MessageType
- type Nonce
- type NonceType
- type PacketSeqno
- type PunctuatedReader
- type RawBoxKey
- type SigKeyring
- type SigNonce
- type SignatureBlock
- type SignatureHeader
- type SigningPublicKey
- func NewVerifyStream(r io.Reader, keyring SigKeyring) (skey SigningPublicKey, vs io.Reader, err error)
- func Verify(signedMsg []byte, keyring SigKeyring) (skey SigningPublicKey, verifiedMsg []byte, err error)
- func VerifyDetached(message, signature []byte, keyring SigKeyring) (skey SigningPublicKey, err error)
- type SigningSecretKey
- type SymmetricKey
- type Version
Constants ¶
EncryptionArmorFooter is the footer that marks the end of an encrypted armored KB message.
const EncryptionArmorHeader = "BEGIN KEYBASE ENCRYPTED MESSAGE"
EncryptionArmorHeader is the header that marks the start of an encrypted armored KB message.
const EncryptionBlockSize int = 1048576
EncryptionBlockSize is by default 1MB and can't currently be tweaked.
const NoncePrefixEncryption = "encryption nonce prefix"
NoncePrefixEncryption is the prefix used to create the nonce when using the nonce for encryption.
const SaltPackFormatName = "SaltPack"
SaltPackFormatName is the publicly advertised name of the format, used in the header of the message and also in Nonce creation.
const SignatureAttachedString = "attached signature"
SignatureAttachedString is part of the data that is signed in each payload packet.
const SignatureBlockSize int = 1048576
SignatureBlockSize is by default 1MB and can't currently be tweaked.
const SignatureDetachedString = "detached signature"
SignatureDetachedString is part of the data that is signed in a detached signature.
Variables ¶
var ( // ErrNoDecryptionKey is an error indicating no decryption key was found for the // incoming message. You'll get one of these if you respond to a Keyring.LookupSecretBoxKey // request with a (-1,nil) return value, and no hidden keys are found. ErrNoDecryptionKey = errors.New("no decryption key found for message") // ErrNoSenderKey indicates that on decryption/verification we couldn't find a public key // for the sender. ErrNoSenderKey = errors.New("no sender key found for message") // ErrTrailingGarbage indicates that additional msgpack packets were found after the // end of the encryption stream. ErrTrailingGarbage = errors.New("trailing garbage found at end of message") // ErrPacketOverflow indicates that more than (2^64-2) packets were found in an encryption // stream. This would indicate a very big message, and results in an error here. ErrPacketOverflow = errors.New("no more than 2^32 packets in a message are supported") // ErrInsufficientRandomness is generated when the encryption fails to collect // enough randomness to proceed. We're using the standard crypto/rand source // of randomness, so this should never happen ErrInsufficientRandomness = errors.New("could not collect enough randomness") // ErrBadArmorFrame shows up when the ASCII armor frame has non-ASCII ErrBadArmorFrame = errors.New("bad frame found; had non-ASCII") // ErrBadEphemeralKey is for when an ephemeral key fails to be properly // imported. ErrBadEphemeralKey = errors.New("bad ephermal key in header") // ErrBadReceivers shows up when you pass a bad receivers vector ErrBadReceivers = errors.New("bad receivers argument") // ErrBadSenderKey is returned if a key with the wrong number of bytes // is discovered in the encryption header. ErrBadSenderKey = errors.New("bad sender key; must be 32 bytes") // ErrBadLookup is when the user-provided key lookup gives a bad value ErrBadLookup = errors.New("bad key lookup") // ErrBadSignature is returned when verification of a block fails. ErrBadSignature = errors.New("invalid signature") // ErrNoDetachedSignature is returned when there is no signature in the header. ErrNoDetachedSignature = errors.New("no detached signature") // ErrDetachedSignaturePresent is returned when there is a signature in the header and // there shouldn't be. ErrDetachedSignaturePresent = errors.New("detached signature present") )
var Armor62Params = ArmorParams{ BytesPerWord: 15, WordsPerLine: 200, Punctuation: byte('.'), Encoding: basex.Base62StdEncoding, }
Armor62Params are the armoring parameters we recommend for use with a generic armorer. It specifies the spaces between words, the spacing between lines, some simple punctuation, and an encoding alphabet.
var ErrOverflow = errors.New("buffer was overflowed before we found punctuation")
ErrOverflow is returned if we were looking for punctuation but our quota was overflowed before we found the needed character.
var ErrPunctuated = errors.New("found punctuation in stream")
ErrPunctuated is produced when a punctuation character is found in the stream. It can be returned along with data, unlike usual errors.
var SaltPackCurrentVersion = Version{Major: 1, Minor: 0}
SaltPackCurrentVersion is currently the only supported packet version, 1.0.
Functions ¶
func Armor62Open ¶
Armor62Open runs armor stream decoding, but on a string, and it outputs a string.
func Armor62Seal ¶
Armor62Seal takes an input plaintext and returns and output armor encoding as a string, or an error if a problem was encountered. Also provide a header and a footer to frame the message. Uses Base62 encoding scheme
func ArmorOpen ¶
func ArmorOpen(msg string, params ArmorParams) (body []byte, header string, footer string, err error)
ArmorOpen runs armor stream decoding, but on a string, and it outputs a string.
func ArmorSeal ¶
ArmorSeal takes an input plaintext and returns and output armor encoding as a string, or an error if a problem was encountered. Also provide a header and a footer to frame the message.
func CheckArmor62Frame ¶
CheckArmor62Frame checks that the frame matches our standard keybase begin/end frame
func EncryptArmor62Seal ¶
func EncryptArmor62Seal(plaintext []byte, sender BoxSecretKey, receivers []BoxPublicKey) (string, error)
EncryptArmor62Seal is the non-streaming version of NewEncryptArmor62Stream, which inputs a plaintext (in bytes) and output a ciphertext (as a string).
func KIDEqual ¶
func KIDEqual(k1, k2 KIDExtractor) bool
KIDEqual return true if the KIDs for two keys are equal.
func NewArmor62EncoderStream ¶
func NewArmor62EncoderStream(encoded io.Writer, header string, footer string) (io.WriteCloser, error)
NewArmor62EncoderStream makes a new Armor 62 encoding stream, using the base62-alphabet and a 32/43 encoding rate strategy. Pass it an `encoded` stream writer to write the encoded stream to. Also pass a header, and a footer string. It will return an io.WriteCloser on success, that you can write raw (unencoded) data to. An error will be returned if there is trouble writing the header to encoded.
To make the output look pretty, a space is inserted every 15 characters of output, and a newline is inserted every 200 words.
func NewArmorEncoderStream ¶
func NewArmorEncoderStream(encoded io.Writer, header string, footer string, params ArmorParams) (io.WriteCloser, error)
NewArmorEncoderStream makes a new Armor encoding stream, using the given encoding Pass it an `encoded` stream writer to write the encoded stream to. Also pass a header, and a footer string. It will return an io.WriteCloser on success, that you can write raw (unencoded) data to. An error will be returned if there is trouble writing the header to encoded.
To make the output look pretty, a space is inserted every 15 characters of output, and a newline is inserted every 200 words.
func NewDearmor62DecryptStream ¶
func NewDearmor62DecryptStream(ciphertext io.Reader, kr Keyring) (*MessageKeyInfo, io.Reader, Frame, error)
NewDearmor62DecryptStream makes a new stream that dearmors and decrypts the given Reader stream. Pass it a keyring so that it can lookup private and public keys as necessary
func NewEncryptArmor62Stream ¶
func NewEncryptArmor62Stream(ciphertext io.Writer, sender BoxSecretKey, receivers []BoxPublicKey) (plaintext io.WriteCloser, err error)
NewEncryptArmor62Stream creates a stream that consumes plaintext data. It will write out encrypted data to the io.Writer passed in as ciphertext. The encryption is from the specified sender, and is encrypted for the given receivers.
The ciphertext is additionally armored with the recommended armor62-style format.
Returns an io.WriteCloser that accepts plaintext data to be encrypted; and also returns an error if initialization failed.
func NewEncryptStream ¶
func NewEncryptStream(ciphertext io.Writer, sender BoxSecretKey, receivers []BoxPublicKey) (plaintext io.WriteCloser, err error)
NewEncryptStream creates a stream that consumes plaintext data. It will write out encrypted data to the io.Writer passed in as ciphertext. The encryption is from the specified sender, and is encrypted for the given receivers.
Returns an io.WriteClose that accepts plaintext data to be encrypted; and also returns an error if initialization failed.
func NewSignStream ¶
func NewSignStream(signedtext io.Writer, signer SigningSecretKey) (stream io.WriteCloser, err error)
NewSignStream creates a stream that consumes plaintext data. It will write out signed data to the io.Writer passed in as signedtext. NewSignStream only generates attached signatures.
func PublicKeyEqual ¶
func PublicKeyEqual(pk1, pk2 BoxPublicKey) bool
PublicKeyEqual returns true if the two public keys are equal.
func Seal ¶
func Seal(plaintext []byte, sender BoxSecretKey, receivers []BoxPublicKey) (out []byte, err error)
Seal a plaintext from the given sender, for the specified receiver groups. Returns a ciphertext, or an error if something bad happened.
func SecretKeyEqual ¶
func SecretKeyEqual(sk1, sk2 BoxSecretKey) bool
SecretKeyEqual returns true if the two secret keys are equal.
func Sign ¶
func Sign(plaintext []byte, signer SigningSecretKey) ([]byte, error)
Sign creates an attached signature message of plaintext from signer.
func SignDetached ¶
func SignDetached(plaintext []byte, signer SigningSecretKey) ([]byte, error)
SignDetached returns a detached signature of plaintext from signer.
Types ¶
type ArmorParams ¶
type ArmorParams struct { // BytesPerWord is the number of characters in each "word" of output. // We'll put spaces between words. BytesPerWord int // WordsPerLine is the number of words for each line of output. We'll // put newlines between two subsequent lines of output. WordsPerLine int // Punctuation is the byte inserted after the three "sentences" of // our encoding -- the header, the body and the footer. Punctuation byte // Encoding is the basex encoding to use, including strictness parameters Encoding *basex.Encoding }
ArmorParams specify armor formatting, encoding and punctuation.
type BoxPrecomputedSharedKey ¶
type BoxPrecomputedSharedKey interface {}
BoxPrecomputedSharedKey results from a Precomputation below.
type BoxPublicKey ¶
type BoxPublicKey interface { KIDExtractor // ToRawBoxKeyPointer returns this public key as a *[32]byte, // for use with nacl.box.Seal ToRawBoxKeyPointer() *RawBoxKey // CreateEmphemeralKey creates an ephemeral key of the same type, // but totally random. CreateEphemeralKey() (BoxSecretKey, error) // HideIdentity returns true if we should hide the identity of this // key in our output message format. HideIdentity() bool }
BoxPublicKey is an generic interface to NaCl's public key Box function.
type BoxSecretKey ¶
type BoxSecretKey interface { // Box boxes up data, sent from this secret key, and to the receiver // specified. Box(receiver BoxPublicKey, nonce *Nonce, msg []byte) ([]byte, error) // Unobx opens up the box, using this secret key as the receiver key // abd the give public key as the sender key. Unbox(sender BoxPublicKey, nonce *Nonce, msg []byte) ([]byte, error) // GetPublicKey gets the public key associated with this secret key. GetPublicKey() BoxPublicKey // Precompute computes a DH with the given key Precompute(sender BoxPublicKey) BoxPrecomputedSharedKey }
BoxSecretKey is the secret key corresponding to a BoxPublicKey
type EncryptionBlock ¶
type EncryptionBlock struct { TagCiphertexts [][]byte `codec:"tags"` PayloadCiphertext []byte `codec:"ctext"` // contains filtered or unexported fields }
EncryptionBlock contains a block of encrypted data. It contains the ciphertext, and any necessary authentication Tags.
type EncryptionHeader ¶
type EncryptionHeader struct { FormatName string `codec:"format_name"` Version Version `codec:"vers"` Type MessageType `codec:"type"` Sender []byte `codec:"sender"` Receivers []receiverKeysCiphertexts `codec:"rcvrs"` // contains filtered or unexported fields }
EncryptionHeader is the first packet in an encrypted message. It contains the encryptions of the session keys, and various message metadata.
type ErrBadArmorFooter ¶
type ErrBadArmorFooter struct {
// contains filtered or unexported fields
}
ErrBadArmorFooter shows up when we get the wrong value for our header
func (ErrBadArmorFooter) Error ¶
func (e ErrBadArmorFooter) Error() string
type ErrBadArmorHeader ¶
type ErrBadArmorHeader struct {
// contains filtered or unexported fields
}
ErrBadArmorHeader shows up when we get the wrong value for our header
func (ErrBadArmorHeader) Error ¶
func (e ErrBadArmorHeader) Error() string
type ErrBadCiphertext ¶
type ErrBadCiphertext PacketSeqno
ErrBadCiphertext is generated when decryption fails due to improper authentication. It specifies which Packet sequence number the bad packet was in.
func (ErrBadCiphertext) Error ¶
func (e ErrBadCiphertext) Error() string
type ErrBadTag ¶
type ErrBadTag PacketSeqno
ErrBadTag is generated when a Tag fails to Unbox properly. It specifies which Packet sequence number the bad packet was in.
type ErrBadVersion ¶
type ErrBadVersion struct {
// contains filtered or unexported fields
}
ErrBadVersion is returned if a packet of an unsupported version is found. Current, only Version1 is supported.
func (ErrBadVersion) Error ¶
func (e ErrBadVersion) Error() string
type ErrInvalidParameter ¶
type ErrInvalidParameter struct {
// contains filtered or unexported fields
}
ErrInvalidParameter signifies that a function was called with an invalid parameter.
func (ErrInvalidParameter) Error ¶
func (e ErrInvalidParameter) Error() string
type ErrRepeatedKey ¶
type ErrRepeatedKey []byte
ErrRepeatedKey is produced during encryption if a key is repeated; keys must be unique.
func (ErrRepeatedKey) Error ¶
func (e ErrRepeatedKey) Error() string
type ErrWrongMessageType ¶
type ErrWrongMessageType struct {
// contains filtered or unexported fields
}
ErrWrongMessageType is produced if one packet tag was expected, but a packet of another tag was found.
func (ErrWrongMessageType) Error ¶
func (e ErrWrongMessageType) Error() string
type Frame ¶
type Frame interface { // GetHeader() returns the frame associated with this stream, or an error GetHeader() (string, error) GetFooter() (string, error) }
Frame is a way to read the frame out of a Decoder stream.
func NewArmor62DecoderStream ¶
NewArmor62DecoderStream is used to decode input base62-armoring format. It returns a stream you can read from, and also a Frame you can query to see what the open/close frame markers were.
func NewArmorDecoderStream ¶
NewArmorDecoderStream is used to decode armored encoding. It returns a stream you can read from, and also a Frame you can query to see what the open/close frame markers were.
type KIDExtractor ¶
type KIDExtractor interface { // ToKID outputs the "key ID" that corresponds to this key. // You can do whatever you'd like here, but probably it makes sense just // to output the public key as is. ToKID() []byte }
KIDExtractor key types can output a key ID corresponding to the key.
type Keyring ¶
type Keyring interface { // LookupBoxSecretKey looks in the Keyring for the secret key corresponding // to one of the given Key IDs. Returns the index and the key on success, // or -1 and nil on failure. LookupBoxSecretKey(kids [][]byte) (int, BoxSecretKey) // LookupBoxPublicKey returns a public key given the specified key ID. // For most cases, the key ID will be the key itself. LookupBoxPublicKey(kid []byte) BoxPublicKey // GetAllSecretKeys returns all keys, needed if we want to support // "hidden" receivers via trial and error GetAllSecretKeys() []BoxSecretKey // ImportEphemeralKey imports the ephemeral key into // BoxPublicKey format. This key has never been seen before, so // will be ephemeral. ImportEphemeralKey(kid []byte) BoxPublicKey }
Keyring is an interface used with decryption; it is called to recover public or private keys during the decryption process. Calls can block on network action.
type MessageKeyInfo ¶
type MessageKeyInfo struct { // These fields are cryptographically verified SenderKey BoxPublicKey SenderIsAnon bool ReceiverKey BoxSecretKey ReceiverIsAnon bool // These fields are not cryptographically verified, and are just repeated from what // we saw in the incoming message. NamedReceivers [][]byte NumAnonReceivers int }
MessageKeyInfo conveys all of the data about the keys used in this encrypted message.
func Dearmor62DecryptOpen ¶
func Dearmor62DecryptOpen(ciphertext string, kr Keyring) (*MessageKeyInfo, []byte, error)
Dearmor62DecryptOpen takes an armor62'ed, encrypted ciphertext and attempts to dearmor and decrypt it, using the provided keyring. Checks that the frames in the armor are as expected.
func NewDecryptStream ¶
func NewDecryptStream(r io.Reader, keyring Keyring) (mki *MessageKeyInfo, plaintext io.Reader, err error)
NewDecryptStream starts a streaming decryption. It synchronously ingests and parses the given Reader's encryption header. It consults the passed keyring for the decryption keys needed to decrypt the message. On failure, it returns a null Reader and an error message. On success, it returns a Reader with the plaintext stream, and a nil error. In either case, it will return a `MessageKeyInfo` which tells about who the sender was, and which of the Receiver's keys was used to decrypt the message.
Note that the caller has an opportunity not to ingest the plaintext if he doesn't trust the sender revealed in the MessageKeyInfo.
type MessageType ¶
type MessageType int
MessageType is an int used to describe what "type" of message it is.
const MessageTypeAttachedSignature MessageType = 1
MessageTypeAttachedSignature is a packet type to describe an attached signature.
const MessageTypeDetachedSignature MessageType = 2
MessageTypeDetachedSignature is a packet type to describe a detached signature.
const MessageTypeEncryption MessageType = 0
MessageTypeEncryption is a packet type to describe an encryption message.
type Nonce ¶
type Nonce [24]byte
Nonce is a NaCl-style nonce, with 24 bytes of data, some of which can be counter values, and some of which can be random-ish values.
func NewNonceForEncryption ¶
func NewNonceForEncryption(ephemeralPublicKey BoxPublicKey) *Nonce
NewNonceForEncryption creates a new nonce for the purposes of an encrypted message. It is a deterministic function of the ephemeral public key used for this encrypted message.
**DO NOT** pass a long-live public key here, as you might lose the guarantee that each (nonce,key) pair must be unique over the lifetime of the universe.
func (*Nonce) ForPayloadBox ¶
ForPayloadBox formats this nonce for the ith block of payload.
type NonceType ¶
type NonceType int
NonceType is different for the different type of usages of the nonce.
type PacketSeqno ¶
type PacketSeqno uint64
PacketSeqno is a special int type used to describe which packet in the sequence we're dealing with. The header is always at seqno=0. Other packets follow. Note that there is a distinction between PacketSeqno and EncryptionBlockNumber. In general, the former is one more than the latter.
type PunctuatedReader ¶
type PunctuatedReader struct {
// contains filtered or unexported fields
}
PunctuatedReader is a stream reader that reads until it hits a usual error OR until it hits a punctuation character. In that latter case it returns an `ErrPunctuation` "error" so that way callers can tell the difference between a normal EOF and a "punctuated" EOF.
func NewPunctuatedReader ¶
func NewPunctuatedReader(r io.Reader, p byte) *PunctuatedReader
NewPunctuatedReader returns a new PunctuatedReader given an underlying read stream and a punctuation byte.
func (*PunctuatedReader) Read ¶
func (p *PunctuatedReader) Read(out []byte) (n int, err error)
Read from the PunctuatedReader, potentially returning an `ErrPunctuation` if a punctuation character was found.
func (*PunctuatedReader) ReadUntilPunctuation ¶
func (p *PunctuatedReader) ReadUntilPunctuation(lim int) (res []byte, err error)
ReadUntilPunctuation reads from the stream until it find a desired punctuation byte. If it wasn't found before EOF, it will return io.ErrUnexpectedEOF. If it wasn't found before lim bytes are consumed, then it will return ErrOverflow.
type RawBoxKey ¶
type RawBoxKey [32]byte
RawBoxKey is the raw byte-representation of what a box key should look like --- a static 32-byte buffer
type SigKeyring ¶
type SigKeyring interface { // LookupSigningPublicKey returns a public signing key for the specified key ID. LookupSigningPublicKey(kid []byte) SigningPublicKey }
SigKeyring is an interface used during verification to find the public key for the signer of a message.
type SigNonce ¶
type SigNonce [16]byte
SigNonce is a nonce for signatures.
func NewSigNonce ¶
NewSigNonce creates a SigNonce with random bytes.
type SignatureBlock ¶
type SignatureBlock struct { Signature []byte `codec:"signature"` PayloadChunk []byte `codec:"payload_chunk"` // contains filtered or unexported fields }
SignatureBlock contains a block of signed data.
type SignatureHeader ¶
type SignatureHeader struct { FormatName string `codec:"format_name"` Version Version `codec:"vers"` Type MessageType `codec:"type"` SenderPublic []byte `codec:"sender_public"` Nonce []byte `codec:"nonce"` Signature []byte `codec:"signature,omitempty"` // contains filtered or unexported fields }
SignatureHeader is the first packet in a signed message.
type SigningPublicKey ¶
type SigningPublicKey interface { KIDExtractor // Verify verifies that signature is a valid signature of message for // this public key. Verify(message []byte, signature []byte) error }
SigningPublicKey is a public NaCl key that can verify signatures.
func NewVerifyStream ¶
func NewVerifyStream(r io.Reader, keyring SigKeyring) (skey SigningPublicKey, vs io.Reader, err error)
NewVerifyStream creates a stream that consumes data from reader r. It returns the signer's public key and a reader that only contains verified data. If the signer's key is not in keyring, it will return an error.
func Verify ¶
func Verify(signedMsg []byte, keyring SigKeyring) (skey SigningPublicKey, verifiedMsg []byte, err error)
Verify checks the signature in signedMsg. It returns the signer's public key and a verified message.
func VerifyDetached ¶
func VerifyDetached(message, signature []byte, keyring SigKeyring) (skey SigningPublicKey, err error)
VerifyDetached verifies that signature is a valid signature for message, and that the public key for the signer is in keyring. It returns the signer's public key.
type SigningSecretKey ¶
type SigningSecretKey interface { // Sign signs message with this secret key. Sign(message []byte) ([]byte, error) // PublicKey gets the public key associated with this secret key. PublicKey() SigningPublicKey }
SigningSecretKey is a secret NaCl key that can sign messages.
type SymmetricKey ¶
type SymmetricKey [32]byte
SymmetricKey is a template for a symmetric key, a 32-byte static buffer. Used for both NaCl SecretBox.