Documentation
Overview
Package crypto provides AES-256-GCM encryption and decryption for the scratchpad.
The key is a 256-bit random value stored as a raw file. The nonce is 12 bytes of random data prepended to the ciphertext. Each write re-encrypts the entire file.
Index
- func Decrypt(key, ciphertext []byte) ([]byte, error)
- func Encrypt(key, plaintext []byte) ([]byte, error)
- func ExpandHome(path string) string
- func GenerateKey() ([]byte, error)
- func GlobalKeyPath() string
- func LoadKey(path string) ([]byte, error)
- func ResolveKeyPath(contextDir, overridePath string) string
- func SaveKey(path string, key []byte) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func Decrypt
Decrypt decrypts AES-256-GCM ciphertext produced by Encrypt.
Parameters:
- key: 32-byte AES-256 key (must match the key used for encryption)
- ciphertext: Nonce-prefixed ciphertext as produced by Encrypt
Returns:
- []byte: Decrypted plaintext
- error: Non-nil if key is wrong, ciphertext is too short, or authentication fails
func Encrypt
Encrypt encrypts plaintext with AES-256-GCM.
The returned ciphertext is formatted as:
[12-byte nonce][ciphertext + 16-byte GCM tag]
Parameters:
- key: 32-byte AES-256 key
- plaintext: Data to encrypt
Returns:
- []byte: Nonce-prefixed ciphertext
- error: Non-nil if the key is the wrong size or encryption fails
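The nonce-prefixed layout and the Decrypt failure cases described above can be reproduced with the Go standard library. This is an added example, not this package's source; the names newGCM, sealBlob and openBlob are hypothetical, and the all-zero key is constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM, sealBlob and openBlob are hypothetical names, not the package's API.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // aes.NewCipher also accepts 16 and 24; require AES-256
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealBlob(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh for every write
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func openBlob(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() { // 12 + 16 bytes minimum
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil) // error on wrong key or any modified byte
}

func main() {
	fmt.Println(sealBlob(make([]byte, 32), []byte("note"))) // constructed all-zero demo key
}
```

Because GCM authenticates the whole blob, a single flipped bit in the nonce, ciphertext or tag makes decryption fail rather than return altered plaintext.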
func ExpandHome (added in v0.8.0)
ExpandHome expands a leading ~/ prefix to the user's home directory.
If the path does not start with "~/", it is returned unchanged. If the home directory cannot be determined, the path is returned unchanged.
Parameters:
- path: File path that may contain a leading ~/
Returns:
- string: Path with ~/ expanded to the home directory
func GenerateKey
GenerateKey returns a new 256-bit random key.
Returns:
- []byte: A 32-byte random key
- error: Non-nil if the system random source fails
func GlobalKeyPath (added in v0.8.0)
func GlobalKeyPath() string
GlobalKeyPath returns the global encryption key path.
Returns ~/.ctx/.ctx.key using os.UserHomeDir. Returns an empty string if the home directory cannot be determined.
func LoadKey
LoadKey reads a 32-byte key from a file.
Parameters:
- path: Path to the key file
Returns:
- []byte: The 32-byte key
- error: Non-nil if the file cannot be read or is not exactly 32 bytes
func ResolveKeyPath (added in v0.8.0)
ResolveKeyPath determines the effective key file path.
Resolution order:
1. overridePath if non-empty (explicit .ctxrc key_path, with tilde expansion)
2. Project-local path if it exists (<contextDir>/.ctx.key)
3. Global default (~/.ctx/.ctx.key)
4. Project-local path as fallback (when home dir unavailable)
Parameters:
- contextDir: The .context/ directory path
- overridePath: Explicit key path from .ctxrc (may be empty)
Returns:
- string: The resolved key file path
Types
This section is empty.