gocloud.dev: gocloud.dev/secrets/localsecrets Index | Examples | Files

package localsecrets

import "gocloud.dev/secrets/localsecrets"

Package localsecrets provides a secrets implementation using a locally locally provided symmetric key. Use NewKeeper to construct a *secrets.Keeper.


For secrets.OpenKeeper, localsecrets registers for the scheme "base64key". To customize the URL opener, or for more details on the URL format, see URLOpener. See https://gocloud.dev/concepts/urls/ for background information.


localsecrets does not support any types for As.


ctx := context.Background()

// secrets.OpenKeeper creates a *secrets.Keeper from a URL.
// Using "base64key://", a new random key will be generated.
keeper, err := secrets.OpenKeeper(ctx, "base64key://")
if err != nil {
defer keeper.Close()

// The URL hostname must be a base64-encoded key, of length 32 bytes when decoded.
keeper, err = secrets.OpenKeeper(ctx, "base64key://smGbjm71Nxd1Ig5FS0wj9SlbzAIrnolCz9bQQ6uAhl4=")
if err != nil {
defer keeper.Close()



Package Files



const (
    Scheme = "base64key"

Scheme is the URL scheme localsecrets registers its URLOpener under on secrets.DefaultMux. See the package documentation and/or URLOpener for details.

func Base64Key Uses

func Base64Key(base64str string) ([32]byte, error)

Base64Key takes a secret key as a base64 string and converts it to a [32]byte, erroring if the decoded data is not 32 bytes.

func NewKeeper Uses

func NewKeeper(sk [32]byte) *secrets.Keeper

NewKeeper returns a *secrets.Keeper that uses the given symmetric key. See the package documentation for an example.


// localsecrets.Keeper utilizes the golang.org/x/crypto/nacl/secretbox package
// for the crypto implementation, and secretbox requires a secret key
// that is a [32]byte. localsecrets
secretKey, err := localsecrets.NewRandomKey()
if err != nil {
keeper := localsecrets.NewKeeper(secretKey)
defer keeper.Close()

// Now we can use keeper to encrypt or decrypt.
plaintext := []byte("Hello, Secrets!")
ctx := context.Background()
ciphertext, err := keeper.Encrypt(ctx, plaintext)
if err != nil {
decrypted, err := keeper.Decrypt(ctx, ciphertext)
if err != nil {


Hello, Secrets!

func NewRandomKey Uses

func NewRandomKey() ([32]byte, error)

NewRandomKey will generate random secret key material suitable to be used as the secret key argument to NewKeeper.

type URLOpener Uses

type URLOpener struct{}

URLOpener opens localsecrets URLs like "base64key://smGbjm71Nxd1Ig5FS0wj9SlbzAIrnolCz9bQQ6uAhl4=".

The URL host must be base64 encoded, and must decode to exactly 32 bytes. If the URL host is empty (e.g., "base64key://"), a new random key is generated.

No query parameters are supported.

func (*URLOpener) OpenKeeperURL Uses

func (o *URLOpener) OpenKeeperURL(ctx context.Context, u *url.URL) (*secrets.Keeper, error)

OpenKeeperURL opens Keeper URLs.

Package localsecrets imports 10 packages (graph) and is imported by 1 packages. Updated 2019-05-16. Refresh now. Tools for package owners.