package crypto import ( "crypto/aes" "crypto/cipher" "crypto/rand" "crypto/sha256" "encoding/hex" "errors" "fmt" "io" "os" "strings" ) // ErrNoKey is returned when ENCRYPTION_KEY is not set. var ErrNoKey = errors.New("ENCRYPTION_KEY environment variable is not set") // ErrDecryptFailed wraps any cipher.Open / decoder failure. Callers // upgrading from the silent-fallback pattern (treat-as-plaintext when // decrypt errored) MUST instead surface this — a rotated key would // otherwise silently leak ciphertext to upstream services as if it // were plaintext. var ErrDecryptFailed = errors.New("crypto: decrypt failed (wrong key, corrupted ciphertext, or unversioned legacy value)") // envelopeV1Prefix tags ciphertext produced by Encrypt going forward. // Older databases may carry unprefixed hex blobs from the v0 era; those // are still readable via Decrypt for backward compatibility, but every // new write goes through EncryptV1 and emits the prefix so a future key // rotation has a clean fail-loud signal. const envelopeV1Prefix = "tf1:" // DeriveKey computes a 32-byte AES-256 key from the given passphrase using SHA-256. // This is acceptable when ENCRYPTION_KEY is a high-entropy random string (e.g., 32+ hex chars). // For human-chosen passphrases, consider Argon2id or PBKDF2 with a salt instead. func DeriveKey(passphrase string) [32]byte { return sha256.Sum256([]byte(passphrase)) } // KeyFromEnv reads ENCRYPTION_KEY from the environment and derives a 32-byte key. func KeyFromEnv() ([32]byte, error) { raw := os.Getenv("ENCRYPTION_KEY") if raw == "" { return [32]byte{}, ErrNoKey } if len(raw) < 32 { return [32]byte{}, fmt.Errorf("ENCRYPTION_KEY must be at least 32 characters long (got %d)", len(raw)) } return DeriveKey(raw), nil } // Encrypt encrypts plaintext using AES-256-GCM with a random nonce. // Returns a versioned envelope (tf1:) so downstream readers can // distinguish ciphertext from accidentally-stored plaintext. func Encrypt(key [32]byte, plaintext string) (string, error) { block, err := aes.NewCipher(key[:]) if err != nil { return "", fmt.Errorf("create cipher: %w", err) } gcm, err := cipher.NewGCM(block) if err != nil { return "", fmt.Errorf("create gcm: %w", err) } nonce := make([]byte, gcm.NonceSize()) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return "", fmt.Errorf("generate nonce: %w", err) } sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil) return envelopeV1Prefix + hex.EncodeToString(sealed), nil } // HasEnvelope reports whether the value is a v1-prefixed ciphertext. // Useful for router-level "decrypt only if encrypted" decision points // that previously relied on `err == nil` from a try-decrypt — that // pattern silently masked rotated-key failures. func HasEnvelope(value string) bool { return strings.HasPrefix(value, envelopeV1Prefix) } // Decrypt decrypts an envelope (tf1:). For backward compatibility // it also accepts unprefixed hex from the v0 era — but only when the // resulting plaintext is valid; a wrong key for legacy data now returns // ErrDecryptFailed instead of silently treating ciphertext as // plaintext. // // Callers MUST NOT swallow the error and fall back to "use as-is". // That pattern is the exact footgun the envelope versioning removes. func Decrypt(key [32]byte, ciphertext string) (string, error) { hexBlob := ciphertext if strings.HasPrefix(hexBlob, envelopeV1Prefix) { hexBlob = hexBlob[len(envelopeV1Prefix):] } data, err := hex.DecodeString(hexBlob) if err != nil { return "", fmt.Errorf("%w: decode hex: %v", ErrDecryptFailed, err) } block, err := aes.NewCipher(key[:]) if err != nil { return "", fmt.Errorf("create cipher: %w", err) } gcm, err := cipher.NewGCM(block) if err != nil { return "", fmt.Errorf("create gcm: %w", err) } nonceSize := gcm.NonceSize() if len(data) < nonceSize { return "", fmt.Errorf("%w: ciphertext too short", ErrDecryptFailed) } nonce := data[:nonceSize] body := data[nonceSize:] plaintext, err := gcm.Open(nil, nonce, body, nil) if err != nil { return "", fmt.Errorf("%w: %v", ErrDecryptFailed, err) } return string(plaintext), nil } // EncryptIfNotEmpty encrypts the value only if it is non-empty. // Returns empty string for empty input. func EncryptIfNotEmpty(key [32]byte, value string) (string, error) { if value == "" { return "", nil } return Encrypt(key, value) }