cryptval
helps to encrypt and decrypt database values in Go by implementing the database/sql/.Scanner
and
database/sql/driver.Valuer
interfaces.
It's goal is to encrypt only a single or a few database fields, such as OAuth tokens for a user, or other sensitive information. I.e. it's not suitable to store all contents encrypted.
The ciphertext is stored in the database and is base64 encoded, therefore the column's data type must be able to store
this, such as TEXT
.
The cryptography is copied from https://github.com/gtank/cryptopasta and has the issue outlined: gtank/cryptopasta#14
go get -u github.com/bradleyfalzon/cryptval
key := []byte{0x4f, 0x25, 0xcc, 0xf0, 0xcb, 0x5d, 0xc6, 0x7a, 0x26, 0x1f, 0x13, 0xc4, 0x72, 0x9d, 0x54, 0xc9, 0x9a, 0x9e, 0xfd, 0xf1, 0x6a, 0xe9, 0x45, 0x7f, 0x2e, 0x33, 0xfe, 0xca, 0x80, 0x71, 0x6d, 0x79}
plaintext := []byte("some-secret")
secret := cryptval.New(cryptval.NewGCM256(key)).EncryptBytes(plaintext)
_, err = db.Exec("INSERT INTO cv (secret) VALUES (?)", secret)
if err != nil {
log.Fatalln("unexpected error:", err)
}
key := []byte{0x4f, 0x25, 0xcc, 0xf0, 0xcb, 0x5d, 0xc6, 0x7a, 0x26, 0x1f, 0x13, 0xc4, 0x72, 0x9d, 0x54, 0xc9, 0x9a, 0x9e, 0xfd, 0xf1, 0x6a, 0xe9, 0x45, 0x7f, 0x2e, 0x33, 0xfe, 0xca, 0x80, 0x71, 0x6d, 0x79}
secret := cryptval.New(cryptval.NewGCM256(key))
err := db.QueryRow("SELECT name FROM cv").Scan(name)
if err != nil {
log.Fatalln("unexpected error:", err)
}
log.Println("secret (plaintext):", secret)