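// UnmarshalSecretStore decrypts and parses the secret store contained
// in the input byte slice. The expected layout is a saltSize-byte salt
// followed by the ciphertext produced by MarshalSecretStore. The
// decryption key is derived from passphrase and the salt at scrypt
// strength m, and a private copy of passphrase is retained in the
// returned store so it can be re-encrypted later.
//
// It returns false when the input is too short to hold a salt, when key
// derivation fails, when decryption fails (a wrong passphrase and a
// tampered ciphertext are not distinguished at this level; only a bool
// comes back from secret.Decrypt), or when the plaintext is not a valid
// JSON encoding of SecretStore. The derived key and the decrypted
// plaintext are zeroed before returning; the fields json.Unmarshal
// populates in the returned store are separate allocations and are not,
// so the caller should call Zero on the store when finished with it.
func UnmarshalSecretStore(in, passphrase []byte, m secret.ScryptMode) (*SecretStore, bool) {
	if len(in) < saltSize {
		return nil, false
	}
	salt := in[:saltSize]
	enc := in[saltSize:]

	key := secret.DeriveKeyStrength(passphrase, salt, m)
	if key == nil {
		return nil, false
	}
	defer util.Zero(key[:])

	data, ok := secret.Decrypt(key, enc)
	if !ok {
		util.Errorf("decrypt fails")
		return nil, false
	}
	defer util.Zero(data)

	var store SecretStore
	if err := json.Unmarshal(data, &store); err != nil {
		// This is a parse failure of the decrypted plaintext; the
		// previous message ("encrypt fails") misreported it.
		util.Errorf("unmarshal fails")
		return nil, false
	}

	// Keep a private copy so the caller may zero its own buffer
	// independently of the store's lifetime.
	store.passphrase = make([]byte, len(passphrase))
	copy(store.passphrase, passphrase)
	return &store, true
}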
// MarshalSecretStore serialises and encrypts the data store to a byte
// slice suitable for writing to disk. The output is a fresh random salt
// of saltSize bytes followed by the ciphertext; the encryption key is
// derived from the store's passphrase and that salt at scrypt strength m.
//
// It returns false if the store is not Valid, if JSON encoding fails, if
// the salt cannot be generated, if key derivation fails, or if
// encryption fails. The JSON plaintext and the derived key are zeroed
// before returning. Once encryption has succeeded the store itself is
// zeroed (s.Zero) on the way out, so a successful call consumes s; on
// the failure paths the store is left untouched.
func MarshalSecretStore(s *SecretStore, m secret.ScryptMode) ([]byte, bool) {
	if !s.Valid() {
		return nil, false
	}

	plain, err := json.Marshal(s)
	if err != nil {
		return nil, false
	}
	defer util.Zero(plain)

	salt := util.RandBytes(saltSize)
	if salt == nil {
		return nil, false
	}

	key := secret.DeriveKeyStrength(s.passphrase, salt, m)
	if key == nil {
		return nil, false
	}
	defer util.Zero(key[:])

	ct, ok := secret.Encrypt(key, plain)
	if !ok {
		return nil, false
	}
	// The call succeeds from here on: wipe the in-memory store before
	// handing the ciphertext back.
	defer s.Zero()

	// Prepend the salt so UnmarshalSecretStore can recover it.
	blob := make([]byte, 0, len(salt)+len(ct))
	blob = append(blob, salt...)
	blob = append(blob, ct...)
	return blob, true
}