Encryption

Package tlock provides an API for encrypting/decrypting data using drand time lock encryption. This allows data to be encrypted and only decrypted in the future.

Package ntlmssp provides NTLM/Negotiate authentication over HTTP Protocol details from https://msdn.microsoft.com/en-us/library/cc236621.aspx, implementation hints from http://davenport.sourceforge.net/ntlm.html . This package only implements authentication, no key exchange or encryption. It only supports Unicode (UTF16LE) encoding of protocol strings, no OEM encoding. This package implements NTLMv2.

Package srp Secure Remote Password protocol The principal interface provided by this package is the SRP type. The end aim of the caller is to to have an SRP server and SRP client arrive at the same key. See the documentation for the SRP structure and its methods for the nitty gritty of use. BUG(jpg): This does not use the same padding and hashing scheme as in RFC 5054, and therefore is not interoperable with those clients and servers. Perhaps someday we'll add an RFC 5054 mode that does that, but today is not that day. It would be nice if this package could be used without having some understanding of the SRP protocol, but too much of the language and naming depends on at least some familiarity. Here is a summary. The Secure Remote Password protocol involves a server and a client proving to each other that they know (or can derive) their long term secrets. The client's long term secret is known as "x" and the corresponding server secret, the verifier, is known as "v". The verifier is mathematically related to x and is computed by the client on first enrollment and transmitted to the server. Typically the server will store the verifier and the client will derive x from a user secret such as a password. Because the verifier can used like a password hash with respect to cracking, the derivation of x should be designed to resist password cracking if the verifier is compromised. The client and the server must both use the same Diffie-Hellman group to perform their computations. The server and the client each send an ephemeral public key to each other. (The client sends A; the server sends B.) With their private knowledge of their own ephemeral secrets (a or b) and their private knowledge of x (for the client) and v (for the server) along with public knowledge they are able to prove to each other that they know their respective secrets and can generate a session key, K, which may be used for further encryption during the session. Quoting from http://srp.stanford.edu/design.html (with some modification for KDF and and checks) This package does not address the actual communication between client and server. But through the SRP type it not only performs the calculations needed, it also performs safety and sanity checks on its input, and it hides everything from the caller except what the caller absolutely needs to provide. The key derivation function, KDF() 1. Both client and server: Checking whether methods have returned without error. This is particularly true of SRP.Key() and SetOthersPublic() 2. Client: Using an appropriate key derivation function for deriving x from the user's password (and nudging user toward a good password) 3. Server: Storing the v securely (sent by the client on first enrollment). A captured v can be used to impersonate the server. The verifier, v, can also be used like a password hash in a password cracking attempt 4. Both: Proving to each other that both have the same key. The package includes methods that can assist with that. ExampleServerClientKey is an example.

Package beanstalk provides a beanstalk client. The Producer is used to put jobs into tubes. It provides a connection pool: Putting a job in a tube is done by calling Put, which will select a random connection for its operation: If a Put operation fails on a connection, another connection in the pool will be selected for a retry. The Consumer is used to reserve jobs from tubes. It provides a connection pool: The ratio of Multiply and NumGoroutines is important. Multiply determines the size of the connection pool and NumGoroutines determines how many reserved jobs you have in-flight. If you have a limited number of connections, but a high number of reserved jobs in-flight, your TCP connection pool might experience congestion and your processing speed will suffer. Although the ratio depends on the speed by which jobs are processed, a good rule of thumb is 1:10. Reserve jobs from the tubes specified in NewConsumer is done by calling Receive, which will reserve jobs on any of the connections in the pool: If the context passed to Receive is cancelled, Receive will finish processing the jobs it has reserved before returning. When Receive offers a job the goroutine is responsible for processing that job and finishing it up. A job can either be deleted, released or buried: If the Producer and Consumer abstractions are too high, then Conn provides the lower level abstraction of a single connection to a beanstalk server: The Config structure offers hooks for info and error logs that allows hooking in to a custom log solution. NewProducer, NewConsumer and Dial take a URI or a list of URIs as their first argument, who can be described in various formats. In the above examples the beanstalk server was referenced by the host:port notation. This package also supports URI formats like beanstalk:// for a plaintext connection, and beanstalks:// or tls:// for encrypted connections. In the case of encrypted connections, if no port has been specified it will default to port 11400 as opposed to the default 11300 port.

Package age implements file encryption according to the age-encryption.org/v1 specification. For most use cases, use the Encrypt and Decrypt functions with X25519Recipient and X25519Identity. If passphrase encryption is required, use ScryptRecipient and ScryptIdentity. For compatibility with existing SSH keys use the filippo.io/age/agessh package. age encrypted files are binary and not malleable. For encoding them as text, use the filippo.io/age/armor package. age does not have a global keyring. Instead, since age keys are small, textual, and cheap, you are encouraged to generate dedicated keys for each task and application. Recipient public keys can be passed around as command line flags and in config files, while secret keys should be stored in dedicated files, through secret management systems, or as environment variables. There is no default path for age keys. Instead, they should be stored at application-specific paths. The CLI supports files where private keys are listed one per line, ignoring empty lines and lines starting with "#". These files can be parsed with ParseIdentities. When integrating age into a new system, it's recommended that you only support X25519 keys, and not SSH keys. The latter are supported for manual encryption operations. If you need to tie into existing key management infrastructure, you might want to consider implementing your own Recipient and Identity. Files encrypted with a stable version (not alpha, beta, or release candidate) of age, or with any v1.0.0 beta or release candidate, will decrypt with any later versions of the v1 API. This might change in v2, in which case v1 will be maintained with security fixes for compatibility with older files. If decrypting an older file poses a security risk, doing so might require an explicit opt-in in the API.

Package stream is a Golang library that transforms any net.Conn or io.ReadWriter stream to an encrypted and/or authenticated stream. 1. The encrypted stream implements net.Conn and io.ReadWriter and can be used as drop-in replacement. 2. Works with any encryption, authentication, or authenticated encryption algorithm or even arbitrary transformation. Only a cipher that implements encrypt/decrypt needs to be provided. XSalsa20-Poly1305 and AES-GCM are provided as reference cipher. 3. The encrypted stream only adds a small constant memory overhead compared to the original stream. Note: this library does not handle handshake or key exchange. Handshake should be done separately before using this library to compute a shared key.

Package sessions provides a minimalist and lightweight HTTP session cookie implementation for Go. Session cookies are encrypted and authenticated using nacl/secretbox. Example usage:

Package sqlite3 provides interface to SQLite3 databases. This works as a driver for database/sql. Installation Currently, go-sqlite3 supports the following data types. You can write your own extension module for sqlite3. For example, below is an extension for a Regexp matcher operation. It needs to be built as a so/dll shared library. And you need to register the extension module like below. Then, you can use this extension. You can hook and inject your code when the connection is established. database/sql doesn't provide a way to get native go-sqlite3 interfaces. So if you want, you need to set ConnectHook and get the SQLiteConn. If you want to register Go functions as SQLite extension functions, call RegisterFunction from ConnectHook. See the documentation of RegisterFunc for more details.

Package alloydbconn provides functions for authorizing and encrypting connections. These functions can be used with a database driver to connect to an AlloyDB cluster. To start working with this package, create a Dialer. There are two ways of creating a Dialer, which one you use depends on your database driver. Users have the option of using the database/sql interface or using pgx directly. To use a dialer with pgx, we recommend using connection pooling with pgxpool. To create the dialer use the NewDialer func. To use database/sql, call pgxv4.RegisterDriver with any necessary Dialer configuration.

Package props implements handling of property lists and files. It is fully compatible with the Java property file format and also provides additional features such as property expansion, configuration by convention, and encryption for use as application configuration. See the cmd dir for a helper application to encrypt and decrypt properties in files.

Package kms provides the client and types for making API requests to AWS Key Management Service. AWS Key Management Service (AWS KMS) is an encryption and key management web service. This guide describes the AWS KMS operations that you can call programmatically. For general information about AWS KMS, see the AWS Key Management Service Developer Guide (http://docs.aws.amazon.com/kms/latest/developerguide/). AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to AWS KMS and other AWS services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/). We recommend that you use the AWS SDKs to make programmatic API calls to AWS KMS. Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes. Requests must be signed by using an access key ID and a secret access key. We strongly recommend that you do not use your AWS account (root) access key ID and secret key for everyday work with AWS KMS. Instead, use the access key ID and secret access key for an IAM user, or you can use the AWS Security Token Service to generate temporary security credentials that you can use to sign requests. All AWS KMS operations require Signature Version 4 (http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related events for your AWS account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to AWS KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/). For more information about credentials and request signing, see the following: AWS Security Credentials (http://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html) This topic provides general information about the types of credentials used for accessing AWS. Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) This section of the IAM User Guide describes how to create and use temporary security credentials. Signature Version 4 Signing Process (http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) This set of topics walks you through the process of signing a request using an access key ID and a secret access key. Of the APIs discussed in this guide, the following will prove the most useful for most applications. You will likely perform actions other than these, such as creating keys and assigning policies, by using the console. Encrypt Decrypt GenerateDataKey GenerateDataKeyWithoutPlaintext See https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01 for more information on this service. See kms package documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/kms/ To AWS Key Management Service with the SDK use the New function to create a new service client. With that client you can make API requests to the service. These clients are safe to use concurrently. See the SDK's documentation for more information on how to use the SDK. https://docs.aws.amazon.com/sdk-for-go/api/ See aws.Config documentation for more information on configuring SDK clients. https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config See the AWS Key Management Service client KMS for more information on creating client for this service. https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#New

Package s3 provides the client and types for making API requests to Amazon Simple Storage Service. See https://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01 for more information on this service. See s3 package documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/ To Amazon Simple Storage Service with the SDK use the New function to create a new service client. With that client you can make API requests to the service. These clients are safe to use concurrently. See the SDK's documentation for more information on how to use the SDK. https://docs.aws.amazon.com/sdk-for-go/api/ See aws.Config documentation for more information on configuring SDK clients. https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config See the Amazon Simple Storage Service client S3 for more information on creating client for this service. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#New The s3manager package's Uploader provides concurrent upload of content to S3 by taking advantage of S3's Multipart APIs. The Uploader also supports both io.Reader for streaming uploads, and will also take advantage of io.ReadSeeker for optimizations if the Body satisfies that type. Once the Uploader instance is created you can call Upload concurrently from multiple goroutines safely. See the s3manager package's Uploader type documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#Uploader The s3manager package's Downloader provides concurrently downloading of Objects from S3. The Downloader will write S3 Object content with an io.WriterAt. Once the Downloader instance is created you can call Upload concurrently from multiple goroutines safely. See the s3manager package's Downloader type documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#Downloader GetBucketRegion will attempt to get the region for a bucket using a region hint to determine which AWS partition to perform the query on. Use this utility to determine the region a bucket is in. See the s3manager package's GetBucketRegion function documentation for more information https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#GetBucketRegion The s3crypto package provides the tools to upload and download encrypted content from S3. The Encryption and Decryption clients can be used concurrently once the client is created. See the s3crypto package documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3crypto/

Package s3 provides the client and types for making API requests to Amazon Simple Storage Service. See https://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01 for more information on this service. See s3 package documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/ To Amazon Simple Storage Service with the SDK use the New function to create a new service client. With that client you can make API requests to the service. These clients are safe to use concurrently. See the SDK's documentation for more information on how to use the SDK. https://docs.aws.amazon.com/sdk-for-go/api/ See aws.Config documentation for more information on configuring SDK clients. https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config See the Amazon Simple Storage Service client S3 for more information on creating client for this service. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#New The s3manager package's Uploader provides concurrent upload of content to S3 by taking advantage of S3's Multipart APIs. The Uploader also supports both io.Reader for streaming uploads, and will also take advantage of io.ReadSeeker for optimizations if the Body satisfies that type. Once the Uploader instance is created you can call Upload concurrently from multiple goroutines safely. See the s3manager package's Uploader type documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#Uploader The s3manager package's Downloader provides concurrently downloading of Objects from S3. The Downloader will write S3 Object content with an io.WriterAt. Once the Downloader instance is created you can call Upload concurrently from multiple goroutines safely. See the s3manager package's Downloader type documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#Downloader GetBucketRegion will attempt to get the region for a bucket using a region hint to determine which AWS partition to perform the query on. Use this utility to determine the region a bucket is in. See the s3manager package's GetBucketRegion function documentation for more information https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#GetBucketRegion The s3crypto package provides the tools to upload and download encrypted content from S3. The Encryption and Decryption clients can be used concurrently once the client is created. See the s3crypto package documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3crypto/

Package dns provides net.Resolver instances implementing caching, opportunistic encryption, and DNS over TLS/HTTPS. To replace the net.DefaultResolver with a caching DNS over HTTPS instance using the Google Public DNS resolver: