{"id":29104550,"url":"https://github.com/opencoff/ebolt","last_synced_at":"2025-06-29T00:05:53.430Z","repository":{"id":290309879,"uuid":"973968471","full_name":"opencoff/ebolt","owner":"opencoff","description":"Encrypted bolt db wrapper with heirarchical keys","archived":false,"fork":false,"pushed_at":"2025-05-06T18:20:52.000Z","size":23,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-06T19:39:44.517Z","etag":null,"topics":["aes-gcm","boltdb","encryption","encryption-decryption","golang-db","golang-library","sha3"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opencoff.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-28T04:06:25.000Z","updated_at":"2025-05-06T18:20:56.000Z","dependencies_parsed_at":null,"dependency_job_id":"51aa4437-b6b5-4a49-87d6-d6fafc2a9022","html_url":"https://github.com/opencoff/ebolt","commit_stats":null,"previous_names":["opencoff/ebolt"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/opencoff/ebolt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Febolt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Febolt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Febolt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Febolt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opencoff","download_url":"https://codeload.github.com/opencoff/ebolt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Febolt/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262514196,"owners_count":23322697,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes-gcm","boltdb","encryption","encryption-decryption","golang-db","golang-library","sha3"],"created_at":"2025-06-29T00:05:50.720Z","updated_at":"2025-06-29T00:05:53.412Z","avatar_url":"https://github.com/opencoff.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ebolt\nA secure, encrypted wrapper over [bbolt](https://github.com/etcd-io/bbolt) providing hierarchical key-value storage\nwith transparent encryption capabilities.\n\n## Features\n\n- **Hierarchical Path Structure**: Use intuitive paths like \"users/profiles/john\"\n  with automatic bucket creation for the key/value pairs.\n- **Transparent Encryption**: All keys \u0026 values are encrypted and decrypted with\n   AES-256-GCM.\n- **Key Obfuscation**: The DB path segments are individually encrypted.\n- **Transaction Support**: Full atomic operations with commit/rollback capabilities.\n- **Backup Support**: Live, encrypted database backups without interrupting service.\n- **Cross-Platform**: Works on Linux, macOS, and Windows.\n\n## Installation\n\n```bash\ngo get github.com/opencoff/ebolt\n```\n\n## Overview\n\nEbolt enhances the popular bbolt key-value store by adding:\n\n1. **Encryption Layer**: All stored keys \u0026 values are encrypted before writing and decrypted when read\n2. **Path-Based Access**: Keys are specified as paths (e.g., \"users/settings/theme\") where\n   intermediate components become buckets\n3. **Auto-Vivification**: Intermediate buckets are automatically created when setting values\n4. **Simple API**: Simple API to get/set, query\n\nThis library is ideal for applications that need to store sensitive data while maintaining the performance\nand simplicity of bbolt.\n\n## Usage Examples\n\n### Basic Operations\n\n```go\npackage main\n\nimport (\n    \"fmt\"\n    \"log\"\n\n    \"github.com/opencoff/ebolt\"\n    \"github.com/opencoff/go-utils\"\n)\n\nfunc main() {\n    pw, err := utils.Askpass(\"Enter DB Password\", true)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    // This is just an example. For production uses, you\n    // must use a strong KDF like Argon2i to derive a\n    // key from the user's passphrase.\n\n    // Open or create an encrypted database\n    db, err := ebolt.Open(\"users.db\", []byte(pw), nil)\n    if err != nil {\n        log.Fatalf(\"Failed to open database: %v\", err)\n    }\n    defer db.Close()\n\n    // Store values with hierarchical paths (buckets auto-created)\n    if err := db.Set(\"app/settings/theme\", []byte(\"dark\")); err != nil {\n        log.Fatalf(\"Failed to set theme: %v\", err)\n    }\n    \n    if err := db.Set(\"app/settings/language\", []byte(\"en-US\")); err != nil {\n        log.Fatalf(\"Failed to set language: %v\", err)\n    }\n\n    // Retrieve a specific value\n    theme, err := db.Get(\"app/settings/theme\")\n    if err != nil {\n        log.Fatalf(\"Failed to get theme: %v\", err)\n    }\n    fmt.Printf(\"Theme: %s\\n\", theme)\n\n    // Get all settings\n    settings, err := db.All(\"app/settings\")\n    if err != nil {\n        log.Fatalf(\"Failed to get settings: %v\", err)\n    }\n\n    fmt.Println(\"All settings:\")\n    for k, v := range settings {\n        fmt.Printf(\"  %s: %s\\n\", k, v)\n    }\n}\n```\n\n### Using Transactions\n\n```go\npackage main\n\nimport (\n    \"fmt\"\n    \"log\"\n\n    \"github.com/opencoff/ebolt\"\n    \"github.com/opencoff/go-utils\"\n)\n\nfunc main() {\n    pw, err := utils.Askpass(\"Enter DB Password\", true)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    // This is just an example. For production uses, you\n    // must use a strong KDF like Argon2i to derive a\n    // key from the user's passphrase.\n\n    db, err := ebolt.Open(\"users.db\", []byte(pw), nil)\n    if err != nil {\n        log.Fatal(err)\n    }\n    defer db.Close()\n\n    // Start a writable transaction\n    tx, err := db.BeginTransaction(true)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    // Set multiple values atomically\n    err = tx.SetMany([]ebolt.KV{\n        {Key: \"users/1001/name\", Val: []byte(\"Alice Smith\")},\n        {Key: \"users/1001/email\", Val: []byte(\"alice@example.com\")},\n        {Key: \"users/1001/role\", Val: []byte(\"admin\")},\n    })\n\n    if err != nil {\n        tx.Rollback()\n        log.Fatalf(\"Transaction failed: %v\", err)\n    }\n\n    // Commit changes\n    if err = tx.Commit(); err != nil {\n        log.Fatalf(\"Commit failed: %v\", err)\n    }\n\n    // Read the data back\n    name, _ := db.Get(\"users/1001/name\")\n    fmt.Printf(\"User name: %s\\n\", name)\n\n    // Get all keys in a bucket\n    keys, err := db.AllKeys(\"users/1001\")\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    fmt.Println(\"User profile fields:\")\n    for _, key := range keys {\n        fmt.Printf(\"  - %s\\n\", key)\n    }\n}\n```\n\n### Database Backup\n\n```go\npackage main\n\nimport (\n    \"log\"\n    \"os\"\n    \"time\"\n\n    \"github.com/opencoff/ebolt\"\n    \"github.com/opencoff/go-utils\"\n)\n\nfunc main() {\n    pw, err := utils.Askpass(\"Enter DB Password\", true)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    // This is just an example. For production uses, you\n    // must use a strong KDF like Argon2i to derive a\n    // key from the user's passphrase.\n\n    // Open the database\n    db, err := ebolt.Open(\"production.db\", []byte(pw), nil)\n    if err != nil {\n        log.Fatal(err)\n    }\n    defer db.Close()\n\n    // Create a backup file\n    backupFile, err := os.Create(\"backup-\" + time.Now().Format(\"20060102\") + \".db\")\n    if err != nil {\n        log.Fatal(err)\n    }\n    defer backupFile.Close()\n\n    // Perform live backup\n    bytes, err := db.Backup(backupFile)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    log.Printf(\"Backup completed successfully: %d bytes written\", bytes)\n}\n```\n\n## Interface Documentation\n\n### Types and Interfaces\n\n```go\n// KV represents a key-value pair for storage operations\ntype KV struct {\n    Key string\n    Val []byte\n}\n\n// Ops interface defines the core operations for the encrypted database\ntype Ops interface {\n    // Get retrieves and decrypts the value stored at the specified path.\n    // The path format \"a/b/name\" is interpreted where intermediate components\n    // are buckets and the final component is the key.\n    Get(p string) ([]byte, error)\n    \n    // Set encrypts and stores a value at the specified path, automatically\n    // creating any intermediate buckets as needed. The leaf component of the\n    // path is obfuscated while bucket names remain in plaintext.\n    Set(p string, v []byte) error\n\n    // SetMany encrypts and stores multiple key-value pairs. Each key follows\n    // the path format with automatic bucket creation.\n    SetMany(v []KV) error\n\n    // Del removes the encrypted value at the specified path.\n    Del(p string) error\n\n    // DelMany deletes multiple keys in a single transaction.\n    // Each path is processed according to the hierarchical bucket structure.\n    DelMany(v []string) error\n\n    // All retrieves all entries within a given bucket path, returning a map\n    // of decrypted key-value pairs. The keys in the map are the original \n    // unobfuscated keys (including their full path).\n    All(p string) (map[string][]byte, error)\n    \n    // AllKeys returns all keys within a given bucket path without\n    // retrieving their values. The returned keys are the original\n    // unobfuscated keys (including their full path).\n    AllKeys(p string) ([]string, error)\n    \n    // Dir returns all sub-buckets under the specified path without\n    // retrieving individual key-value pairs. In boltdb terminology,\n    // this returns all sub-buckets of a bucket.\n    Dir(p string) ([][]byte, error)\n}\n\n// DB interface extends Ops with database management functionality\ntype DB interface {\n    // Ops embeds all operations from the Ops interface\n    Ops\n    \n    // Close finalizes all transactions and releases database resources.\n    Close() error\n    \n    // BeginTransaction starts a new transaction that can be either read-only\n    // or read-write. Multiple read-only transactions can run concurrently,\n    // but write transactions are exclusive.\n    BeginTransaction(writable bool) (Tx, error)\n    \n    // Backup performs a live backup of the encrypted database to the provided\n    // io.Writer, returning the number of bytes written. The database remains\n    // usable during the backup process.\n    Backup(wr io.Writer) (int64, error)\n}\n\n// Tx interface represents an active transaction\ntype Tx interface {\n    // Ops embeds all operations from the Ops interface\n    Ops\n    \n    // Commit persists all changes made within this transaction to the database.\n    // After calling Commit, the transaction is no longer usable.\n    Commit() error\n    \n    // Rollback discards all changes made within this transaction.\n    // After calling Rollback, the transaction is no longer usable.\n    Rollback() error\n}\n```\n\n### Database Encryption Keys\nIf your db encryption key is already part of some KMS regime or a previous HKDF-like key\nexpansion, then it's safe to use with `ebolt.Open()`.\n\nPlease DO NOT use string passwords as the input to \"ebolt.Open()\". This is a terrible idea.\nConsult your favorite cryptographer to safely convert a string passphrase into usable\nkey material. I tend to use the following construct to generate a 32-byte key.\n\n```\n    salt = randombytes(32)\n    key  = argon2id(32, passphrase, salt, Time, Mem, Par)\n```\nOf course, one has to store \"salt\" safely in some place. And choose \"Time\", \"Mem\", \"Par\" to\naccount for your security needs.\n\n## Implementation Notes\n\n- The encryption is applied only to the values stored in the database, not to the database\n  file itself.\n- Only leaf keys are obfuscated, keeping bucket names readable for easier debugging and navigation.\n- Performance impact of encryption is expected to be minimal for most use cases.\n\n### Cryptography\n`cipher.go` implements the necessary cryptography. The user provided key is expanded with domain\nseparation into two keys and a nonce. Each of the keys is used to construct an AEAD for keys and\nvalues respectively. Each segment of the path is encrypted with a common nonce, while the values\nall get unique, random nonces. In pseudo code:\n\n```\n    keymat = HKDF-expand(master_key, \"AES Keys and Nonce\")\n    key_k, keymat = keymat[:32], keymat[32:]\n    val_k, keymat = keymat[:32], keymat[32:]\n    nonce = keymat\n\n    key_cipher = aes_256_GCM(key_k)\n    val_cipher = aes_256_GCM(val_k)\n```\n\n\n## Related Projects\n\n- [go-logger](https://github.com/opencoff/go-logger) - Simple logging library\n- [go-fio](https://github.com/opencoff/go-fio) - Cross-platform file I/O utilities with support for\n  concurrent file tree walking and directory tree comparison\n\n## License\n\nMIT License\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopencoff%2Febolt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopencoff%2Febolt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopencoff%2Febolt/lists"}