{"id":19273750,"url":"https://github.com/thisdougb/go-fsvault","last_synced_at":"2026-01-02T01:08:37.952Z","repository":{"id":220985197,"uuid":"753140643","full_name":"thisdougb/go-fsvault","owner":"thisdougb","description":"Easy to use filesystem datastore, with encryption, for Go","archived":false,"fork":false,"pushed_at":"2024-05-10T13:09:06.000Z","size":59,"stargazers_count":3,"open_issues_count":2,"forks_count":0,"subscribers_count":2,"default_branch":"develop","last_synced_at":"2025-01-20T01:35:17.132Z","etag":null,"topics":["cli","datastore","encryption","golang","golang-cli","golang-package","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thisdougb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-05T14:50:21.000Z","updated_at":"2024-11-29T13:17:20.000Z","dependencies_parsed_at":"2024-03-19T12:31:01.611Z","dependency_job_id":"69ae04a1-a8c4-4fd8-ae11-587dfb0225f3","html_url":"https://github.com/thisdougb/go-fsvault","commit_stats":null,"previous_names":["thisdougb/go-fsvault"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisdougb%2Fgo-fsvault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisdougb%2Fgo-fsvault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisdougb%2Fgo-fsvault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thisdougb%2Fgo-fsvault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thisdougb","download_url":"https://codeload.github.com/thisdougb/go-fsvault/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243359406,"owners_count":20278189,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","datastore","encryption","golang","golang-cli","golang-package","security"],"created_at":"2024-11-09T20:43:59.403Z","updated_at":"2026-01-02T01:08:37.915Z","avatar_url":"https://github.com/thisdougb.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# fsvault\n\n[![release](https://github.com/thisdougb/go-fsvault/actions/workflows/release.yaml/badge.svg)](https://github.com/thisdougb/go-fsvault/actions/workflows/release.yaml)\n\n## Overview\n\nPackage and cli tool for storing data on the filesystem, with encryption.\n\n```\ngo install github.com/thisdougb/go-fsvault/fsvcli\n```\n\n### Features\n\n- A simple key/value store on the filesystem\n- Encryption of data at rest\n- Storing maps of generic types\n- Per key locks for synchronised access\n\n## Walkthrough\n\n### Command Line\n\nTwo environment variables control conffiguration:\n\n    FSVAULT_DATADIR       the datastore filesystem path, defaults to /tmp\n    FSVAULT_SECRET_KEYS   a list of encryption keys, see docs for more information\n\nUsage:\n\n    fsvcli \u003ccommand\u003e [arguments]\n\nThe commands are:\n\n    put       put a value into the datastore\n    get       get a value from the datastore\n    delete    delete a key in the datastore\n    list      list keys at a datastore path\n    refresh   refresh encryption for a key/value\n\nExamples:\n\n    $ fsvcli put -key \"/user/23/passphrase\" -data \"Pssst… The green cow has eaten the maple oatmeal\"\n\n    $ fsvcli get -key \"/user/23/passphrase\"       \n    Pssst… The green cow has eaten the maple oatmeal\n\n    $ fsvcli put -h\n    Usage of put:\n      -data string\n        \tdata to store\n      -key string\n        \tkey to the data\n\n### Go Library\n\nThe example package shows usage.\n\nWrite a value at vault key `/user/23/passphrase``:\n\n```\nfsvault.Put(\"/user/23/passphrase\", []byte(\"the wind blows from above\"))\n```\n\nRead a value at vault key `/user/23/passphrase`:\n\n```\ndata, _ := fsvault.Get(\"/user/23/passphrase\")\n```\n\nGet a map value (int64), including a lock, at map key, defering the lock release:\n\n```\nlock, value := fsvault.GetMapValueWithLock[int64](vaultKey, mapKey)\ndefer lock.Unlock()\n```\n\n## Encryption Key Rollover\n\nRolling encryption keys doesn't need to be difficult. \nHaving 'data encrypted at rest' is simple with fsvault, espeically for a live app.\n\nAn example using the cli interface, which I think is easier to see what's going on.\nAutomatic re-encryption happens the same way when importing this package into your app code.\n\nFirst export the keys and path vars:\n\n```\n$ export FSVAULT_SECRET_KEYS=\"key1-gsecdddddwwwwdtmylongsecret\"\n$ export FSVAULT_DATADIR=\"/data/fsvault/\"\n```\n\nNow we can store some encrypted data, and read it back:\n\n```\n$ fsvault put -key \"/user/23/passphrase\" -data \"Pssst… The green cow has eaten the maple oatmeal\"\n$ \n$ fsvault get -key \"/user/23/passphrase\"                                                        \nPssst… The green cow has eaten the maple oatmeal\n$\n```\n\nWhen we need to roll the encryption key, simply prepend it to the list of keys.\nNow, when that path is read fsvault re-stores the data with the principle encryption key.\n\nHere I've added the `-debug` flag, to show what's happening:\n\n```\n$ export FSVAULT_SECRET_KEYS='key2-ensu6fjyivh26fnr5gbaqw3f6go,key1-gsecdddddwwwwdtmylongsecret'\n$ fsvault get -key \"/user/23/passphrase\"\n2024/02/05 10:20:14 DEBUG +0.0s [id=fsvault] cli.getDataAtKey(): full path /data/fsvault/user/23/passphrase\n2024/02/05 10:20:14 DEBUG +0.0s [id=fsvault] fsvault.Get(): decrypt error with key 0 = cipher: message authentication failed\n2024/02/05 10:20:14 DEBUG +0.0s [id=fsvault] fsvault.Get(): decrypted data at key /user/23/passphrase\n2024/02/05 10:20:14 DEBUG +0.0s [id=fsvault] fsvault.Get(): rolling encryption for data at key /user/23/passphrase\n2024/02/05 10:20:14 DEBUG +0.0s [id=fsvault] fsvault.Put(): encrypted data at key /user/23/passphrase\nPssst… The green cow has eaten the maple oatmeal\n$\n```\n\nA simple shell for-loop can read all keys to roll the data encryption, forcing re-encryption.\nOnce all data is refreshed, we can remove the old encryption key:\n\n```\n$ export FSVAULT_SECRET_KEYS='key2-ensu6fjyivh26fnr5gbaqw3f6go'                                 \n$ fsvault get -key \"/user/23/passphrase\"\nPssst… The green cow has eaten the maple oatmeal\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthisdougb%2Fgo-fsvault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthisdougb%2Fgo-fsvault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthisdougb%2Fgo-fsvault/lists"}