package domain import ( "crypto/aes" "crypto/cipher" "crypto/rand" "crypto/sha256" "encoding/base64" "fmt" "io" ) // Seal encrypts plaintext with AES-GCM derived from secret. func Seal(secret, plaintext string) (string, error) { if plaintext == "" { return "", nil } key := sha256.Sum256([]byte(secret)) block, err := aes.NewCipher(key[:]) if err != nil { return "", err } gcm, err := cipher.NewGCM(block) if err != nil { return "", err } nonce := make([]byte, gcm.NonceSize()) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return "", err } out := gcm.Seal(nonce, nonce, []byte(plaintext), nil) return base64.RawURLEncoding.EncodeToString(out), nil } // Open decrypts Seal output. func Open(secret, sealed string) (string, error) { if sealed == "" { return "", nil } raw, err := base64.RawURLEncoding.DecodeString(sealed) if err != nil { return "", err } key := sha256.Sum256([]byte(secret)) block, err := aes.NewCipher(key[:]) if err != nil { return "", err } gcm, err := cipher.NewGCM(block) if err != nil { return "", err } ns := gcm.NonceSize() if len(raw) < ns { return "", fmt.Errorf("ciphertext too short") } nonce, ct := raw[:ns], raw[ns:] pt, err := gcm.Open(nil, nonce, ct, nil) if err != nil { return "", err } return string(pt), nil }