Bailey: Hardware-bound security for Clojure applications.
This namespace provides the public API for initializing the secure environment, encrypting/decrypting data, and managing key rotation.
Bailey: Hardware-bound security for Clojure applications. This namespace provides the public API for initializing the secure environment, encrypting/decrypting data, and managing key rotation.
(decrypt ciphertext)Decrypts ciphertext (byte[]).
Automatically selects the correct key from the server keychain.
Decrypts `ciphertext` (byte[]). Automatically selects the correct key from the server keychain.
(decrypt-string ciphertext)Like decrypt but returns a string.
Assumes the decrypted bytes are UTF-8 text.
NOTE: Strings are immutable and cannot be zero'd. If possible, alter your workflow to use byte[] instead.
Returns decrypted string.
Like `decrypt` but returns a string. Assumes the decrypted bytes are UTF-8 text. NOTE: Strings are immutable and cannot be zero'd. If possible, alter your workflow to use byte[] instead. Returns decrypted string.
(encrypt data)Encrypts data (byte[]) using the server's current primary key.
Returns encrypted bytes.
Encrypts `data` (byte[]) using the server's current primary key. Returns encrypted bytes.
(encrypt-critical data)Encrypts data with 'Belt and Suspenders' protection.
Use this for data that MUST be recoverable even if the server keychain file is corrupted or deleted (e.g., highly critical configs).
WARNING: Adds significant size overhead (~500 bytes).
Encrypts data with 'Belt and Suspenders' protection. Use this for data that MUST be recoverable even if the server keychain file is corrupted or deleted (e.g., highly critical configs). WARNING: Adds significant size overhead (~500 bytes).
(encrypt-string s)Like encrypt but accepts a string as an argument.
Encodes the string to UTF-8 before encrypting.
NOTE: Strings are immutable and cannot be zero'd. If possible, alter your workflow to use byte[] instead.
Returns encrypted bytes.
Like `encrypt` but accepts a string as an argument. Encodes the string to UTF-8 before encrypting. NOTE: Strings are immutable and cannot be zero'd. If possible, alter your workflow to use byte[] instead. Returns encrypted bytes.
(generate-backup-keys! opts)Generates the offline 'Break Glass' identity.
secrets-dir (Keep this safe/offline!).resources-dir (Commit this to Git).This must be run before building your Uberjar.
Generates the offline 'Break Glass' identity. - Writes the FULL keychain (Private + Public) to `secrets-dir` (Keep this safe/offline!). - Writes the PUBLIC key to `resources-dir` (Commit this to Git). This must be run *before* building your Uberjar.
(init! opts)Initializes the security subsystem.
keychain-path.Arguments: keychain-path - path to save server keys read-server-password!! - (fn []) returning byte[] of the TPM password.
Initializes the security subsystem. - Loads the embedded backup public key from the classpath. - Loads (or creates) the server keychain from `keychain-path`. - Unlocks the keychain using the TPM-sealed password. Arguments: keychain-path - path to save server keys read-server-password!! - (fn []) returning byte[] of the TPM password.
(rotate-keys! read-server-password!!)Generates a fresh symmetric key and promotes it to primary. Existing keys are retained so old data remains readable.
Use this for routine security maintenance.
Generates a fresh symmetric key and promotes it to primary. Existing keys are retained so old data remains readable. Use this for routine security maintenance.
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |