Bailey: Hardware-bound security for Clojure applications.
This namespace provides the public API for initializing the secure environment, encrypting/decrypting data, and managing key rotation.
Bailey: Hardware-bound security for Clojure applications. This namespace provides the public API for initializing the secure environment, encrypting/decrypting data, and managing key rotation.
(decrypt ciphertext)Decrypts ciphertext (byte[]).
Automatically selects the correct key from the server keychain.
Decrypts `ciphertext` (byte[]). Automatically selects the correct key from the server keychain.
(decrypt-asymmetric ciphertext)Decrypts ciphertext (byte[]) that was encrypted for this server's
public key.
Decrypts `ciphertext` (byte[]) that was encrypted for this server's public key.
(decrypt-string ciphertext)Like decrypt but returns a string.
Assumes the decrypted bytes are UTF-8 text.
NOTE: Strings are immutable and cannot be zero'd. If possible, alter your workflow to use byte[] instead.
Returns decrypted string.
Like `decrypt` but returns a string. Assumes the decrypted bytes are UTF-8 text. NOTE: Strings are immutable and cannot be zero'd. If possible, alter your workflow to use byte[] instead. Returns decrypted string.
(encrypt data)Encrypts data (byte[]) using the server's current primary key.
Recovery requires an intact copy of the encrypted server keychain.
Returns encrypted bytes.
Encrypts `data` (byte[]) using the server's current primary key. Recovery requires an intact copy of the encrypted server keychain. Returns encrypted bytes.
(encrypt-critical data)Encrypts data with 'Belt and Suspenders' protection.
Use this for data that MUST be recoverable even if the server keychain file is corrupted or deleted (e.g., highly critical configs).
WARNING: Adds significant size overhead (~500 bytes).
Encrypts data with 'Belt and Suspenders' protection. Use this for data that MUST be recoverable even if the server keychain file is corrupted or deleted (e.g., highly critical configs). WARNING: Adds significant size overhead (~500 bytes).
(encrypt-for-recipient data recipient-public-key-bytes)Encrypts data (byte[]) for another server using its public key.
Returns encrypted bytes.
Encrypts `data` (byte[]) for another server using its public key. Returns encrypted bytes.
(encrypt-string s)Like encrypt but accepts a string as an argument.
Encodes the string to UTF-8 before encrypting.
NOTE: Strings are immutable and cannot be zero'd. If possible, alter your workflow to use byte[] instead.
Returns encrypted bytes.
Like `encrypt` but accepts a string as an argument. Encodes the string to UTF-8 before encrypting. NOTE: Strings are immutable and cannot be zero'd. If possible, alter your workflow to use byte[] instead. Returns encrypted bytes.
(export-public-key)Returns this server's public key as a byte array. Share this with other servers to allow them to encrypt payloads intended specifically for this server.
Returns this server's public key as a byte array. Share this with other servers to allow them to encrypt payloads intended specifically for this server.
(generate-backup-keys! opts)Generates the offline 'Break Glass' identity.
secrets-dir (Keep this safe/offline!).resources-dir (Commit this to Git).This must be run before building your Uberjar, from a dedicated process.
If backup material already exists and :force? is false, this intentionally
terminates that process with a nonzero status.
Generates the offline 'Break Glass' identity. - Writes the FULL keychain (Private + Public) to `secrets-dir` (Keep this safe/offline!). - Writes the PUBLIC key to `resources-dir` (Commit this to Git). This must be run *before* building your Uberjar, from a dedicated process. If backup material already exists and `:force?` is false, this intentionally terminates that process with a nonzero status.
(init! opts)Initializes the security subsystem.
keychain-path.Call exactly once per JVM lifecycle and treat any failure as fatal to startup. Exactly one JVM process may own a given keychain path.
Arguments: keychain-path - path to save server keys read-server-password!! - (fn []) returning byte[] of the TPM password.
Initializes the security subsystem. - Loads the embedded backup public key from the classpath. - Loads (or creates) the server keychain from `keychain-path`. - Unlocks the keychain using the TPM-sealed password. Call exactly once per JVM lifecycle and treat any failure as fatal to startup. Exactly one JVM process may own a given keychain path. Arguments: keychain-path - path to save server keys read-server-password!! - (fn []) returning byte[] of the TPM password.
(rotate-keys! read-server-password!!)Generates a fresh symmetric key and promotes it to primary. Existing keys are retained so old data remains readable.
Use this for routine security maintenance.
Generates a fresh symmetric key and promotes it to primary. Existing keys are retained so old data remains readable. Use this for routine security maintenance.
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |