(decrypt encrypted-bytes)Decrypt ciphertext made using encrypt.
Decrypt ciphertext made using `encrypt`.
(decrypt-asymmetric encrypted-bytes)Decrypts data that was encrypted specifically for this server's public key.
Decrypts data that was encrypted specifically for this server's public key.
(decrypt-backup {:keys [encrypted-bytes backup-full-keychain]})Decodes an encrypted ciphertext using the OFFLINE full backup key.
Decodes an encrypted ciphertext using the OFFLINE full backup key.
(encrypt secret-data & {:keys [include-backup?]})Encrypt data using the loaded server keychain.
Ordinary ciphertext is recoverable via the backup key only while an intact encrypted server-keychain file remains available. The caller must back up that file.
If include-backup? is truthy, also perform asymmetric encryption
using the backup key. This adds overhead, but guarantees the data
can be decrypted even if BOTH the password AND the server keychain
are lost.
Encrypt data using the loaded server keychain. Ordinary ciphertext is recoverable via the backup key only while an intact encrypted server-keychain file remains available. The caller must back up that file. If `include-backup?` is truthy, also perform asymmetric encryption using the backup key. This adds overhead, but guarantees the data can be decrypted even if BOTH the password AND the server keychain are lost.
(encrypt-for-recipient secret-data recipient-public-key-bytes)Encrypts secret-data so that it can only be decrypted by the owner of recipient-public-key-bytes.
Encrypts secret-data so that it can only be decrypted by the owner of recipient-public-key-bytes.
(export-public-key)Freezes and returns this server's public key as a byte array.
Freezes and returns this server's public key as a byte array.
(init! {:keys [keychain-path read-server-password!!]})Initialize server encryption keys exactly once during JVM startup. Treat any failure as fatal. Exactly one JVM process may own the keychain path.
Initialize server encryption keys exactly once during JVM startup. Treat any failure as fatal. Exactly one JVM process may own the keychain path.
(load-backup-public-key)Loads the baked-in public key from the Uberjar classpath.
Loads the baked-in public key from the Uberjar classpath.
(recover-keychain-file path-to-encrypted-keychain
path-to-offline-backup-keychain
backup-password)Decodes an encrypted keychain file using the OFFLINE full backup key.
backup-password must be a String.
Returns the usable server keychain.
Decodes an encrypted keychain file using the OFFLINE full backup key. `backup-password` must be a String. Returns the usable server keychain.
(rotate-server-keys! read-server-password!!)Generates a fresh symmetric key, promotes it to primary, and demotes existing keys. Updates the encrypted file on disk and the running in-memory atom.
Requires the current TPM password to decrypt and re-encrypt the keychain file.
Generates a fresh symmetric key, promotes it to primary, and demotes existing keys. Updates the encrypted file on disk and the running in-memory atom. Requires the current TPM password to decrypt and re-encrypt the keychain file.
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |