Skip to content

Instantly share code, notes, and snippets.

Last active July 6, 2022 19:32
Show Gist options
  • Save komuw/4d44a25e1b6786100ffe0308106e80f2 to your computer and use it in GitHub Desktop.
Save komuw/4d44a25e1b6786100ffe0308106e80f2 to your computer and use it in GitHub Desktop.
encrypt and decrypt in Go
package main
import (
// from:
// license(GNU Affero General Public License v3.0):
// Also:
// 1.
// 2.
// The recommendation from Go authors seems to be to use `crypto/cipher.NewGCM` or `XChaCha20-Poly1305`
// see;
// examples:
// -
// -
// Latacora seems to recommend XSalsa20+Poly1305
// -
const (
saltLength = 8
// from the docs of aes.NewCipher, key should be 32bytes.
keyLength = 32
func main() {
secret := "1234"
payload := []byte("hello world")
encrypted, err := encrypt(payload, secret)
if err != nil {
fmt.Println("encrypted: ", encrypted, string(encrypted))
decrypted, err := decrypt(encrypted, secret)
if err != nil {
fmt.Println("decrypted: ", decrypted, string(decrypted))
func encode(payload []byte) string {
return base64.RawURLEncoding.EncodeToString(payload)
func decode(payload string) ([]byte, error) {
return base64.RawURLEncoding.DecodeString(payload)
func encrypt(payload []byte, secret string) ([]byte, error) {
salt := id.Random(16)[:saltLength]
key := encryptionKeyToBytes(secret, salt)
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
// The IV needs to be unique, but not secure. Therefore it's common to
// include it at the beginning of the ciphertext.
ciphertext := make([]byte, saltLength+aes.BlockSize+len(payload))
copy(ciphertext[:saltLength], salt)
iv := ciphertext[saltLength : saltLength+aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, err
stream := cipher.NewCFBEncrypter(block, iv)
stream.XORKeyStream(ciphertext[saltLength+aes.BlockSize:], payload)
return ciphertext, nil
func decrypt(payload []byte, secret string) ([]byte, error) {
if len(payload) < saltLength {
return nil, errors.New("unable to compute salt")
salt := payload[:saltLength]
key := encryptionKeyToBytes(secret, string(salt))
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
// The IV needs to be unique, but not secure. Therefore, it's common to
// include it at the beginning of the ciphertext.
if len(payload) < aes.BlockSize {
return nil, errors.New("payload too short")
iv := payload[saltLength : saltLength+aes.BlockSize]
payload = payload[saltLength+aes.BlockSize:]
payloadDst := make([]byte, len(payload))
stream := cipher.NewCFBDecrypter(block, iv)
// XORKeyStream can work in-place if the two arguments are the same.
stream.XORKeyStream(payloadDst, payload)
return payloadDst, nil
func encryptionKeyToBytes(secret, salt string) []byte {
return pbkdf2.Key([]byte(secret), []byte(salt), 10000, keyLength, sha256.New)
package main
import (
goimports -w .;gofumpt -extra -lang 1.18 -w .;gofmt -w -s .;go mod tidy;go test -race ./... -v
func TestEncrypt(t *testing.T) {
t.Run("success", func(t *testing.T) {
secret := id.Random(32)
payload := []byte("hello world")
encrypted, err := encrypt(payload, secret)
attest.Ok(t, err)
decrypted, err := decrypt(encrypted, secret)
attest.Ok(t, err)
attest.Equal(t, decrypted, payload)
attest.Equal(t, string(decrypted), string(payload))
t.Run("eoncode/decode", func(t *testing.T) {
secret := id.Random(32)
payload := []byte("hello world")
encrypted, err := encrypt(payload, secret)
attest.Ok(t, err)
encodedEncrypted := encode(encrypted)
_encrypted, err := decode(encodedEncrypted)
attest.Ok(t, err)
decrypted, err := decrypt(_encrypted, secret)
attest.Ok(t, err)
attest.Equal(t, decrypted, payload)
attest.Equal(t, string(decrypted), string(payload))
package main
import (
cryptoRand "crypto/rand"
mathRand "math/rand"
// -
// -
// why 12?
const noncelength = 12
func main() {
plaintext := []byte("hello world")
secret := []byte("the key should 32bytes & random.")
encrypted, err := encrypt(plaintext, secret)
if err != nil {
decrypted, err := decrypt(encrypted, secret)
if err != nil {
if string(decrypted) != string(plaintext) {
fmt.Println("decrypted: ", string(decrypted))
// encrypt will encrypt using the pre-generated key
func encrypt(plaintext, key []byte) ([]byte, error) {
// from the docs of aes.NewCipher, key should be 32bytes.
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
// generate a random iv/nonce each time
//, Section 8.2
// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
// ie, you can only send a maximum of 2^32 messages for any given key.
// after that(ideally prior to that), you should generate a new key;
nonce := make([]byte, noncelength)
if _, err := cryptoRand.Read(nonce); err != nil {
// Is it safe to use mathRand here?
// According to agl(the one and only);
// "The nonce itself does not have to be random, it can be a counter.
// But it absolutely must be unique"
// see:
_, _ = mathRand.Read(nonce) // docs say that it always returns a nil error.
aesgcm, err := cipher.NewGCM(block)
if err != nil {
return nil, err
encrypted := aesgcm.Seal(nil, nonce, plaintext, nil)
encrypted = append(
// "you can send the nonce in the clear before each message; so long as it's unique." - agl
// see:
return encrypted, err
// decrypt using the pre-generated key
func decrypt(encrypted, key []byte) ([]byte, error) {
if len(encrypted) < 13 {
return nil, fmt.Errorf("incorrect passphrase")
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
aesgcm, err := cipher.NewGCM(block)
if err != nil {
return nil, err
plaintext, err := aesgcm.Open(nil, encrypted[:noncelength], encrypted[noncelength:], nil)
return plaintext, err
package main
import (
cryptoRand "crypto/rand"
// as recommended by Latacora.
// from:
// XChaCha20-Poly1305, unlinke aes-gcm, has no message limit per key.
// It can safely encrypt an unlimited number of messages with the same key, without any limit to the size of a message.
// see:
func main() {
key should be randomly generated or derived from a function like Argon2.
import ""
key := argon2.Key([]byte("some password"), salt, 3, 32*1024, 4, chacha20poly1305.KeySize)
key := make([]byte, chacha20poly1305.KeySize)
if _, err := cryptoRand.Read(key); err != nil {
// xchacha20poly1305 takes a longer nonce, suitable to be generated randomly without risk of collisions.
// It should be preferred when nonce uniqueness cannot be trivially ensured
aead, err := chacha20poly1305.NewX(key)
if err != nil {
// Encryption.
var encryptedMsg []byte
msg := []byte("hello world")
fmt.Println("aead.NonceSize(); ", aead.NonceSize())
// Select a random nonce, and leave capacity for the ciphertext.
nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(msg)+aead.Overhead())
if _, err := cryptoRand.Read(nonce); err != nil {
// Encrypt the message and append the ciphertext to the nonce.
encryptedMsg = aead.Seal(nonce, nonce, msg, nil)
fmt.Println("encryptedMsg: ", encryptedMsg)
// Decryption.
if len(encryptedMsg) < aead.NonceSize() {
panic("ciphertext too short")
// Split nonce and ciphertext.
nonce, ciphertext := encryptedMsg[:aead.NonceSize()], encryptedMsg[aead.NonceSize():]
// Decrypt the message and check it wasn't tampered with.
plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
if err != nil {
fmt.Println("plaintext: ", string(plaintext))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment