Home
Virgil edited this page 2026-02-19 16:58:15 +00:00
go-crypt
Cryptographic toolkit for the Lethean ecosystem.
| | |
|---|---|
| Module | `forge.lthn.ai/core/go-crypt` |
| Go | 1.25.5 |
| Licence | EUPL-1.2 |
| Source | forge.lthn.ai/core/go-crypt |
Overview
go-crypt provides a layered cryptographic library covering symmetric encryption, password hashing, key derivation, OpenPGP operations, and an agent trust engine. It is designed for use across the Lethean platform — from encrypting user data and verifying file integrity to authenticating agents and enforcing capability-based access policies.
Package Structure
| Package | Import Path | Purpose |
|---|---|---|
| `crypt` | `forge.lthn.ai/core/go-crypt/crypt` | Symmetric encryption (ChaCha20-Poly1305, AES-256-GCM), password hashing (Argon2id, bcrypt), key derivation (Argon2id, scrypt, HKDF), HMAC, checksums |
| `crypt/chachapoly` | `forge.lthn.ai/core/go-crypt/crypt/chachapoly` | Standalone ChaCha20-Poly1305 encrypt/decrypt |
| `crypt/pgp` | `forge.lthn.ai/core/go-crypt/crypt/pgp` | OpenPGP key generation, encryption, decryption, signing, verification (ProtonMail go-crypto) |
| `crypt/openpgp` | `forge.lthn.ai/core/go-crypt/crypt/openpgp` | OpenPGP service implementing `core.Crypt` interface with IPC support |
| `crypt/rsa` | `forge.lthn.ai/core/go-crypt/crypt/rsa` | RSA-OAEP encryption/decryption with PKCS1/PKIX key serialisation |
| `crypt/lthn` | `forge.lthn.ai/core/go-crypt/crypt/lthn` | LTHN quasi-salted hash algorithm (RFC-0004) for deterministic content identifiers |
| `auth` | `forge.lthn.ai/core/go-crypt/auth` | OpenPGP challenge-response authentication with online and air-gapped (file-based courier) transport |
| `trust` | `forge.lthn.ai/core/go-crypt/trust` | Agent trust tiers with policy-based capability access control |
Dependencies
- `forge.lthn.ai/core/go` — Core framework (error handling, IO abstractions, config)
- `github.com/ProtonMail/go-crypto` — OpenPGP implementation
- `golang.org/x/crypto` — Argon2, scrypt, HKDF, ChaCha20-Poly1305, bcrypt
Quick Start
```go
package main

import (
	"fmt"
	"log"

	"forge.lthn.ai/core/go-crypt/crypt"
)

func main() {
	plaintext := []byte("sensitive data")
	passphrase := []byte("strong-passphrase")

	// Encrypt with ChaCha20-Poly1305 (Argon2id-derived key)
	encrypted, err := crypt.Encrypt(plaintext, passphrase)
	if err != nil {
		log.Fatal(err)
	}

	// Decrypt
	decrypted, err := crypt.Decrypt(encrypted, passphrase)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(string(decrypted)) // "sensitive data"
}
```
API Overview
| Function | Package | Description |
|---|---|---|
| `Encrypt` / `Decrypt` | `crypt` | ChaCha20-Poly1305 with Argon2id key derivation |
| `EncryptAES` / `DecryptAES` | `crypt` | AES-256-GCM with Argon2id key derivation |
| `ChaCha20Encrypt` / `ChaCha20Decrypt` | `crypt` | Low-level XChaCha20-Poly1305 |
| `AESGCMEncrypt` / `AESGCMDecrypt` | `crypt` | Low-level AES-256-GCM |
| `HashPassword` / `VerifyPassword` | `crypt` | Argon2id password hashing |
| `HashBcrypt` / `VerifyBcrypt` | `crypt` | bcrypt password hashing |
| `DeriveKey` | `crypt` | Argon2id KDF |
| `DeriveKeyScrypt` | `crypt` | scrypt KDF |
| `HKDF` | `crypt` | HKDF-SHA256 key derivation |
| `HMACSHA256` / `HMACSHA512` | `crypt` | HMAC computation |
| `VerifyHMAC` | `crypt` | Constant-time HMAC verification |
| `SHA256File` / `SHA512File` | `crypt` | File checksums |
| `SHA256Sum` / `SHA512Sum` | `crypt` | Data checksums |
| `CreateKeyPair` | `pgp` | OpenPGP key pair generation |
| `Encrypt` / `Decrypt` | `pgp` | PGP encryption/decryption |
| `Sign` / `Verify` | `pgp` | PGP signing/verification |
| `Hash` / `Verify` | `lthn` | LTHN quasi-salted hashing (RFC-0004) |
| `New` | `auth` | Create authenticator with challenge-response support |
| `NewRegistry` | `trust` | Create agent trust registry |
| `NewPolicyEngine` | `trust` | Create policy engine for capability evaluation |
Further Reading
- Encryption-and-Hashing — Symmetric encryption, password hashing, KDF, HMAC, and checksums
- Authentication — OpenPGP challenge-response authentication (online and air-gapped)
- Trust-Engine — Agent trust tiers and policy-based access control