
Secret Value Manager in Go
Core Components

The encryption system consists of three main components:

- Passphrase management (digesting and verification)
- Secret encryption
- Secret decryption

Passphrase Management

The master passphrase is never stored directly. Instead, we store a digest created using PBKDF2:

    import (
        "encoding/hex"
        "strings"
    )

    // Constants for cryptographic operations
    const saltLength int = 32      // Length of salt in bytes for key derivation
    const secretKeyLength int = 32 // Length of derived key (256 bits for AES-256)
    const separator string = "-"   // Separator for components in stored values

    // DigestPassphrase returns the value to store in place of the passphrase.
    // deriveKey is the article's PBKDF2 helper (not shown in this excerpt).
    func DigestPassphrase(passphrase string) string {
        // Derive a key and get a salt (nil means generate new salt)
        key, salt := deriveKey(passphrase, nil)

        // Store as: <derived_key>-<salt>
        // Both components are hex-encoded for safe storage
        digestedPassphrase := strings.Join(
            []string{hex.EncodeToString(key), hex.EncodeToString(salt)},
            separator,
        )
        return digestedPassphrase
    }

The key derivation function uses PBKDF2 with these spe
Continue reading on Dev.to Tutorial
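The component list above names passphrase verification, which this excerpt does not reach. The following is an added example, not code from the original article, that checks a passphrase against the stored `<derived_key>-<salt>` format and rejects malformed digests. `deriveKeyWithSalt` is a hypothetical stand-in for the article's `deriveKey`; HMAC-SHA256 and the iteration count are assumptions, since the article's PBKDF2 parameters are cut off.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

const saltLength, secretKeyLength = 32, 32 // byte lengths given on the page
const separator = "-"                      // from the page
const iterations = 100_000                 // assumption: the page's count is not shown

// deriveKeyWithSalt (hypothetical name) computes block 1 of PBKDF2-HMAC-SHA256,
// which is the entire output when the key length equals the 32-byte hash size.
func deriveKeyWithSalt(passphrase string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u, key := mac.Sum(nil), mac.Sum(nil)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j] // fold each round into the running key
		}
	}
	return key
}

// VerifyPassphrase re-derives the key with the stored salt and compares in constant time.
func VerifyPassphrase(passphrase, digest string) bool {
	keyHex, saltHex, _ := strings.Cut(digest, separator)
	want, errK := hex.DecodeString(keyHex)
	salt, errS := hex.DecodeString(saltHex)
	if errK != nil || errS != nil || len(want) != secretKeyLength || len(salt) != saltLength {
		return false // malformed or truncated stored digest
	}
	return subtle.ConstantTimeCompare(deriveKeyWithSalt(passphrase, salt), want) == 1
}

func main() {
	salt := make([]byte, saltLength) // constructed all-zero salt, for a repeatable demo only
	digest := hex.EncodeToString(deriveKeyWithSalt("correct horse", salt)) + separator + hex.EncodeToString(salt)
	fmt.Println(VerifyPassphrase("correct horse", digest), VerifyPassphrase("wrong", digest))
}
```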



