pub struct SecretKey { /* private fields */ }Expand description
A zeroizing age secret key.
Wraps a secret key string inside Zeroizing, guaranteeing that the
underlying memory is cleared when the SecretKey is dropped. The key must
start with the standard age secret key prefix "AGE-SECRET-KEY-1".
The Debug and [Display] implementations intentionally redact the
actual value to prevent accidental leakage in logs or error messages.
§Invariants
- The inner string is never empty.
- The inner string always starts with
"AGE-SECRET-KEY-1". - Memory is zeroized on drop via
Zeroizing.
§Examples
use age_setup::SecretKey;
let sk = SecretKey::new("AGE-SECRET-KEY-1ABCDEF".into())?;
// The debug representation hides the actual value.
assert_eq!(format!("{:?}", sk), "SecretKey { value: \"[REDACTED]\" }");§See Also
Implementations§
Source§impl SecretKey
impl SecretKey
Sourcepub fn new(raw: String) -> Result<Self>
pub fn new(raw: String) -> Result<Self>
Creates a new SecretKey after validating the age secret key prefix.
The provided raw string must start with "AGE-SECRET-KEY-1" and must
not be empty.
§Errors
Returns Error::Validation with
ValidationError::InvalidSecretKeyFormat
if the key is empty or does not start with the required prefix.
§Examples
use age_setup::SecretKey;
assert!(SecretKey::new("AGE-SECRET-KEY-1VALID".into()).is_ok());
assert!(SecretKey::new("bad".into()).is_err());
assert!(SecretKey::new("".into()).is_err());Sourcepub fn expose_secret(&self) -> &str
pub fn expose_secret(&self) -> &str
Returns a reference to the underlying secret key string.
Use this only when the secret must be passed to another API. Prefer
to keep the SecretKey in scope and avoid unnecessary copies.
§Examples
use age_setup::SecretKey;
let sk = SecretKey::new("AGE-SECRET-KEY-1SECRET".into())?;
assert_eq!(sk.expose_secret(), "AGE-SECRET-KEY-1SECRET");