pub fn looks_encrypted(data: &[u8]) -> boolExpand description
Detect whether raw file bytes look like an AES-256-GCM encrypted secrets blob (binary with salt+nonce header) or a plaintext secrets file (UTF-8 JSON / YAML / TOML).
Returns true if the content appears to be encrypted.
Heuristic:
- Files shorter than the minimum encrypted length cannot be valid
ciphertext — return
false. - The entire content is checked for UTF-8 validity (not just the
first few bytes). Only if the whole file is valid UTF-8 and begins
with a recognisable plaintext marker (
[,{,-,#) is it treated as plaintext — returnfalse. - Binary content (not valid UTF-8) or UTF-8 without a plaintext
marker is assumed to be encrypted — return
true.
Note: a pathological plaintext file that is valid UTF-8 but lacks a
leading plaintext marker (e.g. a TOML file whose first non-whitespace
character is a letter) will be misclassified as encrypted and produce
a SecretsDecryptFailed error. Use force_plaintext: true in
load_secrets_auto to bypass the heuristic in that case.