package crypto import ( "crypto/aes" "crypto/cipher" "crypto/rand" "encoding/base64" "errors" "io" ) func Encrypt(key, plaintext []byte) (string, error) { gcm, err := newGCM(key) if err != nil { return "", err } nonce := make([]byte, gcm.NonceSize()) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return "", err } ct := gcm.Seal(nonce, nonce, plaintext, nil) return base64.StdEncoding.EncodeToString(ct), nil } func Decrypt(key []byte, enc string) ([]byte, error) { gcm, err := newGCM(key) if err != nil { return nil, err } raw, err := base64.StdEncoding.DecodeString(enc) if err != nil { return nil, err } ns := gcm.NonceSize() if len(raw) < ns { return nil, errors.New("ciphertext too short") } return gcm.Open(nil, raw[:ns], raw[ns:], nil) } func newGCM(key []byte) (cipher.AEAD, error) { if len(key) != 32 { return nil, errors.New("key must be 32 bytes (AES-256)") } block, err := aes.NewCipher(key) if err != nil { return nil, err } return cipher.NewGCM(block) }