First commit.

.gitignore

@@ -0,0 +1,2 @@
+*.log
+.vscode/

CHANGELOG.md

@@ -0,0 +1,8 @@
+# git.sa-roci.de/oss/go_encryption Release notes
+
+All notable changes to this project will be documented in this file.
+This project adheres to [Semantic Versioning](http://semver.org/).
+
+## v. 0.0.1
+
+- Initial Release.

IEncryptionProvider.go

@@ -0,0 +1,27 @@
+package go_encryption
+
+type IEncryptionProvider interface {
+	// SetEncryptionKey allows to modify the encryption key.
+	SetEncryptionKey(key []byte)
+
+	// SetContext allows to modify the encryption context.
+	SetContext(context []byte) (err error)
+
+	// Encrypt tries to encrypt the given binary with the appropriate cipher.
+	Encrypt(binary []byte) (encrypted []byte, err error)
+
+	// EncryptData returns the given data as JSON in encrypted form.
+	EncryptData(data interface{}) (encrypted []byte, err error)
+
+	// EncryptToFile saves the given data to the given filepath as JSON in encrypted form.
+	EncryptToFile(data interface{}, filepath string) (err error)
+
+	// Decrypt tries to decrypt the given binary with the appropriate cipher.
+	Decrypt(binary []byte) (decrypted []byte, err error)
+
+	// DecryptData tries to decrypt the given binary and to unmarshal the resulting JSON to the target interface.
+	DecryptData(binary []byte, target interface{}) (err error)
+
+	// DecryptData tries to decrypt the content of the file specified and to unmarshal the resulting JSON to the target interface.
+	DecryptFile(path string, target interface{}) (err error)
+}

LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2024 Sa Rocí Solutions
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,31 @@
+# git.sa-roci.de/oss/go_encryption
+
+An extensible encryption package with an implementation for AES-128Bit en-/decryption functionality.
+
+``` golang
+type IEncryptionProvider interface {
+    // SetEncryptionKey allows to modify the encryption key.
+    SetEncryptionKey(key []byte)
+
+    // SetContext allows to modify the encryption context.
+    SetContext(context []byte) (err error)
+
+    // Encrypt tries to encrypt the given binary with the appropriate cipher.
+    Encrypt(binary []byte) (encrypted []byte, err error)
+
+    // EncryptData returns the given data as JSON in encrypted form.
+    EncryptData(data interface{}) (encrypted []byte, err error)
+
+    // EncryptToFile saves the given data to the given filepath as JSON in encrypted form.
+    EncryptToFile(data interface{}, filepath string) (err error)
+
+    // Decrypt tries to decrypt the given binary with the appropriate cipher.
+    Decrypt(binary []byte) (decrypted []byte, err error)
+
+    // DecryptData tries to decrypt the given binary and to unmarshal the resulting JSON to the target interface.
+    DecryptData(binary []byte, target interface{}) (err error)
+
+    // DecryptData tries to decrypt the content of the file specified and to unmarshal the resulting JSON to the target interface.
+    DecryptFile(path string, target interface{}) (err error)
+}
+```

global.go

@@ -0,0 +1,60 @@
+package go_encryption
+
+import "sync"
+
+var (
+	mutex = sync.RWMutex{}
+	std   = NewAES128EncryptionProvider()
+)
+
+func SetProvider(provider IEncryptionProvider) {
+	if provider == nil {
+		panic("undefined provider")
+	}
+	mutex.Lock()
+	defer mutex.Unlock()
+	std = provider
+}
+
+// SetEncryptionKey allows to modify the system-wide encryption key.
+func SetEncryptionKey(key []byte) {
+	mutex.Lock()
+	defer mutex.Unlock()
+	std.SetEncryptionKey(key)
+}
+
+// SetContext allows to modify the system-wide encryption context.
+// N.B.: context must be 12 to 16 bytes in length.
+func SetContext(context []byte) (err error) {
+	mutex.Lock()
+	defer mutex.Unlock()
+	return std.SetContext(context)
+}
+
+// EncryptData returns the given data as JSON in encrypted form.
+func EncryptData(data interface{}) (encrypted []byte, err error) {
+	mutex.RLock()
+	defer mutex.RUnlock()
+	return std.EncryptData(data)
+}
+
+// EncryptToFile saves the given data to the given filepath as JSON in encrypted form.
+func EncryptToFile(data interface{}, filepath string) (err error) {
+	mutex.RLock()
+	defer mutex.RUnlock()
+	return std.EncryptToFile(data, filepath)
+}
+
+// DecryptData tries to decrypt the given binary and to unmarshal the resulting JSON to the target interface.
+func DecryptData(binary []byte, target interface{}) (err error) {
+	mutex.RLock()
+	defer mutex.RUnlock()
+	return std.DecryptData(binary, target)
+}
+
+// DecryptData tries to decrypt the content of the file specified and to unmarshal the resulting JSON to the target interface.
+func DecryptFile(path string, target interface{}) (err error) {
+	mutex.RLock()
+	defer mutex.RUnlock()
+	return std.DecryptFile(path, target)
+}

global_test.go

@@ -0,0 +1,156 @@
+package go_encryption
+
+import (
+	"bytes"
+	"encoding/hex"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"testing"
+)
+
+func Test_GlobalSetProvider(t *testing.T) {
+	SetProvider(NewAES128EncryptionProvider())
+
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	var err any
+
+	go func() {
+		defer func() {
+			err = recover()
+			wg.Done()
+		}()
+		SetProvider(nil)
+	}()
+
+	wg.Wait()
+
+	if err == nil {
+		t.FailNow()
+	}
+}
+
+func Test_GlobalSetEncryptionKey(t *testing.T) {
+	binaryKey := append([]byte{}, std.(*aes128encryption).encryptionKey...)
+	SetEncryptionKey(binaryKey)
+	if !strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(std.(*aes128encryption).encryptionKey)) {
+		t.Error("Test_GlobalSetEncryptionKey: test case 1: encryption key should not have changed")
+	}
+
+	binaryKey[4] = 42
+	binaryKey[5] = 42
+	binaryKey[6] = 42
+	SetEncryptionKey(binaryKey)
+	if strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(std.(*aes128encryption).encryptionKey)) {
+		t.Error("Test_GlobalSetEncryptionKey: test case 2: encryption key was not changed")
+	}
+
+	binaryKey = binaryKey[:3]
+	SetEncryptionKey(binaryKey)
+	if strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(std.(*aes128encryption).encryptionKey)) {
+		t.Error("Test_GlobalSetEncryptionKey: test case 3: encryption key was not changed")
+	}
+
+	if binaryKey, err := hex.DecodeString(defaultEncryptionKey); err == nil {
+		SetEncryptionKey(binaryKey)
+		if !strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(std.(*aes128encryption).encryptionKey)) {
+			t.Error("Test_GlobalSetEncryptionKey: test case 4.2: Failed to reset encryption key")
+		}
+	} else {
+		t.Error("Test_GlobalSetEncryptionKey: test case 4.1: Failed to reset encryption key")
+	}
+}
+
+func Fuzz_GlobalSetContext(f *testing.F) {
+	testCases := [][]byte{
+		nil,
+		{},
+		{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
+		{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
+		{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17},
+	}
+	for i := 0; i < 5; i++ {
+		testCases = append(testCases, randomByteArray())
+	}
+	for _, tc := range testCases {
+		f.Add(tc)
+	}
+	f.Fuzz(func(t *testing.T, a []byte) {
+		result := SetContext(a)
+		if 12 > len(a) || len(a) > 16 {
+			if result == nil {
+				t.Errorf("got no error for %v", a)
+			}
+		} else if result != nil {
+			t.Errorf("got an error for %v", a)
+		}
+	})
+	if SetContext(defaultContext) != nil {
+		f.Error("unable to reset context")
+	}
+}
+
+func Test_GlobalEncryptData(t *testing.T) {
+	if encrypted, err := EncryptData(defaultTestStruct); err != nil {
+		t.Error("unexpected error in default data encryption")
+	} else if !bytes.Equal(encrypted, []byte(defaultTestStructEncrypted)) {
+		t.Error("unexpected data for encrypted content")
+	}
+}
+
+func Test_GlobalDecryptData(t *testing.T) {
+	target := &testStruct{}
+	if err := DecryptData([]byte(defaultTestStructEncrypted), target); err != nil {
+		t.Error("unexpected error in default data decryption")
+	} else if target.BoolVal != defaultTestStruct.BoolVal ||
+		target.FloatVal != defaultTestStruct.FloatVal ||
+		target.IntVal != defaultTestStruct.IntVal ||
+		target.StringVal != defaultTestStruct.StringVal {
+		t.Error("retrieved struct does not match the expectations")
+	}
+}
+
+func getTestFilePathGlobal(encrypt bool) string {
+	fileName := "global_encryption_test_encrypted.data"
+	if !encrypt {
+		fileName = "global_encryption_test_decryptable.data"
+	}
+	return filepath.Join(os.Getenv("temp"), fileName)
+}
+
+func Test_GlobalEncryptToFile(t *testing.T) {
+	targetPath := getTestFilePathGlobal(true)
+	if err := EncryptToFile(defaultTestStruct, targetPath); err != nil {
+		t.Error("unexpected error in default encryption")
+	} else if encrypted, errRead := os.ReadFile(targetPath); errRead == nil {
+		os.Remove(targetPath)
+		if !bytes.Equal(encrypted, []byte(defaultTestStructEncrypted)) {
+			t.Error("unexpected data for encrypted content")
+		}
+	} else {
+		t.Errorf("expected file could not be read: %s", errRead)
+		if !os.IsNotExist(errRead) {
+			os.Remove(targetPath)
+		}
+	}
+}
+
+func Test_GlobalDecryptFile(t *testing.T) {
+	sourcePath := getTestFilePathGlobal(false)
+	if os.WriteFile(sourcePath, []byte(defaultTestStructEncrypted), os.ModePerm) == nil {
+		target := &testStruct{}
+		if err := DecryptFile(sourcePath, target); err != nil {
+			t.Error("unexpected error in default decryption")
+		} else if target.BoolVal != defaultTestStruct.BoolVal ||
+			target.FloatVal != defaultTestStruct.FloatVal ||
+			target.IntVal != defaultTestStruct.IntVal ||
+			target.StringVal != defaultTestStruct.StringVal {
+			t.Error("retrieved struct does not match the expectations")
+		}
+		os.Remove(sourcePath)
+	} else {
+		t.Error("could not prepare test file for decryption")
+	}
+}

go.mod

@@ -0,0 +1,3 @@
+module git.sa-roci.de/oss/go_encryption
+
+go 1.18

go.work

@@ -0,0 +1,5 @@
+go 1.18
+
+use (
+	.
+)

go_encryption.code-workspace

@@ -0,0 +1,9 @@
+{
+	"folders": [
+		{
+			"name": "git.sa-roci.de/oss/go_encryption",
+			"path": "."
+		}
+	],
+	"settings": {}
+}

implementation.go

@@ -0,0 +1,151 @@
+package go_encryption
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"os"
+)
+
+func NewAES128EncryptionProvider() IEncryptionProvider {
+	key, _ := hex.DecodeString(defaultEncryptionKey)
+	return &aes128encryption{
+		encryptionKey: key,
+		_context:      defaultContext,
+	}
+}
+
+type aes128encryption struct {
+	encryptionKey []byte
+	_context      []byte
+}
+
+// SetEncryptionKey allows to modify the encryption key.
+func (e *aes128encryption) SetEncryptionKey(key []byte) {
+	// Make sure we have a valid key length
+	if keyLen := len(key); keyLen != 16 &&
+		keyLen != 24 &&
+		keyLen != 32 {
+		if keyLen == 0 {
+			key, _ = hex.DecodeString(defaultEncryptionKey)
+		} else if keyLen < 32 {
+			keyHash := sha256.Sum256(key)
+			key = keyHash[:]
+		} else {
+			keyHash := sha512.Sum512_256(key)
+			key = keyHash[:]
+		}
+	}
+	e.encryptionKey = key
+}
+
+// SetContext allows to modify the encryption context.
+// N.B.: The context must be between 12 and 16 bytes long.
+func (e *aes128encryption) SetContext(context []byte) (err error) {
+	length := len(context)
+	if 12 > length || length > 16 {
+		err = fmt.Errorf("encryption: unsupported context length")
+	} else {
+		e._context = e._context[:0]
+		e._context = append(e._context, context...)
+	}
+	return
+}
+
+// EncryptData returns the given data as JSON in encrypted form.
+func (e *aes128encryption) EncryptData(data interface{}) (encrypted []byte, err error) {
+	var binary []byte
+	if binary, err = json.Marshal(data); err == nil {
+		encrypted, err = e.Encrypt(binary)
+	}
+	return
+}
+
+// EncryptToFile saves the given data to the given filepath as JSON in encrypted form.
+func (e *aes128encryption) EncryptToFile(data interface{}, filepath string) (err error) {
+	var encrypted []byte
+	if encrypted, err = e.EncryptData(data); err == nil {
+		err = os.WriteFile(filepath, encrypted, os.ModePerm)
+	}
+	return
+}
+
+// DecryptData tries to decrypt the given binary and to unmarshal the resulting JSON to the target interface.
+func (e *aes128encryption) DecryptData(binary []byte, target interface{}) (err error) {
+	var decrypted []byte
+	if decrypted, err = e.Decrypt(binary); err == nil {
+		err = json.Unmarshal(decrypted, target)
+		for i := 0; i < len(decrypted); i++ {
+			decrypted[i] = 0
+		}
+	}
+	return
+}
+
+// DecryptData tries to decrypt the content of the file specified and to unmarshal the resulting JSON to the target interface.
+func (e *aes128encryption) DecryptFile(path string, target interface{}) (err error) {
+	var binary []byte
+	if binary, err = os.ReadFile(path); err == nil {
+		err = e.DecryptData(binary, target)
+	}
+	return
+}
+
+// getCrypter returns an AES cipher interface based on the current 16-, 24- or 32-byte key.
+func (e *aes128encryption) getCrypter() (crypter cipher.AEAD, err error) {
+	var key []byte
+	key = append(key, e.encryptionKey...)
+	var block cipher.Block
+	if block, err = aes.NewCipher(key); err == nil {
+		crypter, err = cipher.NewGCMWithNonceSize(block, len(e._context))
+	}
+	for i := 0; i < len(key); i++ {
+		key[i] = 0
+	}
+	return
+}
+
+// getNonce returns a copy of the conext data
+func (e *aes128encryption) getNonce() (nonce []byte) {
+	nonce = append(nonce, e._context...)
+	return
+}
+
+// Encrypt tries to encrypt the given binary with the appropriate AES cipher.
+// N.B.: The data in the given binary will be nulled upon successful encryption.
+func (e *aes128encryption) Encrypt(binary []byte) (encrypted []byte, err error) {
+	var crypter cipher.AEAD
+	if crypter, err = e.getCrypter(); err == nil {
+		nonce := e.getNonce()
+		encrypted = crypter.Seal(nonce, nonce, binary, nil)
+		for i := 0; i < len(binary); i++ {
+			binary[i] = 0
+		}
+	}
+	return
+}
+
+// Decrypt tries to decrypt the given binary with the appropriate AES cipher.
+func (e *aes128encryption) Decrypt(binary []byte) (decrypted []byte, err error) {
+	var crypter cipher.AEAD
+	if crypter, err = e.getCrypter(); err == nil {
+		nonceSize := crypter.NonceSize()
+		if len(binary) > nonceSize {
+			context, encrypted := binary[:nonceSize], binary[nonceSize:]
+			nonce := e.getNonce()
+			if bytes.Equal(nonce, context) {
+				decrypted, err = crypter.Open(nil, nonce, encrypted, nil)
+			} else {
+				err = fmt.Errorf("encryption: bad context")
+			}
+		} else {
+			err = fmt.Errorf("encryption: not enough data")
+		}
+	}
+	return
+}

implementation_test.go

@@ -0,0 +1,236 @@
+package go_encryption
+
+import (
+	"bytes"
+	"encoding/hex"
+	"math/rand"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+type testStruct struct {
+	BoolVal   bool    `json:"boolVal"`
+	IntVal    int     `json:"intVal"`
+	FloatVal  float64 `json:"floatVal"`
+	StringVal string  `json:"stringVal"`
+}
+
+const (
+	defaultTestStructJSON      = "{\"boolVal\":true,\"intVal\":1,\"floatVal\":0.42,\"stringVal\":\"testing\"}"
+	defaultTestStructEncrypted = "SaRociSolutions\x80e#.\x8e\xc5M:\x90\xbe\x98\xd2\xdasA䊭\\cp%\xc4w\xea\x8bSِ\x80\xbe\xdc|o\x13\xb1JݛC\x0fG\xca\xdbc\x85I6\xbdd\x03O[a@%\x91'K\xd0r\x9e\xf1[\x8cx\xdfG\x8cc^|\x82\x95Jf[\xdaC\xd9I"
+	contextTestStructEncrypted = "__-=SaRoci=-__\xe45\xefVFJ\xa2\x1b\xb3\x93\t\x10lar՜\x992\xaf}\x83V\xa9\xff\xfe,U\x19%\xe7\xfbvۚ\xb2\xfe\xaeH@=Q\xabX\x17\u007f\xb0\xf4\xc9\f3\x02\x84\x80\x8b\xac\x86\x97C\f\xe8)\xf7f\x1e\u05cdy\xd0|p\x936\xe5\xe3\xb9u\xf3\x01̋"
+)
+
+var (
+	defaultTestStruct = testStruct{
+		BoolVal:   true,
+		IntVal:    1,
+		FloatVal:  0.42,
+		StringVal: "testing",
+	}
+)
+
+func getImplementation() *aes128encryption {
+	return NewAES128EncryptionProvider().(*aes128encryption)
+}
+
+func Test_GetCrypter(t *testing.T) {
+	t.Parallel()
+	e := getImplementation()
+	var err error
+	if _, err = e.getCrypter(); err != nil {
+		t.Error("unexpected error in default crypter-generation")
+	}
+
+	e.encryptionKey = e.encryptionKey[:len(e.encryptionKey)-1]
+	if _, err = e.getCrypter(); err == nil {
+		t.Error("expected error in crypter-generation for bad length hex-encoded key did not occur")
+	}
+
+	e.encryptionKey = e.encryptionKey[:len(e.encryptionKey)-1]
+	if _, err = e.getCrypter(); err == nil {
+		t.Error("expected error in crypter-generation for bad key size did not occur")
+	}
+}
+
+func Test_SetEncryptionKey(t *testing.T) {
+	t.Parallel()
+	e := getImplementation()
+	binaryKey := append([]byte{}, e.encryptionKey...)
+	e.SetEncryptionKey(binaryKey)
+	if !strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(e.encryptionKey)) {
+		t.Error("Test_SetEncryptionKey: test case 1: encryption key should not have changed")
+	}
+
+	binaryKey[4] = 42
+	binaryKey[5] = 42
+	binaryKey[6] = 42
+	e.SetEncryptionKey(binaryKey)
+	if strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(e.encryptionKey)) {
+		t.Error("Test_SetEncryptionKey: test case 2: encryption key was not changed")
+	}
+
+	binaryKey = append(binaryKey, binaryKey...)
+	e.SetEncryptionKey(binaryKey)
+	if strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(e.encryptionKey)) {
+		t.Error("Test_SetEncryptionKey: test case 3: encryption key was not changed")
+	}
+
+	binaryKey = binaryKey[:3]
+	e.SetEncryptionKey(binaryKey)
+	if strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(e.encryptionKey)) {
+		t.Error("Test_SetEncryptionKey: test case 4: encryption key was not changed")
+	}
+
+	e.SetEncryptionKey(nil)
+	if !strings.EqualFold(defaultEncryptionKey, hex.EncodeToString(e.encryptionKey)) {
+		t.Error("Test_SetEncryptionKey: test case 5: encryption key was not reset to default")
+	}
+}
+
+func randomByteArray() []byte {
+	len := rand.Intn(32)
+	result := make([]byte, 0)
+	for i := 0; i < len; i++ {
+		result = append(result, byte(rand.Intn(256)))
+	}
+	return result
+}
+
+func Fuzz_SetContext(f *testing.F) {
+	testCases := [][]byte{
+		nil,
+		{},
+		{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11},
+		{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
+		{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
+		{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17},
+	}
+	for i := 0; i < 5; i++ {
+		testCases = append(testCases, randomByteArray())
+	}
+	for _, tc := range testCases {
+		f.Add(tc)
+	}
+	f.Fuzz(func(t *testing.T, a []byte) {
+		t.Parallel()
+		e := NewAES128EncryptionProvider()
+		result := e.SetContext(a)
+		if 12 > len(a) || len(a) > 16 {
+			if result == nil {
+				t.Errorf("got no error for %v", a)
+			}
+		} else if result != nil {
+			t.Errorf("got an error for %v", a)
+		}
+
+		if e.SetContext(defaultContext) != nil {
+			t.Error("unable to reset context")
+		}
+	})
+}
+
+func Test_Encrypt(t *testing.T) {
+	t.Parallel()
+	e := getImplementation()
+	binary := []byte(defaultTestStructJSON)
+	blank := make([]byte, len(binary))
+	if encrypted, err := e.Encrypt(binary); err != nil {
+		t.Error("unexpected error in default encryption")
+	} else if !bytes.Equal(encrypted, []byte(defaultTestStructEncrypted)) {
+		t.Error("unexpected data for encrypted content")
+	} else if !bytes.Equal(binary, blank) {
+		t.Error("binary has not been blanked out")
+	}
+}
+
+func Test_Decrypt(t *testing.T) {
+	t.Parallel()
+	e := getImplementation()
+	if decrypted, err := e.Decrypt([]byte(defaultTestStructEncrypted)); err != nil {
+		t.Error("unexpected error in default decryption")
+	} else if !bytes.Equal(decrypted, []byte(defaultTestStructJSON)) {
+		t.Error("unexpected data for decrypted content")
+	}
+
+	if _, err := e.Decrypt([]byte(contextTestStructEncrypted)); err == nil {
+		t.Error("expected context error did not occur")
+	}
+
+	if _, err := e.Decrypt([]byte(contextTestStructEncrypted)[:11]); err == nil {
+		t.Error("expected length error did not occur")
+	}
+}
+
+func Test_EncryptData(t *testing.T) {
+	t.Parallel()
+	e := NewAES128EncryptionProvider()
+	if encrypted, err := e.EncryptData(defaultTestStruct); err != nil {
+		t.Error("unexpected error in default data encryption")
+	} else if !bytes.Equal(encrypted, []byte(defaultTestStructEncrypted)) {
+		t.Error("unexpected data for encrypted content")
+	}
+}
+
+func Test_DecryptData(t *testing.T) {
+	t.Parallel()
+	e := NewAES128EncryptionProvider()
+	target := &testStruct{}
+	if err := e.DecryptData([]byte(defaultTestStructEncrypted), target); err != nil {
+		t.Error("unexpected error in default data decryption")
+	} else if target.BoolVal != defaultTestStruct.BoolVal ||
+		target.FloatVal != defaultTestStruct.FloatVal ||
+		target.IntVal != defaultTestStruct.IntVal ||
+		target.StringVal != defaultTestStruct.StringVal {
+		t.Error("retrieved struct does not match the expectations")
+	}
+}
+
+func getTestFilePath(encrypt bool) string {
+	fileName := "encryption_test_encrypted.data"
+	if !encrypt {
+		fileName = "encryption_test_decryptable.data"
+	}
+	return filepath.Join(os.Getenv("temp"), fileName)
+}
+
+func Test_EncryptToFile(t *testing.T) {
+	t.Parallel()
+	e := NewAES128EncryptionProvider()
+	targetPath := getTestFilePath(true)
+	if err := e.EncryptToFile(defaultTestStruct, targetPath); err != nil {
+		t.Error("unexpected error in default encryption")
+	} else if encrypted, errRead := os.ReadFile(targetPath); errRead == nil {
+		os.Remove(targetPath)
+		if !bytes.Equal(encrypted, []byte(defaultTestStructEncrypted)) {
+			t.Error("unexpected data for encrypted content")
+		}
+	} else {
+		t.Errorf("expected file could not be read: %s", errRead)
+		if !os.IsNotExist(errRead) {
+			os.Remove(targetPath)
+		}
+	}
+}
+
+func Test_DecryptFile(t *testing.T) {
+	t.Parallel()
+	sourcePath := getTestFilePath(false)
+	if os.WriteFile(sourcePath, []byte(defaultTestStructEncrypted), os.ModePerm) == nil {
+		target := &testStruct{}
+		e := NewAES128EncryptionProvider()
+		if err := e.DecryptFile(sourcePath, target); err != nil {
+			t.Error("unexpected error in default decryption")
+		} else if target.BoolVal != defaultTestStruct.BoolVal ||
+			target.FloatVal != defaultTestStruct.FloatVal ||
+			target.IntVal != defaultTestStruct.IntVal ||
+			target.StringVal != defaultTestStruct.StringVal {
+			t.Error("retrieved struct does not match the expectations")
+		}
+		os.Remove(sourcePath)
+	} else {
+		t.Error("could not prepare test file for decryption")
+	}
+}

private.go

@@ -0,0 +1,11 @@
+package go_encryption
+
+const (
+	// defaultEncryptionKey is the (randomly chosen) default private encryption key.
+	defaultEncryptionKey = "315C63352A0134453159B3352401F445FA596335240134B5315963D524013445"
+)
+
+var (
+	// defaultContext represents the nonce as used during de-/encryption and must be between 12 and 16 bytes long
+	defaultContext = []byte("SaRociSolutions")
+)