Secure Data Serialization for Go
XBin25 is a Go package designed for secure data serialization, combining state-of-the-art encryption, digital signatures, and multi-layer compression. It ensures confidentiality, integrity, and authenticity for sensitive data in transit or at rest.
- Military-Grade Encryption: AES-256-GCM encryption with unique per-message keys
- Secure Key Exchange: RSA-OAEP for AES key encryption (3072-bit or stronger)
- Tamper Evidence: RSA-PSS digital signatures for data authenticity
- Compression Layers: Parallelized zstd (inner) and pgzip (outer) compression
- Replay Protection: Configurable timestamp validity windows
- Memory Hardening: Sensitive keys guarded by
memguardagainst memory leaks - Modern Serialization: Efficient MessagePack encoding for structured data
go get github.com/nthnn/xbin25- Go 1.20+
memguard(secure memory)msgpack/v5(serialization)pgzip/zstd(compression)rsa/aes(crypto primitives)
import "github.com/nthnn/xbin25"
func main() {
// Initialize configuration
config := xbin25.NewConfig(
"encrypt-cert.pem", // RSA public key for encryption
"encrypt-key.pem", // RSA private key for decryption
"sign-cert.pem", // RSA public key for signature verification
"sign-key.pem", // RSA private key for signing
"user-auth-system", // Context label
30*time.Minute, // Max message age
1024*1024, // 1MB compression blocks
)
// Marshall sensitive data
data := map[string]interface{}{
"session_id": "7a4e3b1c-89f2-4d65-9128-cc9a4b1d0e7f",
"permissions": []string{"read:logs", "write:config"},
}
encryptedData, err := config.Marshall(data)
if err != nil {
panic(err)
}
// Unmarshall securely
decrypted, err := config.Unmarshall(encryptedData)
if err != nil {
panic(err)
}
restored := decrypted.(map[string]interface{})
}| Parameter | Description |
|---|---|
| EncryptCertFile | Path to PEM-encoded X.509 certificate with RSA public key for encryption |
| EncryptKeyFile | Path to PEM-encoded RSA private key for decryption |
| SignCertFile | Path to PEM-encoded X.509 certificate for signature verification |
| SignKeyFile | Path to PEM-encoded RSA private key for signing |
| BlockSize | Compression block size (typically 1MB-4MB) |
| Label | Auto-derived from label string (SHA-256 hash of provided label) |
| Duration | Maximum allowed message age (e.g., 30*time.Minute) |
- MessagePack serialization
- AES-256-GCM encryption with random key
- RSA-OAEP encryption of AES key
- zstd compression
- RSA-PSS signing
- Timestamp embedding
- pgzip outer compression
- pgzip decompression
- Timestamp validation
- RSA-PSS signature verification
- zstd decompression
- RSA-OAEP decryption
- AES-GCM decryption
- MessagePack deserialization
-
Key Management
- Use 4096-bit RSA keys minimum
- Store private keys in hardware security modules (HSMs) where possible
- Rotate signing keys quarterly
-
Operational Security
- Keep system clocks synchronized (NTP)
- Use unique labels for different data contexts
- Set conservative duration windows (15-60 minutes)
-
Performance Tuning
- Adjust BlockSize based on payload characteristics
- Balance between zstd compression level and CPU usage
- Utilize hardware-accelerated AES (AES-NI)
Apache 2.0 - See LICENSE for details.
Copyright 2025 Nathanne Isip
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.