How to Encrypt and Decrypt Data using Golang and AES

I've been exploring how to secure GET URLs without having to resort to sending authorization headers. So I thought of exploring of passing an encrypted api key in the URL itself. I did some research and what I think I need is a symmetrical way of encrypting and decrypting data. Meaning, I should be able to encrypt the data and send to the consumer and when the encrypted data is sent back to the server, I should be able to decrypt it. I did some research and found that the crypto aes package in the golang standard library will work for my requirements.

The first step is to generate a 32 byte key which we'll use to encrypt and decrypt data. https://golang.org/pkg/crypto/aes/#NewCipher

Since in real world applications, you need to save the key somewhere(like saving it to Hashicorp's Vault), I encoded the key to string for this purpose.

bytes := make([]byte, 32) //generate a random 32 byte key for AES-256
if _, err := rand.Read(bytes); err != nil {
	panic(err.Error())
}

key := hex.EncodeToString(bytes) //encode key in bytes to string for saving

Encryption

To encrypt data, we need the ff.:

  • key (32-bytes for AES-256 encryption)
  • nonce (a random no., only used only once)
  • data to encrypt - plaintext in this example

Since the key is in string, we need to convert decode it to bytes.

key, _ := hex.DecodeString(keyString)
plaintext := []byte(stringToEncrypt)

Create a new Cipher Block from the key.

block, err := aes.NewCipher(key)

Create a new GCM - https://en.wikipedia.org/wiki/Galois/Counter_Mode

aesGCM, err := cipher.NewGCM(block)

Create a nonce. Nonce should be from GCM.

nonce := make([]byte, aesGCM.NonceSize())

Encrypt the data using the GCM Seal function.

ciphertext := aesGCM.Seal(nonce, nonce, plaintext, nil)

Here's how the encrypt function looks like.

func encrypt(stringToEncrypt string, keyString string) (encryptedString string) {

	//Since the key is in string, we need to convert decode it to bytes
	key, _ := hex.DecodeString(keyString)
	plaintext := []byte(stringToEncrypt)

	//Create a new Cipher Block from the key
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err.Error())
	}

	//Create a new GCM - https://en.wikipedia.org/wiki/Galois/Counter_Mode
	//https://golang.org/pkg/crypto/cipher/#NewGCM
	aesGCM, err := cipher.NewGCM(block)
	if err != nil {
		panic(err.Error())
	}

	//Create a nonce. Nonce should be from GCM
	nonce := make([]byte, aesGCM.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err.Error())
	}

	//Encrypt the data using aesGCM.Seal
	//Since we don't want to save the nonce somewhere else in this case, we add it as a prefix to the encrypted data. The first nonce argument in Seal is the prefix.
	ciphertext := aesGCM.Seal(nonce, nonce, plaintext, nil)
	return fmt.Sprintf("%x", ciphertext)
}


Decryption

To decrypt the encrypted data/cipher text, it's pretty similar.

Convert the key and encrypted data to bytes.

key, _ := hex.DecodeString(keyString)
enc, _ := hex.DecodeString(encryptedString)

Create a new Cipher Block from the key

block, err := aes.NewCipher(key)

Create a new GCM

aesGCM, err := cipher.NewGCM(block)

Get the nonce size and extract the nonce from the prefix of the encrypted data. This is a very important since you can't decrypt the data without the correct nonce.

nonceSize := aesGCM.NonceSize()
nonce, ciphertext := enc[:nonceSize], enc[nonceSize:]

Decrypt the data using the GCM Open function.

plaintext, err := aesGCM.Open(nil, nonce, ciphertext, nil)

Here's how the decrypt function looks like.

func decrypt(encryptedString string, keyString string) (decryptedString string) {

	key, _ := hex.DecodeString(keyString)
	enc, _ := hex.DecodeString(encryptedString)

	//Create a new Cipher Block from the key
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err.Error())
	}

	//Create a new GCM
	aesGCM, err := cipher.NewGCM(block)
	if err != nil {
		panic(err.Error())
	}

	//Get the nonce size
	nonceSize := aesGCM.NonceSize()

	//Extract the nonce from the encrypted data
	nonce, ciphertext := enc[:nonceSize], enc[nonceSize:]

	//Decrypt the data
	plaintext, err := aesGCM.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		panic(err.Error())
	}

	return fmt.Sprintf("%s", plaintext)
}

Full source code
Here's the full source code. Check the main method to see how the encrypt/decrypt functions are used.

Some useful references
https://www.atpinc.com/blog/what-is-aes-256-encryption
https://en.wikipedia.org/wiki/Cryptographic_nonce
https://golang.org/pkg/crypto/aes
https://golang.org/pkg/crypto/cipher/

That's it!  Hope this useful to someone who would like to start doing cryptography using Golang.  Cheers!

You can reach me in LinkedIn, GitHub or Twitter @donvito