Segurança on Cesar Gimenes

Encryption at rest with Go's stdlib

crg@crg.eti.br (Cesar Gimenes) — Sun, 31 May 2026 00:38:32 -0300

I want to store a piece of data on disk so that, even if the file leaks, it is only readable with the password and any tampering is detected.

To do this we protect the data by encrypting it “at rest”, which basically means the data is protected while it sits on disk and can only be accessed by whoever has the right password.

You can do this with the standard library alone:

Capturing Passwords in the Terminal with Go

crg@crg.eti.br (Cesar Gimenes) — Sat, 30 May 2026 10:00:00 -0300

Reading a password in the terminal looks trivial, but it has two pitfalls: the password shows up on screen if you use ordinary input, and you need to make sure you’re really dealing with a terminal and not a redirection. Let’s solve both with the golang.org/x/term package.

If you read with bufio.Scanner or fmt.Scanln, every keystroke shows up on screen. That won’t do for a password. term.ReadPassword reads straight from the terminal, without echo:

Data Transmission Using Sound: An Experiment with a 'Cup Telephone'

crg@crg.eti.br (Cesar Gimenes) — Sat, 25 Jan 2025 21:58:10 -0300

When I started playing with computers, the only way to load a program into the machine was to type it from scratch. My old computer had no storage; there was no hard drive, floppy disk, or any other way to store data. At startup, the machine loaded BASIC straight from ROM and that was it. Eventually I got a tape recorder, but it was terrible. With no money for a recorder made for computers, I used a household one. It took a long time adjusting the volume and other settings before I could load anything. The equipment was so finicky that I taped the controls down to keep them from moving, because the slightest change would prevent loading.

Optimizing Message Integrity Checks with FNV-1a in Go

crg@crg.eti.br (Cesar Gimenes) — Sat, 18 Jan 2025 00:43:18 -0300

In the article HMAC (Hash-based Message Authentication Code), we saw how that technique ensures a message was not altered in transit and confirms the validity of the signature.

However, while secure, that process is slow and resource-intensive. When we only need to verify message integrity without validating a signature, we can use a faster hash function. For that, we will use the FNV-1a (Fowler-Noll-Vo) algorithm, known for its speed and low collision rate.

mTLS: Implementing Mutual Authentication Between Client and Server in Go

crg@crg.eti.br (Cesar Gimenes) — Sat, 11 Jan 2025 19:49:40 -0300

mTLS (Mutual TLS) authenticates both client and server. Each one presents a digital certificate signed by a trusted certificate authority. By controlling certificate issuance, you ensure that only authorized clients access your service. It also makes it easy to identify the client without needing an API Key or Token. I also recommend using an HMAC (Hash-based Message Authentication Code) header as an additional layer of security and message integrity.

Creating Certificates

In this example, I’ll create the certificates in a simple way for local testing. When deploying to production, be careful with the parameters you use. It’s important to include Subject Alternative Names (SANs), since relying on the CN (Common Name) alone is no longer recommended.

HMAC (Hash-based Message Authentication Code) in Golang

crg@crg.eti.br (Cesar Gimenes) — Fri, 10 Jan 2025 23:33:11 -0300

When building APIs, it’s a good idea to add an authentication header to guarantee message integrity. For example, when your server sends a request or a webhook, include an X-Signature header with an HMAC (Hash-based Message Authentication Code) signature.

To generate the HMAC signature, you use a secret key and the content to be signed, such as the request body, and send the signature in the header. It’s important to make clear exactly what is being signed. I’ve run into problems with clients who couldn’t validate the signature because they used the body parsed as JSON instead of the raw body received in the request.

Manipulating Special Permission Bits

crg@crg.eti.br (Cesar Gimenes) — Sat, 04 Jan 2025 00:36:51 -0300

In the article on Privilege Reduction in Programs, we used the sudo command to run a program with superuser privileges. However, it’s possible to do this without an external command.

For that, we use special file permissions known as the setuid bit and the setgid bit. These attributes allow files to be executed with the privileges of the owning user or group.

To set the setuid and setgid bits, we use the chmod command with the u+s and g+s options, respectively.

Dropping Privileges in Go Programs to Improve Security

crg@crg.eti.br (Cesar Gimenes) — Thu, 02 Jan 2025 22:43:45 -0300

A good practice for improving the security of a system is to drop a program’s execution privileges. Ideally, a program should run with the fewest privileges possible.

On UNIX-like systems, you can change the user and group a program runs as. Let’s walk through how to do that in Go.

Checking Whether the Program Is Running as Root

First, check whether the program is running as root. This matters because we’ll use system calls that require root privileges. (There are other ways to grant these privileges, but we’ll cover that in another article.)