Documentation ¶
Index ¶
- Constants
- type GCPCKMSSeal
- func (s *GCPCKMSSeal) Decrypt(_ context.Context, in *physical.EncryptedBlobInfo) ([]byte, error)
- func (s *GCPCKMSSeal) Encrypt(_ context.Context, plaintext []byte) (*physical.EncryptedBlobInfo, error)
- func (s *GCPCKMSSeal) Finalize(_ context.Context) error
- func (s *GCPCKMSSeal) Init(_ context.Context) error
- func (s *GCPCKMSSeal) KeyID() string
- func (s *GCPCKMSSeal) SealType() string
- func (s *GCPCKMSSeal) SetConfig(config map[string]string) (map[string]string, error)
- type GCPKMSMechanism
Constants ¶
const ( // General GCP values, follows TF naming conventions EnvGCPCKMSSealCredsPath = "GOOGLE_CREDENTIALS" EnvGCPCKMSSealProject = "GOOGLE_PROJECT" EnvGCPCKMSSealLocation = "GOOGLE_REGION" // CKMS-specific values EnvGCPCKMSSealKeyRing = "VAULT_GCPCKMS_SEAL_KEY_RING" EnvGCPCKMSSealCryptoKey = "VAULT_GCPCKMS_SEAL_CRYPTO_KEY" )
const ( // GCPKMSEncrypt is used to directly encrypt the data with KMS GCPKMSEncrypt = iota // GCPKMSEnvelopeAESGCMEncrypt is when a data encryption key is generatated and // the data is encrypted with AESGCM and the key is encrypted with KMS GCPKMSEnvelopeAESGCMEncrypt )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type GCPCKMSSeal ¶
type GCPCKMSSeal struct {
// contains filtered or unexported fields
}
func NewSeal ¶
func NewSeal(logger log.Logger) *GCPCKMSSeal
func (*GCPCKMSSeal) Decrypt ¶
func (s *GCPCKMSSeal) Decrypt(_ context.Context, in *physical.EncryptedBlobInfo) ([]byte, error)
Decrypt is used to decrypt the ciphertext.
func (*GCPCKMSSeal) Encrypt ¶
func (s *GCPCKMSSeal) Encrypt(_ context.Context, plaintext []byte) (*physical.EncryptedBlobInfo, error)
Encrypt is used to encrypt the master key using the the AWS CMK. This returns the ciphertext, and/or any errors from this call. This should be called after s.client has been instantiated.
func (*GCPCKMSSeal) Finalize ¶
func (s *GCPCKMSSeal) Finalize(_ context.Context) error
Finalize is called during shutdown. This is a no-op since GCPKMSSeal doesn't require any cleanup.
func (*GCPCKMSSeal) Init ¶
func (s *GCPCKMSSeal) Init(_ context.Context) error
Init is called during core.Initialize. No-op at the moment.
func (*GCPCKMSSeal) KeyID ¶
func (s *GCPCKMSSeal) KeyID() string
KeyID returns the last known key id.
func (*GCPCKMSSeal) SealType ¶
func (s *GCPCKMSSeal) SealType() string
SealType returns the seal type for this particular seal implementation.
func (*GCPCKMSSeal) SetConfig ¶
SetConfig sets the fields on the GCPCKMSSeal object based on values from the config parameter. Environment variables take precedence over values provided in the Vault configuration file (i.e. values in the `seal "gcpckms"` stanza).
Order of precedence for GCP credentials file: * GOOGLE_CREDENTIALS environment variable * `credentials` value from Value configuration file * GOOGLE_APPLICATION_CREDENTIALS (https://developers.google.com/identity/protocols/application-default-credentials)
type GCPKMSMechanism ¶
type GCPKMSMechanism uint32
GCPKMSMechanism is the method used to encrypt/decrypt in the autoseal