Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct { // Endpoints contains a list of KMS server // HTTP endpoints. Endpoints []string // DefaultKeyID is the key ID used when // no explicit key ID is specified for // a cryptographic operation. DefaultKeyID string // Certificate is the client TLS certificate // to authenticate to KMS via mTLS. Certificate *certs.Certificate // ReloadCertEvents is an event channel that receives // the reloaded client certificate. ReloadCertEvents <-chan tls.Certificate // RootCAs is a set of root CA certificates // to verify the KMS server TLS certificate. RootCAs *x509.CertPool }
Config contains various KMS-related configuration parameters - like KMS endpoints or authentication credentials.
type Context ¶
Context is a set of key-value pairs that are associated with a generate data encryption key (DEK).
A KMS implementation may bind the context to the generated DEK such that the same context must be provided when decrypting an encrypted DEK.
func (Context) MarshalText ¶
MarshalText sorts the context keys and writes the sorted key-value pairs as canonical JSON object. The sort order is based on the un-escaped keys. It never returns an error.
type DEK ¶
DEK is a data encryption key. It consists of a plaintext-ciphertext pair and the ID of the key used to generate the ciphertext.
The plaintext can be used for cryptographic operations - like encrypting some data. The ciphertext is the encrypted version of the plaintext data and can be stored on untrusted storage.
func (DEK) MarshalText ¶
MarshalText encodes the DEK's key ID and ciphertext as JSON.
func (*DEK) UnmarshalText ¶
UnmarshalText tries to decode text as JSON representation of a DEK and sets DEK's key ID and ciphertext to the decoded values.
It sets DEK's plaintext to nil.
type IdentityManager ¶
type IdentityManager interface { // DescribeIdentity describes an identity by returning its metadata. // e.g. which policy is currently assigned and whether its an admin identity. DescribeIdentity(ctx context.Context, identity string) (*kes.IdentityInfo, error) // DescribeSelfIdentity describes the identity issuing the request. // It infers the identity from the TLS client certificate used to authenticate. // It returns the identity and policy information for the client identity. DescribeSelfIdentity(ctx context.Context) (*kes.IdentityInfo, *kes.Policy, error) // DeleteIdentity deletes an identity from KMS. // The client certificate that corresponds to the identity is no longer authorized to perform any API operations. // The admin identity cannot be deleted. DeleteIdentity(ctx context.Context, identity string) error // ListIdentities list all identity metadata that match the specified pattern. // In particular, the pattern * lists all identity metadata. ListIdentities(ctx context.Context, pattern string) (*kes.IdentityIterator, error) }
IdentityManager is the generic interface that handles KMS identity operations
type KMS ¶
type KMS interface { // Stat returns the current KMS status. Stat(cxt context.Context) (Status, error) // Metrics returns a KMS metric snapshot. Metrics(ctx context.Context) (kes.Metric, error) // CreateKey creates a new key at the KMS with the given key ID. CreateKey(ctx context.Context, keyID string) error // GenerateKey generates a new data encryption key using the // key referenced by the key ID. // // The KMS may use a default key if the key ID is empty. // GenerateKey returns an error if the referenced key does // not exist. // // The context is associated and tied to the generated DEK. // The same context must be provided when the generated key // should be decrypted. Therefore, it is the callers // responsibility to remember the corresponding context for // a particular DEK. The context may be nil. GenerateKey(ctx context.Context, keyID string, context Context) (DEK, error) // DecryptKey decrypts the ciphertext with the key referenced // by the key ID. The context must match the context value // used to generate the ciphertext. DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error) // DecryptAll decrypts all ciphertexts with the key referenced // by the key ID. The contexts must match the context value // used to generate the ciphertexts. DecryptAll(ctx context.Context, keyID string, ciphertext [][]byte, context []Context) ([][]byte, error) }
KMS is the generic interface that abstracts over different KMS implementations.
func NewWithConfig ¶
NewWithConfig returns a new KMS using the given configuration.
type KeyManager ¶
type KeyManager interface { // CreateKey creates a new key at the KMS with the given key ID. CreateKey(ctx context.Context, keyID string) error // DeleteKey deletes a key at the KMS with the given key ID. // Please note that is a dangerous operation. // Once a key has been deleted all data that has been encrypted with it cannot be decrypted // anymore, and therefore, is lost. DeleteKey(ctx context.Context, keyID string) error // ListKeys List all key names that match the specified pattern. In particular, // the pattern * lists all keys. ListKeys(ctx context.Context, pattern string) (*kes.KeyIterator, error) // ImportKey imports a cryptographic key into the KMS. ImportKey(ctx context.Context, keyID string, bytes []byte) error // EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key // The plaintext must not exceed 1 MB EncryptKey(keyID string, plaintext []byte, context Context) ([]byte, error) }
KeyManager is the generic interface that handles KMS key operations
type PolicyManager ¶
type PolicyManager interface { // DescribePolicy describes a policy by returning its metadata. // e.g. who created the policy at which point in time. DescribePolicy(ctx context.Context, policy string) (*kes.PolicyInfo, error) // AssignPolicy assigns a policy to an identity. // An identity can have at most one policy while the same policy can be assigned to multiple identities. // The assigned policy defines which API calls this identity can perform. // It's not possible to assign a policy to the admin identity. // Further, an identity cannot assign a policy to itself. AssignPolicy(ctx context.Context, policy, identity string) error // SetPolicy creates or updates a policy. SetPolicy(ctx context.Context, policy string, policyItem *kes.Policy) error // GetPolicy gets a policy from KMS. GetPolicy(ctx context.Context, policy string) (*kes.Policy, error) // ListPolicies list all policy metadata that match the specified pattern. // In particular, the pattern * lists all policy metadata. ListPolicies(ctx context.Context, pattern string) (*kes.PolicyIterator, error) // DeletePolicy deletes a policy from KMS. // All identities that have been assigned to this policy will lose all authorization privileges. DeletePolicy(ctx context.Context, policy string) error }
PolicyManager is the generic interface that handles KMS policy] operations
type Status ¶
type Status struct { Name string // The name of the KMS Endpoints []string // A set of the KMS endpoints // DefaultKey is the key used when no explicit key ID // is specified. It is empty if the KMS does not support // a default key. DefaultKey string }
Status describes the current state of a KMS.
type StatusManager ¶
type StatusManager interface { // Version retrieves version information Version(ctx context.Context) (string, error) // APIs retrieves a list of supported API endpoints APIs(ctx context.Context) ([]kes.API, error) }
StatusManager is the generic interface that handles KMS status operations