Documentation
Overview
Package kms implements a client for AWS KMS.
Example
Here is how to use this package:
    client := kms.DefaultClient() // uses the default AWS credential locations
    key, err := kms.GenerateDataKey(client, kmsKeyID, encryptionContext)
    // key is kms.DataKey{Ciphertext: "abcd...", Plaintext: "foo..."}
    decrypted, err := kms.DecryptDataKey(client, key.Ciphertext, encryptionContext)
    // decrypted is kms.DataKey{Ciphertext: "abcd...", Plaintext: "foo..."}
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Client
    type Client interface {
        GenerateDataKey(*kms.GenerateDataKeyInput) (*kms.GenerateDataKeyOutput, error)
        Decrypt(*kms.DecryptInput) (*kms.DecryptOutput, error)
    }
Client is the interface implemented by kms.KMS.
func DefaultClient
DefaultClient creates a new AWS session (reading credentials and settings from the environment) and returns a ready-to-use KMS client.
type DataKey
    type DataKey struct {
        Ciphertext []byte
        Plaintext  []byte
        // contains filtered or unexported fields
    }
DataKey holds the ciphertext and plaintext of a generated KMS data key.
func DecryptDataKey
    func DecryptDataKey(client Client, ciphertext []byte, encryptionContext map[string]*string) (DataKey, error)
DecryptDataKey takes an encrypted data key and its associated encryptionContext, and returns the key plaintext (together with the ciphertext, for consistency).
func GenerateDataKey
    func GenerateDataKey(client Client, kmsKeyID string, encryptionContext map[string]*string) (DataKey, error)
GenerateDataKey creates an encryption key that can be used to encrypt data locally. The key length is 256 bits. It returns both the plaintext of the key, for immediate use, and its encrypted version under the KMS master key, for storage.
An encryptionContext can be given as key-value pairs. These are stored with the key, logged through AWS CloudTrail (if enabled), and must be supplied unchanged for every later use of the data key.
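The local half of the envelope pattern described above, which this package leaves to the caller, as an added example that is not part of the package: data is encrypted with the 256-bit DataKey.Plaintext under AES-256-GCM, the same encryption context handed to KMS is bound to the ciphertext as additional authenticated data, and the plaintext key is zeroed once the cipher is built. Seal, Open, contextAAD and newGCM are assumed names; the output of Seal is what you would persist next to DataKey.Ciphertext for a later DecryptDataKey.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"sort"
)

// contextAAD serialises the encryption context deterministically (sorted keys, NUL-separated) as GCM additional data.
func contextAAD(ctx map[string]*string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var out []byte
	for _, k := range keys { // values assumed non-nil, as the AWS SDK returns them
		out = append(append(append(append(out, k...), 0), *ctx[k]...), 0)
	}
	return out
}

// newGCM builds AES-256-GCM from DataKey.Plaintext and then zeroes that slice so the key does not linger in memory.
func newGCM(key []byte) (cipher.AEAD, error) {
	defer func() { for i := range key { key[i] = 0 } }()
	if len(key) != 32 { return nil, errors.New("expected a 256-bit data key") }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext; persist it beside DataKey.Ciphertext, never beside the plaintext key.
func Seal(key, data []byte, ctx map[string]*string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, data, contextAAD(ctx)), nil
}

// Open decrypts with the plaintext returned by DecryptDataKey; a differing context fails to authenticate.
func Open(key, blob []byte, ctx map[string]*string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], contextAAD(ctx))
}
```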