Overview ¶
Package keys contains various encryption KeyHandler implementations.
Constants ¶
const ( // TokenTypeKMS is KMS assisted encryption token. TokenTypeKMS = "sideroKMS" // TokenTypeTPM is TPM assisted encryption token. TokenTypeTPM = "talos-tpm2" )
Variables ¶
var ErrTokenInvalid = errors.New("invalid token")
ErrTokenInvalid is returned by the keys handler if the supplied token is not valid.
Types ¶
type Handler ¶
type Handler interface { NewKey(context.Context) (*encryption.Key, token.Token, error) GetKey(context.Context, token.Token) (*encryption.Key, error) Slot() int }
Handler manages key lifecycle.
func NewHandler ¶
func NewHandler(cfg config.EncryptionKey, options ...KeyOption) (Handler, error)
NewHandler creates a key Handler from the provided config.
type KMSKeyHandler ¶
type KMSKeyHandler struct { KeyHandler // contains filtered or unexported fields }
KMSKeyHandler seals the token using a KMS service.
func NewKMSKeyHandler ¶
func NewKMSKeyHandler(key KeyHandler, kmsEndpoint string, getSystemInfo helpers.SystemInformationGetter) (*KMSKeyHandler, error)
NewKMSKeyHandler creates new KMSKeyHandler.
func (*KMSKeyHandler) GetKey ¶
func (h *KMSKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)
GetKey implements Handler interface.
func (*KMSKeyHandler) NewKey ¶
func (h *KMSKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements Handler interface.
type KMSToken ¶
type KMSToken struct {
SealedData []byte `json:"sealedData"`
}
KMSToken is the userdata stored in the partition token metadata.
type KeyHandler ¶
type KeyHandler struct {
// contains filtered or unexported fields
}
KeyHandler is the base type embedded by all key handlers.
type KeyOption ¶
type KeyOption func(o *KeyOptions) error
KeyOption is a callback that sets a key option used by the KeyHandler.GetKey func.
func WithPartitionLabel ¶
WithPartitionLabel passes the partition label to the key handler.
func WithSystemInformationGetter ¶
func WithSystemInformationGetter(getter helpers.SystemInformationGetter) KeyOption
WithSystemInformationGetter passes the system information getter, used to look up the node UUID, to the key handler.
type KeyOptions ¶
type KeyOptions struct { PartitionLabel string GetSystemInformation helpers.SystemInformationGetter }
KeyOptions is the set of options used by the KeyHandler.GetKey func.
func NewDefaultOptions ¶
func NewDefaultOptions(options []KeyOption) (*KeyOptions, error)
NewDefaultOptions creates new KeyOptions.
type NodeIDKeyHandler ¶
type NodeIDKeyHandler struct { KeyHandler // contains filtered or unexported fields }
NodeIDKeyHandler derives the key from the current node information and the provided template string.
func NewNodeIDKeyHandler ¶
func NewNodeIDKeyHandler(key KeyHandler, partitionLabel string, systemInfoGetter helpers.SystemInformationGetter) *NodeIDKeyHandler
NewNodeIDKeyHandler creates new NodeIDKeyHandler.
func (*NodeIDKeyHandler) GetKey ¶
func (h *NodeIDKeyHandler) GetKey(ctx context.Context, _ token.Token) (*encryption.Key, error)
GetKey implements Handler interface.
func (*NodeIDKeyHandler) NewKey ¶
func (h *NodeIDKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements Handler interface.
type StaticKeyHandler ¶
type StaticKeyHandler struct { KeyHandler // contains filtered or unexported fields }
StaticKeyHandler always returns the same static key value.
func NewStaticKeyHandler ¶
func NewStaticKeyHandler(key KeyHandler, data []byte) *StaticKeyHandler
NewStaticKeyHandler creates a new StaticKeyHandler.
func (*StaticKeyHandler) GetKey ¶
func (h *StaticKeyHandler) GetKey(context.Context, token.Token) (*encryption.Key, error)
GetKey implements Handler interface.
func (*StaticKeyHandler) NewKey ¶
func (h *StaticKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements Handler interface.
type TPMKeyHandler ¶
type TPMKeyHandler struct { KeyHandler // contains filtered or unexported fields }
TPMKeyHandler seals the token using the TPM.
func NewTPMKeyHandler ¶
func NewTPMKeyHandler(key KeyHandler, checkSecurebootOnEnroll bool) (*TPMKeyHandler, error)
NewTPMKeyHandler creates new TPMKeyHandler.
func (*TPMKeyHandler) GetKey ¶
func (h *TPMKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)
GetKey implements Handler interface.
func (*TPMKeyHandler) NewKey ¶
func (h *TPMKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements Handler interface.
type TPMToken ¶
type TPMToken struct { KeySlots []int `json:"keyslots"` SealedBlobPrivate []byte `json:"sealed_blob_private"` SealedBlobPublic []byte `json:"sealed_blob_public"` PCRs []int `json:"pcrs"` Alg string `json:"alg"` PolicyHash []byte `json:"policy_hash"` KeyName []byte `json:"key_name"` }
TPMToken is the userdata stored in the partition token metadata.