keys

package
v0.6.6
Published: Dec 9, 2024 License: MPL-2.0 Imports: 21 Imported by: 0

Documentation

Overview

Package keys contains various encryption KeyHandler implementations.

Index

Constants

const (
	// TokenTypeKMS is the token type for KMS-assisted encryption.
	TokenTypeKMS = "sideroKMS"
	// TokenTypeTPM is the token type for TPM-assisted encryption.
	TokenTypeTPM = "talos-tpm2"
)

Variables

var ErrTokenInvalid = errors.New("invalid token")

ErrTokenInvalid is returned by the keys handler if the supplied token is not valid.

Functions

This section is empty.

Types

type Handler

type Handler interface {
	NewKey(context.Context) (*encryption.Key, token.Token, error)
	GetKey(context.Context, token.Token) (*encryption.Key, error)
	Slot() int
}

Handler manages key lifecycle.

func NewHandler

func NewHandler(cfg config.EncryptionKey, options ...KeyOption) (Handler, error)

NewHandler creates a key Handler using the provided config.

type KMSKeyHandler

type KMSKeyHandler struct {
	KeyHandler
	// contains filtered or unexported fields
}

KMSKeyHandler seals the token using the KMS service.

func NewKMSKeyHandler

func NewKMSKeyHandler(key KeyHandler, kmsEndpoint string, getSystemInfo helpers.SystemInformationGetter) (*KMSKeyHandler, error)

NewKMSKeyHandler creates a new KMSKeyHandler.

func (*KMSKeyHandler) GetKey

func (h *KMSKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)

GetKey implements Handler interface.

func (*KMSKeyHandler) NewKey

NewKey implements Handler interface.

type KMSToken

type KMSToken struct {
	SealedData []byte `json:"sealedData"`
}

KMSToken is the userdata stored in the partition token metadata.

type KeyHandler

type KeyHandler struct {
	// contains filtered or unexported fields
}

KeyHandler is the base type embedded by all key handlers.

func (*KeyHandler) Slot

func (k *KeyHandler) Slot() int

Slot implements Handler interface.

type KeyOption

type KeyOption func(o *KeyOptions) error

KeyOption is a key option callback used in the KeyHandler.GetKey func.

func WithPartitionLabel

func WithPartitionLabel(label string) KeyOption

WithPartitionLabel passes the partition label to the key handler.

func WithSystemInformationGetter

func WithSystemInformationGetter(getter helpers.SystemInformationGetter) KeyOption

WithSystemInformationGetter passes the system information getter (used to obtain the node UUID) to the key handler.

type KeyOptions

type KeyOptions struct {
	PartitionLabel       string
	GetSystemInformation helpers.SystemInformationGetter
}

KeyOptions is the set of options used in the KeyHandler.GetKey func.

func NewDefaultOptions

func NewDefaultOptions(options []KeyOption) (*KeyOptions, error)

NewDefaultOptions creates a new KeyOptions with the given options applied.

type NodeIDKeyHandler

type NodeIDKeyHandler struct {
	KeyHandler
	// contains filtered or unexported fields
}

NodeIDKeyHandler generates the key based on current node information and provided template string.

func NewNodeIDKeyHandler

func NewNodeIDKeyHandler(key KeyHandler, partitionLabel string, systemInfoGetter helpers.SystemInformationGetter) *NodeIDKeyHandler

NewNodeIDKeyHandler creates a new NodeIDKeyHandler.

func (*NodeIDKeyHandler) GetKey

GetKey implements Handler interface.

func (*NodeIDKeyHandler) NewKey

NewKey implements Handler interface.

type StaticKeyHandler

type StaticKeyHandler struct {
	KeyHandler
	// contains filtered or unexported fields
}

StaticKeyHandler always returns the same static key value.

func NewStaticKeyHandler

func NewStaticKeyHandler(key KeyHandler, data []byte) *StaticKeyHandler

NewStaticKeyHandler creates a new StaticKeyHandler.

func (*StaticKeyHandler) GetKey

GetKey implements Handler interface.

func (*StaticKeyHandler) NewKey

NewKey implements Handler interface.

type TPMKeyHandler

type TPMKeyHandler struct {
	KeyHandler
	// contains filtered or unexported fields
}

TPMKeyHandler seals the token using the TPM.

func NewTPMKeyHandler

func NewTPMKeyHandler(key KeyHandler, checkSecurebootOnEnroll bool) (*TPMKeyHandler, error)

NewTPMKeyHandler creates a new TPMKeyHandler.

func (*TPMKeyHandler) GetKey

func (h *TPMKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)

GetKey implements Handler interface.

func (*TPMKeyHandler) NewKey

NewKey implements Handler interface.

type TPMToken

type TPMToken struct {
	KeySlots          []int  `json:"keyslots"`
	SealedBlobPrivate []byte `json:"sealed_blob_private"`
	SealedBlobPublic  []byte `json:"sealed_blob_public"`
	PCRs              []int  `json:"pcrs"`
	Alg               string `json:"alg"`
	PolicyHash        []byte `json:"policy_hash"`
	KeyName           []byte `json:"key_name"`
}

TPMToken is the userdata stored in the partition token metadata.
