gcpkms

package
v0.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 11, 2019 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package gcpkms encrypts the message using Google Cloud KMS.

Only the recipient can decrypt the message using the corresponding private key. While the recipient can verify the integrity of the message, it cannot verify the identity of the sender.

Sender anonymously encrypts the message using a randomly generated data encryption key(DEK). DEK is encrypted via GCP KMS.

Both symmetric and asymmetric methods can be applied to encrypting DEKs.

XChaCha20-Poly1305 is used for AEAD. Additional data (AD) for the AEAD is the keyName used for encrypting the DEK. Additional data is used as salt. Key and nonce for XChaCha20-Poly1305 are generated via HKDF.

Additional data is concatenated with the resulting ciphertext. Encrypted DEK(EDEK) is stored alongside the encrypted message and concatenated with the ciphertext.

DEK is generated every time the encryption is called. Thus, a new DEK will be generated for the same plaintext every time the encryption is called.

Resulting message structure: 

[Header:1||Size(EDEK):2||EDEK||ciphertext]
EDEK - Encrypted data encryption key

Index

Constants

View Source 
const (
	// KeySize is the size, in bytes, of data encryption keys
	KeySize = 32
)

Variables

This section is empty.

Functions

func GetPublicKey 

func GetPublicKey(ctx context.Context, options Options) (*rsa.PublicKey, string, error)

GetPublicKey fetches and returns RSA public key from GCP KMS in both decoded and encoded forms.

func New 

func New(options Options) (crypto.EncryptDecrypter, error)

New returns a new instance of the crypto.EncryptDecrypter. If credentials is nil application default credentials will be used for authenticating.

func ParsePublicKey 

func ParsePublicKey(encoded string) (*rsa.PublicKey, error)

ParsePublicKey parses PEM formatted RSA public key

Types

type Options 

type Options struct {
	ProjectID        string
	LocationID       string
	KeyRingID        string
	CryptoKeyID      string
	CryptoKeyVersion int

	Credentials []byte
	PublicKey   *rsa.PublicKey

	Timeout time.Duration
}

Options defines all the parameters needed for encrypting and decrypting via GCP KMS.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.