Overview ¶
Package chefcrypto provides functions for encrypting and decrypting Chef encrypted data bag items.
This package does not fetch data from the Chef server.
When encrypting, the data passed in must already be JSON-encoded (for example, the string foo is passed as the JSON literal "\"foo\"", not as the bare bytes "foo").
Example
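package main

import (
	"encoding/json"
	"fmt"
	"log"

	cc "github.com/bhoriuchi/go-chef-crypto"
)

// main encrypts a JSON-encoded string with a freshly generated secret key,
// round-trips it through JSON, decrypts it again and prints the recovered value.
// Every step's error is checked: silently continuing with an empty key or an
// empty data bag item would print a misleading result.
func main() {
	// generate a key for encryption
	key, err := cc.NewSecretKey(512)
	if err != nil {
		log.Fatalf("generating secret key: %v", err)
	}

	// the plaintext handed to Encrypt must itself be JSON (see the package
	// overview), so encode the Go string instead of passing its raw bytes
	secretData, err := json.Marshal("foo")
	if err != nil {
		log.Fatalf("encoding secret: %v", err)
	}

	// Encrypt some data
	databag, err := cc.Encrypt(key, secretData, cc.VersionLatest)
	if err != nil {
		log.Fatalf("encrypting data bag item: %v", err)
	}

	// marshal the data; MarshalIndent already returns []byte, so no
	// further conversion is needed before decrypting
	databagJSON, err := json.MarshalIndent(databag, "", " ")
	if err != nil {
		log.Fatalf("marshalling data bag item: %v", err)
	}

	// Decrypt the databag into a non-nil pointer target
	var value interface{}
	if err := cc.Decrypt(key, databagJSON, &value); err != nil {
		log.Fatalf("decrypting data bag item: %v", err)
	}

	// Print the data; use the two-value assertion so an unexpected
	// plaintext type is reported instead of panicking
	secret, ok := value.(string)
	if !ok {
		log.Fatalf("unexpected decrypted value type %T", value)
	}
	fmt.Printf("Secret: %s", secret)
}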
Index ¶
- Constants
- Variables
- func Decrypt(key, data []byte, target interface{}) error
- func IsEncryptedDataBagItem(data []byte) (bool, int, error)
- func NewSecretKey(length int) ([]byte, error)
- func NewSecretKeyBase64(length int) (*string, error)
- type EncryptedDataBagItem
- type EncryptedDataBagItemV1
- type EncryptedDataBagItemV2
- type EncryptedDataBagItemV3
Constants ¶
const (
	// Version1 identifies a version 1 encrypted data bag item.
	Version1 = 1
	// Version2 identifies a version 2 encrypted data bag item.
	Version2 = 2
	// Version3 identifies a version 3 encrypted data bag item.
	Version3 = 3

	// MinimumVersion is the lowest encryption version this package supports.
	MinimumVersion = Version1
	// MaximumVersion is the highest encryption version this package supports.
	MaximumVersion = Version3
	// VersionLatest is the version selected when a caller asks for the
	// latest format; currently 3.
	VersionLatest = Version3
)
const CipherV1 = "aes-256-cbc"
CipherV1 the v1 cipher used
const CipherV2 = "aes-256-cbc"
CipherV2 the v2 cipher used
const CipherV3 = "aes-256-gcm"
CipherV3 the v3 cipher used
Variables ¶
var ErrDecryptFailed = errors.New("failed to decrypt data bag")
ErrDecryptFailed decryption failed
var ErrInvalidSecretKey = errors.New("key must be a non-empty byte array")
ErrInvalidSecretKey invalid secret key
var ErrInvalidTarget = errors.New("target must be a non-nil pointer")
ErrInvalidTarget invalid target pointer
var ErrItemNotValid = errors.New("data is not an encrypted data bag item")
ErrItemNotValid invalid data bag
var ErrSignatureValidationFailed = errors.New("signature validation failed, an invalid secret key was most likely used")
ErrSignatureValidationFailed: HMAC validation failed (most likely the wrong secret key was used)
var ErrUnsupportedVersion = errors.New("unsupported encryption version")
ErrUnsupportedVersion unsupported encryption version
Functions ¶
func IsEncryptedDataBagItem ¶
IsEncryptedDataBagItem reports whether data is an encrypted data bag item and, if so, which version it is.
func NewSecretKey ¶
NewSecretKey generates a new secret key of specified length
func NewSecretKeyBase64 ¶
NewSecretKeyBase64 generates a new secret key of the specified length and returns it base64-encoded as a string.
Types ¶
type EncryptedDataBagItem ¶
// EncryptedDataBagItem is the interface shared by every encrypted data bag
// item version (V1, V2 and V3).
type EncryptedDataBagItem interface {
	// Decrypt decrypts the item with key and decodes the plaintext into
	// target, which must be a non-nil pointer (see ErrInvalidTarget).
	Decrypt(key []byte, target interface{}) error
	// IsValid reports whether the item is well-formed.
	IsValid() bool
	// GetVersion returns the item's encryption version.
	GetVersion() int
}
EncryptedDataBagItem is the interface implemented by each encrypted data bag item version.
type EncryptedDataBagItemV1 ¶
// EncryptedDataBagItemV1 is a version 1 encrypted data bag item.
// Unlike EncryptedDataBagItemV2 and EncryptedDataBagItemV3 it carries no
// HMAC or authentication tag field.
type EncryptedDataBagItemV1 struct {
	// EncryptedData holds the encrypted payload.
	EncryptedData string `json:"encrypted_data"`
	// IV holds the initialization vector.
	IV string `json:"iv"`
	// Version is the item's encryption version.
	Version int `json:"version"`
	// Cipher names the cipher used (see CipherV1).
	Cipher string `json:"cipher"`
}
EncryptedDataBagItemV1 is a version 1 encrypted data bag item; unlike the v2 and v3 items it has no HMAC or authentication tag field (compare EncryptedDataBagItemV2 and EncryptedDataBagItemV3).
func EncryptDataBagItemV1 ¶
func EncryptDataBagItemV1(key, jsonData []byte) (*EncryptedDataBagItemV1, error)
EncryptDataBagItemV1 encrypts a databag with the v1 specification
func (*EncryptedDataBagItemV1) Decrypt ¶
func (c *EncryptedDataBagItemV1) Decrypt(key []byte, target interface{}) error
Decrypt decrypts the v1 databag
func (*EncryptedDataBagItemV1) GetVersion ¶
func (c *EncryptedDataBagItemV1) GetVersion() int
GetVersion returns the databag version
func (*EncryptedDataBagItemV1) IsValid ¶
func (c *EncryptedDataBagItemV1) IsValid() bool
IsValid validates the encrypted databag
type EncryptedDataBagItemV2 ¶
// EncryptedDataBagItemV2 is a version 2 encrypted data bag item.
type EncryptedDataBagItemV2 struct {
	// EncryptedData holds the encrypted payload.
	EncryptedData string `json:"encrypted_data"`
	// HMAC holds the integrity value checked on decryption
	// (see ErrSignatureValidationFailed).
	HMAC string `json:"hmac"`
	// IV holds the initialization vector.
	IV string `json:"iv"`
	// Version is the item's encryption version.
	Version int `json:"version"`
	// Cipher names the cipher used (see CipherV2).
	Cipher string `json:"cipher"`
}
EncryptedDataBagItemV2 version 2 encrypted databag
func EncryptDataBagItemV2 ¶
func EncryptDataBagItemV2(key, data []byte) (*EncryptedDataBagItemV2, error)
EncryptDataBagItemV2 encrypts a databag with the v2 specification
func (*EncryptedDataBagItemV2) Decrypt ¶
func (c *EncryptedDataBagItemV2) Decrypt(key []byte, target interface{}) error
Decrypt decrypts the v2 databag
func (*EncryptedDataBagItemV2) GetVersion ¶
func (c *EncryptedDataBagItemV2) GetVersion() int
GetVersion returns the databag version
func (*EncryptedDataBagItemV2) IsValid ¶
func (c *EncryptedDataBagItemV2) IsValid() bool
IsValid validates the encrypted databag
type EncryptedDataBagItemV3 ¶
// EncryptedDataBagItemV3 is a version 3 encrypted data bag item.
type EncryptedDataBagItemV3 struct {
	// EncryptedData holds the encrypted payload.
	EncryptedData string `json:"encrypted_data"`
	// IV holds the initialization vector.
	IV string `json:"iv"`
	// AuthTag holds the authentication tag produced by the v3 cipher
	// (see CipherV3).
	AuthTag string `json:"auth_tag"`
	// Version is the item's encryption version.
	Version int `json:"version"`
	// Cipher names the cipher used (see CipherV3).
	Cipher string `json:"cipher"`
}
EncryptedDataBagItemV3 version 3 encrypted databag
func EncryptDataBagItemV3 ¶
func EncryptDataBagItemV3(key, jsonData []byte) (*EncryptedDataBagItemV3, error)
EncryptDataBagItemV3 encrypts a databag with the v3 specification
func (*EncryptedDataBagItemV3) Decrypt ¶
func (c *EncryptedDataBagItemV3) Decrypt(key []byte, target interface{}) error
Decrypt decrypts the v3 databag
func (*EncryptedDataBagItemV3) GetVersion ¶
func (c *EncryptedDataBagItemV3) GetVersion() int
GetVersion returns the databag version
func (*EncryptedDataBagItemV3) IsValid ¶
func (c *EncryptedDataBagItemV3) IsValid() bool
IsValid validates the encrypted databag