Documentation
Index
- Constants
- Variables
- func Decrypt(key [KeyLength]byte, encrypted []byte) ([]byte, error)
- func Encrypt(key [KeyLength]byte, data []byte) ([]byte, error)
- func GenerateKey() ([KeyLength]byte, error)
- type AzureKMS
- type EncryptionCodec
- type KMS
- type KeyURL
- type KeyURLType
- type LocalKMS
- type SecretBoxCodec
Constants
const (
    NonceLength = 24
    KeyLength   = 32
)
Variables
var (
    KMSDecryptCause       = errors.NewCause(errors.BadRequestCategory, "kms_decrypt")
    SecretBoxDecryptCause = errors.NewCause(errors.BadRequestCategory, "secret_box_decrypt")
    InvalidKeyURLCause    = errors.NewCause(errors.BadRequestCategory, "invalid_key_url")
)
Functions
func GenerateKey
func GenerateKey() ([KeyLength]byte, error)
Types
type AzureKMS
type AzureKMS struct {
// contains filtered or unexported fields
}
func NewAzureKMS
func (*AzureKMS) EncryptedKeyLength
type EncryptionCodec
type EncryptionCodec interface {
    Encrypt(context.Context, *base64.Value) (*base64.Value, error)
    Decrypt(context.Context, *base64.Value) (*base64.Value, error)
}
EncryptionCodec represents a way to encrypt binary data with a symmetric key. SecretBoxCodec can be used as an example implementation.
type KMS
type KMS interface {
    Open(context.Context) error
    Encrypt(context.Context, []byte) ([]byte, error)
    Decrypt(context.Context, []byte) ([]byte, error)
    EncryptedKeyLength() int
    Close() error
}
KMS is an abstract interface over a Key Management System, which is generally used to wrap data encryption keys (DEKs) with a key encryption key (KEK).
type KeyURL
KeyURL contains a URL for a key used for data encryption. It is mostly intended to be used with gocloud secrets and related utilities.
func KeyURLFromURL
KeyURLFromURL returns a KeyURL from a net/url.URL.
func NewBase64KeyURL
NewBase64KeyURL generates a KeyURL for you if key is nil. Otherwise, key must be KeyLength bytes long.
func (*KeyURL) MarshalJSON
MarshalJSON implements the json.Marshaler interface.
func (*KeyURL) Type
func (d *KeyURL) Type() KeyURLType
func (*KeyURL) UnmarshalJSON
UnmarshalJSON implements the json.Unmarshaler interface.
type KeyURLType
type KeyURLType string
const (
    Base64Key KeyURLType = "base64key"
    AzureKey  KeyURLType = "azurekeyvault"
)
func (KeyURLType) Validate
func (k KeyURLType) Validate() error
type LocalKMS
type LocalKMS struct {
// contains filtered or unexported fields
}
LocalKMS is a simple simulated KMS that holds a single key, which is used to encrypt other keys. It should be possible to expand it into something that can handle rotating keys.
func NewLocalKMS
func (*LocalKMS) Encrypt
Encrypt encrypts the data encryption key (DEK) and returns the encrypted bytes appended to the nonce.
func (*LocalKMS) EncryptedKeyLength
type SecretBoxCodec
type SecretBoxCodec struct {
// contains filtered or unexported fields
}
SecretBoxCodec implements an envelope encryption scheme that uses data encryption keys (DEKs) and key encryption keys (KEKs) to encrypt the data safely and prevent leaking the keys. A good overview of envelope encryption: https://cloud.google.com/kms/docs/envelope-encryption. See the individual function comments for more information.
func NewSecretBoxCodec
func NewSecretBoxCodec(kms KMS) *SecretBoxCodec
func (*SecretBoxCodec) Decrypt
func (s *SecretBoxCodec) Decrypt(ctx context.Context, data *base64.Value) (*base64.Value, error)
func (*SecretBoxCodec) Encrypt
func (s *SecretBoxCodec) Encrypt(ctx context.Context, data *base64.Value) (*base64.Value, error)
Encrypt generates a random nonce and DEK, which are used to call secretbox.Seal. The sealed result is appended to the nonce so that the nonce is available later to decrypt the data. The DEK is then encrypted with the KMS, and the nonce plus sealed result are appended to the wrapped DEK.
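The scheme that LocalKMS.Encrypt and SecretBoxCodec.Encrypt describe, carried through end to end as an added example that is not the package's own code: both the data and the DEK are sealed with AES-256-GCM from the Go standard library standing in for NaCl secretbox (an assumption made so the example runs without golang.org/x/crypto), so the sizes in EncryptedKeyLength are GCM's, while the wrappedDEK || nonce || ciphertext layout and the split on decrypt follow the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const dekLength = 32 // same as the page's KeyLength
// aead returns AES-256-GCM for a 32-byte key; this example uses it in place of NaCl secretbox.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts under key with a fresh random nonce and returns nonce || ciphertext, the "result appended to the nonce" layout the page describes for secretbox.Seal.
func seal(key, plaintext []byte) ([]byte, error) {
	a, err := aead(key)
	if err != nil { return nil, err }
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return a.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; a truncated or tampered blob yields an error, never a panic.
func open(key, blob []byte) ([]byte, error) {
	a, err := aead(key)
	if err != nil || len(blob) < a.NonceSize() { return nil, errors.New("bad key or truncated blob") }
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}
// EncryptedKeyLength is the wrapped-DEK size (12-byte GCM nonce + 32-byte DEK + 16-byte tag); Unenvelope needs it to find where the wrapped DEK ends and the sealed data begins.
func EncryptedKeyLength() int { return 12 + dekLength + 16 }
// Envelope seals data under a one-time DEK, wraps that DEK under kek and returns wrappedDEK || nonce || ciphertext, the layout SecretBoxCodec.Encrypt describes.
func Envelope(kek, data []byte) ([]byte, error) {
	dek := make([]byte, dekLength)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	body, err := seal(dek, data)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek) // only the KEK holder can ever recover the DEK
	if err != nil { return nil, err }
	return append(wrapped, body...), nil
}
// Unenvelope splits off the wrapped DEK, unwraps it under kek, then decrypts the body with it.
func Unenvelope(kek, blob []byte) ([]byte, error) {
	n := EncryptedKeyLength()
	if len(blob) < n { return nil, errors.New("blob shorter than wrapped DEK") }
	dek, err := open(kek, blob[:n])
	if err != nil { return nil, err }
	return open(dek, blob[n:])
}
```

A truncated blob, a tampered wrapped DEK or the wrong KEK all surface as errors from Unenvelope, and the plaintext DEK never leaves that function.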