sdk

package module
v0.4.0
Published: Mar 21, 2024 License: Apache-2.0 Imports: 0 Imported by: 0

README

AWS Encryption SDK for Go


This project is an implementation of the AWS Encryption SDK for the Go programming language, providing a set of libraries for developers to easily add encryption and decryption functionality to their Go applications. This implementation is inspired by the aws-encryption-sdk-python and follows the AWS Encryption SDK specification closely.

Motivation

The motivation behind this project was the absence of a Go implementation of the AWS Encryption SDK. This SDK aims to fill that gap, offering Go developers the tools to implement encryption according to AWS standards.

Features

  • Support for Message Format Version 1 and 2 and related algorithms.
  • AWS KMS Master Key Provider with a discovery filter.
  • AWS KMS Multi-Region Keys using MRK-aware provider in Discovery or Strict mode.
  • Raw Master Key provider using static keys.
  • Comprehensive end-to-end tests ensuring compatibility with aws-encryption-sdk-cli.
  • 100% code coverage with tests.

Current Limitations

  • Does not support the Caching Materials Manager feature yet.
  • Does not support KMS aliases at this stage.
  • Raw Master Key provider does not support RSA encryption.
  • Only framed content type is supported.

Requirements

  • Go v1.20 or later.
  • AWS SDK for Go v2

Installation

To install the AWS Encryption SDK for Go, use the following command:

$ go get github.com/chainifynet/aws-encryption-sdk-go@latest

Usage

This SDK provides a straightforward interface for encrypting and decrypting data.

For advanced use cases, check the examples.

Setting Up the Client

First, set up the client with the necessary configuration.

Default Client Configuration

import (
	"context"

	"github.com/chainifynet/aws-encryption-sdk-go/pkg/client"
	"github.com/chainifynet/aws-encryption-sdk-go/pkg/clientconfig"
	"github.com/chainifynet/aws-encryption-sdk-go/pkg/materials"
	"github.com/chainifynet/aws-encryption-sdk-go/pkg/providers/kmsprovider"
	"github.com/chainifynet/aws-encryption-sdk-go/pkg/providers/rawprovider"
	"github.com/chainifynet/aws-encryption-sdk-go/pkg/suite"
)

// setup Encryption SDK client with default config
sdkClient := client.NewClient()

Custom Client Configuration (advanced)

You can specify the commitment policy and the maximum number of encrypted data keys.

// setup Encryption SDK client with custom client config
cfg, err := clientconfig.NewConfigWithOpts(
	clientconfig.WithCommitmentPolicy(suite.CommitmentPolicyRequireEncryptRequireDecrypt),
	clientconfig.WithMaxEncryptedDataKeys(3),
)
if err != nil {
	panic(err) // handle error
}

// setup Encryption SDK client with a custom config
sdkClient := client.NewClientWithConfig(cfg)

Prepare the Key Provider

Raw Key Provider using static keys

rawKeyProvider, err := rawprovider.NewWithOpts(
	"raw",
	rawprovider.WithStaticKey("static1", []byte("superSecureKeySecureKey32bytes32")),
)
if err != nil {
	panic("raw key provider setup failed") // handle error
}

KMS Key Provider using KMS CMKs

You can optionally enable discovery or specify a discovery filter.

// KMS key ARN to be used for encryption and decryption
kmsKeyArn := "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

// setup KMS key provider
kmsKeyProvider, err := kmsprovider.New(kmsKeyArn)
if err != nil {
	panic("kms key provider setup failed") // handle error
}

Create the Crypto Materials Manager

You can use the KMS Key Provider, the Raw Key Provider, or both combined.

Crypto Materials Manager with the Raw Key Provider

cmm, err := materials.NewDefault(rawKeyProvider)
if err != nil {
	panic("materials manager setup failed") // handle error
}

Crypto Materials Manager with the KMS Key Provider

cmm, err := materials.NewDefault(kmsKeyProvider)
if err != nil {
	panic("materials manager setup failed") // handle error
}

Crypto Materials Manager using both KMS and Raw Key Providers

cmm, err := materials.NewDefault(kmsKeyProvider, rawKeyProvider)
if err != nil {
	panic("materials manager setup failed") // handle error
}

Encrypting Data

To encrypt data, call the Encrypt method on the client.

// define the encryption context, which is a set of key-value pairs that represent additional authenticated data
encryptionContext := map[string]string{
	"purpose": "test",
}

// data to encrypt
secretData := []byte("secret data to encrypt")

// encrypt data
ciphertext, header, err := sdkClient.Encrypt(
	context.TODO(),
	secretData,
	encryptionContext,
	cmm,
)
if err != nil {
	panic("encryption failed") // handle error
}

Decrypting Data

To decrypt data, use the Decrypt method on the client.

// decrypt data
plaintext, header, err := sdkClient.Decrypt(context.TODO(), ciphertext, cmm)
if err != nil {
	panic("decryption failed") // handle error
}
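The commitment policy and the maximum number of encrypted data keys set in the custom client configuration above are enforced on the decrypt side by inspecting the message header before any key is unwrapped. The following added example (not part of the SDK or this README) shows that gate on a hand-built header: it parses the version-dependent prefix of a format v1 or v2 message as laid out in the AWS Encryption SDK message format specification, then applies the two checks. The function names are hypothetical, the header bytes are constructed, and the committing suite IDs 0x0478 and 0x0578 come from the specification.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// ParseHeaderPrefix reads the start of a format v1 or v2 message header and
// returns the algorithm suite ID and the encrypted data key (EDK) count.
func ParseHeaderPrefix(msg []byte) (algID uint16, edkCount int, err error) {
	pos := 0
	take := func(n int) []byte { // sticky-error, bounds-checked read
		if err != nil || pos+n > len(msg) {
			err = fmt.Errorf("truncated header at offset %d", pos)
			return make([]byte, n)
		}
		pos += n
		return msg[pos-n : pos]
	}
	u16 := func() int { return int(binary.BigEndian.Uint16(take(2))) }
	version := take(1)[0]
	if version == 1 {
		take(1) // v1 message type byte (0x80); the field is absent in v2
	} else if version != 2 {
		return 0, 0, fmt.Errorf("unsupported message format version %d", version)
	}
	algID = uint16(u16())
	take(16 * int(version)) // message ID: 16 bytes in v1, 32 bytes in v2
	take(u16())             // AAD (serialised encryption context), skipped here
	edkCount = u16()
	return algID, edkCount, err
}

// CheckPolicy applies the two client-config gates on decrypt: RequireDecrypt
// accepts only key-committing suites (0x0478, 0x0578); EDK count is capped.
func CheckPolicy(algID uint16, edkCount int, requireCommitment bool, maxEDKs int) error {
	if requireCommitment && algID != 0x0478 && algID != 0x0578 {
		return fmt.Errorf("algorithm suite 0x%04x has no key commitment", algID)
	}
	if edkCount > maxEDKs {
		return fmt.Errorf("%d EDKs exceed the limit of %d", edkCount, maxEDKs)
	}
	return nil
}

func main() {
	// constructed v2 header prefix: suite 0x0478, zero message ID, empty AAD, one EDK
	alg, n, err := ParseHeaderPrefix(append(append([]byte{2, 0x04, 0x78}, make([]byte, 32)...), 0, 0, 0, 1))
	fmt.Println(alg, n, err, CheckPolicy(alg, n, true, 3))
}
```

A real message continues with the EDK entries, content type, frame length and header authentication, which the SDK verifies before returning plaintext; this example stops at the fields the two policy checks need.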

TODO

  • Add support for Caching Materials Manager.
  • Add support for Message Format Version 1 #170.
  • Add support for AWS KMS Multi-Region Keys #46.
  • Add support for KMS aliases.
  • Cover providers package with tests.
  • Cover keys package with tests.
  • Cover materials package with tests.
  • GoDoc documentation #294.
  • Streamlined encryption and decryption.

Support and Contributions

If you encounter any issues or would like to contribute to the project, please submit an issue or pull request on GitHub.

License

This SDK is licensed under the Apache License 2.0. See the LICENSE file for details.

For more information on how to use this SDK, please refer to the example directory and the detailed API reference in the documentation.


Stay tuned for further updates and features. Contributions and feedback are welcome!


Documentation

Overview

Package sdk is the Unofficial Go SDK implementation of the AWS Encryption SDK.

Getting started

To install the AWS Encryption SDK for Go, use the following command:

go get github.com/chainifynet/aws-encryption-sdk-go@latest

Usage

The following example demonstrates how to use the SDK to encrypt and decrypt data using a static key.

package main

import (
	"context"
	"fmt"

	"github.com/chainifynet/aws-encryption-sdk-go/pkg/client"
	"github.com/chainifynet/aws-encryption-sdk-go/pkg/materials"
	"github.com/chainifynet/aws-encryption-sdk-go/pkg/providers/rawprovider"
)

func main() {
	// static key to use for encryption and decryption
	staticKey1 := []byte("superSecureKeySecureKey32bytes32")

	// data to encrypt
	secretData := []byte("secret data to encrypt")

	// setup Encryption SDK client with default configuration
	sdkClient := client.NewClient()

	// setup Raw Key provider
	rawKeyProvider, err := rawprovider.NewWithOpts(
		"raw",
		rawprovider.WithStaticKey("static1", staticKey1),
	)
	if err != nil {
		panic(err) // handle error
	}

	// setup crypto materials manager
	cmm, err := materials.NewDefault(rawKeyProvider)
	if err != nil {
		panic(err) // handle error
	}

	// encrypt data without an encryption context by passing nil as the third argument
	encrypted, header, err := sdkClient.Encrypt(context.TODO(), secretData, nil, cmm)
	if err != nil {
		panic(err) // handle error
	}

	fmt.Printf("encrypted encryption context: %v\n", header.AADData().EncryptionContext())

	// decrypt "encrypted" data
	decrypted, _, err := sdkClient.Decrypt(context.TODO(), encrypted, cmm)
	if err != nil {
		panic(err) // handle error
	}

	fmt.Printf("decrypted data: %s\n", decrypted)

	// verify that "decrypted" plaintext is identical to the original secret data
	if string(decrypted) != string(secretData) {
		panic("decrypted data does not match the original data")
	}
}

Directories

Path: Synopsis
example/oneKmsKey: Module
pkg: Package pkg provides the core SDK packages.
pkg/client: Package client provides the entrypoint for using AWS Encryption SDK for Go.
pkg/clientconfig: Package clientconfig provides a way to configure the SDK client.
pkg/crypto: Package crypto provides common errors and encryption configuration.
pkg/internal/crypto/hasher: Package hasher provides a Hasher interface for hashing data with a given elliptic.Curve.
pkg/internal/utils/conv: Package conv provides utilities for converting types to big endian and vice versa.
pkg/internal/utils/encryption: Package encryption provides a way to encrypt and decrypt with AES-GCM.
pkg/internal/utils/itertools: Package itertools provides a method to generate all combinations out of a given generic type array.
pkg/internal/utils/keyderivation: Package keyderivation provides a set of functions for deriving cryptographic keys.
pkg/internal/utils/structs: Package structs provides utility functions for working with structs.
pkg/keys: Package keys contains implementations of Master Keys and generic key errors.
pkg/keys/kms: Package kms contains KMS and KMS MRK Master Key implementations.
pkg/keys/raw: Package raw contains the Raw Master Key implementation.
pkg/materials: Package materials provides CryptoMaterialsManager implementations.
pkg/model: Package model contains the SDK data model.
pkg/model/format: Package format provides a set of interfaces for the SDK message format.
pkg/model/types: Package types contains the basic types used in the SDK.
pkg/providers: Package providers contains generic provider errors.
pkg/providers/keyprovider: Package keyprovider provides a way to create a KeyProvider via alias.
pkg/providers/kmsprovider: Package kmsprovider contains the KMS Master Key Provider implementation.
pkg/providers/rawprovider: Package rawprovider contains the Raw Master Key Provider implementation.
pkg/suite: Package suite provides the algorithm suites.
pkg/utils/arn: Package arn provides a set of utilities for working with Amazon Resource Names (ARNs).
test/e2e
