ecrypto

Documentation

Overview

Package ecrypto provides convenience functions for cryptography inside an enclave.

Sealing

Sealing is the process of encrypting data with a key derived from the enclave and the CPU it is running on. Sealed data can only be decrypted by the same enclave and CPU. Use it to persist data to disk.

Use SealWithUniqueKey if the data should only be decryptable by the current enclave app version. Use SealWithProductKey if it should also be decryptable by future versions of the enclave app.

These functions perform AES-GCM encryption. If you need something else, use the seal functions of package enclave.

Index

• func Decrypt(ciphertext []byte, key []byte) ([]byte, error)
• func Encrypt(plaintext []byte, key []byte) ([]byte, error)
• func SealWithProductKey(plaintext []byte) ([]byte, error)
• func SealWithUniqueKey(plaintext []byte) ([]byte, error)
• func Unseal(ciphertext []byte) ([]byte, error)

Functions

func Decrypt

func Decrypt(ciphertext []byte, key []byte) ([]byte, error)

Decrypt decrypts a ciphertext produced by Encrypt.

func Encrypt

func Encrypt(plaintext []byte, key []byte) ([]byte, error)

Encrypt encrypts a given plaintext with a supplied key using AES-GCM.

func SealWithProductKey

func SealWithProductKey(plaintext []byte) ([]byte, error)

SealWithProductKey encrypts a given plaintext with a key derived from the signer and product id of the enclave.

func SealWithUniqueKey

func SealWithUniqueKey(plaintext []byte) ([]byte, error)

SealWithUniqueKey encrypts a given plaintext with a key derived from a measurement of the enclave.

Ciphertexts can't be decrypted if the UniqueID of the enclave changes. If you want to be able to decrypt ciphertext across enclave versions, use SealWithProductKey.

func Unseal

func Unseal(ciphertext []byte) ([]byte, error)

Unseal decrypts a ciphertext produced by SealWithUniqueKey or SealWithProductKey.