ecrypto

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 19, 2022 License: MPL-2.0 Imports: 6 Imported by: 23

Documentation

Overview

Package ecrypto provides convenience functions for cryptography inside an enclave.

Sealing

Sealing is the process of encrypting data with a key derived from the enclave and the CPU it is running on. Sealed data can only be decrypted by the same enclave and CPU. Use it to persist data to disk.

Use SealWithUniqueKey if the data should only be decryptable by the current enclave app version. Use SealWithProductKey if it should also be decryptable by future versions of the enclave app.

These functions perform AES-GCM encryption. If you need something else, use the seal functions of package enclave.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Decrypt

func Decrypt(ciphertext []byte, key []byte, additionalData []byte) ([]byte, error)

Decrypt decrypts a ciphertext produced by Encrypt.

The additionalData must match the value passed to Encrypt.

func Encrypt

func Encrypt(plaintext []byte, key []byte, additionalData []byte) ([]byte, error)

Encrypt encrypts a given plaintext with a supplied key using AES-GCM.

Optionally pass additionalData to be authenticated.

func SealWithProductKey

func SealWithProductKey(plaintext []byte, additionalData []byte) ([]byte, error)

SealWithProductKey encrypts a given plaintext with a key derived from the signer and product id of the enclave.

Optionally pass additionalData to be authenticated.

func SealWithUniqueKey

func SealWithUniqueKey(plaintext []byte, additionalData []byte) ([]byte, error)

SealWithUniqueKey encrypts a given plaintext with a key derived from a measurement of the enclave.

Optionally pass additionalData to be authenticated.

Ciphertexts can't be decrypted if the UniqueID of the enclave changes. If you want to be able to decrypt ciphertext across enclave versions, use SealWithProductKey.

func Unseal

func Unseal(ciphertext []byte, additionalData []byte) ([]byte, error)

Unseal decrypts a ciphertext produced by SealWithUniqueKey or SealWithProductKey.

The additionalData must match the value passed to Encrypt.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL