kms

package
v0.7.1 Latest
Warning

This package is not in the latest version of its module.

Published: Jan 24, 2025 License: MIT Imports: 16 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AWSKMS

type AWSKMS struct {
	Crypto   appencryption.AEAD
	Clients  []AWSKMSClient
	Registry metrics.Registry
}

AWSKMS implements the KeyManagementService interface and handles encryption/decryption in KMS.

func NewAWS

func NewAWS(crypto appencryption.AEAD, preferredRegion string, arnMap map[string]string) (*AWSKMS, error)

NewAWS returns a new AWSKMS used for encrypting/decrypting keys with a master key.

func (*AWSKMS) DecryptKey

func (m *AWSKMS) DecryptKey(ctx context.Context, keyBytes []byte) ([]byte, error)

DecryptKey decrypts an encrypted byte slice and returns the unencrypted key. The preferred region provided in the config is tried first; if that fails, the remaining regions are tried.

func (*AWSKMS) EncryptKey

func (m *AWSKMS) EncryptKey(ctx context.Context, keyBytes []byte) ([]byte, error)

EncryptKey encrypts a byte slice in all supported regions and returns an envelope ready to store in the metastore.
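
The region behaviour of EncryptKey and DecryptKey, modelled with the Go standard library only (an added example, not this package's code): Wrap seals a key under every region's master key, and Unwrap tries regions in the caller's order, preferred first, returning the first copy that authenticates. The in-memory 32-byte master keys, the map-shaped envelope and the names aead, Wrap and Unwrap are assumptions; the real package calls AWS KMS, and its envelope layout is not shown on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead stands in for one regional master key (assumption: AES-256-GCM, key held in memory).
func aead(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key) // a nil or missing key models an unreachable region
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Wrap seals key under every region's master key and returns region -> sealed copy.
func Wrap(masters map[string][]byte, key []byte) (map[string][]byte, error) {
	env := map[string][]byte{}
	for region, mk := range masters {
		a, err := aead(mk)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, a.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		env[region] = a.Seal(nonce, nonce, key, nil) // nonce || ciphertext || tag
	}
	return env, nil
}

// Unwrap tries regions in order (preferred first) and reports which one succeeded.
func Unwrap(masters map[string][]byte, order []string, env map[string][]byte) ([]byte, string, error) {
	for _, region := range order {
		a, err := aead(masters[region])
		if ct := env[region]; err == nil && len(ct) >= a.NonceSize() {
			if pt, err := a.Open(nil, ct[:a.NonceSize()], ct[a.NonceSize():], nil); err == nil {
				return pt, region, nil
			}
		}
	}
	return nil, "", fmt.Errorf("no region could decrypt the key")
}

func main() { fmt.Println(Unwrap(nil, []string{"us-east-1"}, nil)) }
```

A region whose copy fails GCM authentication is skipped the same way as an unreachable one, so a tampered copy cannot yield a wrong key; it only forces the fallback.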

type AWSKMSClient

type AWSKMSClient struct {
	KMS    KMS
	Region string
	ARN    string
}

AWSKMSClient contains a KMS client and region information used for encrypting a key in KMS.

type KMS

type KMS interface {
	EncryptWithContext(aws.Context, *kms.EncryptInput, ...request.Option) (*kms.EncryptOutput, error)
	GenerateDataKeyWithContext(aws.Context, *kms.GenerateDataKeyInput, ...request.Option) (*kms.GenerateDataKeyOutput, error)
	DecryptWithContext(ctx aws.Context, input *kms.DecryptInput, opts ...request.Option) (*kms.DecryptOutput, error)
}

KMS is implemented by the client in the kms package from the AWS SDK. Only the subset of its methods defined above is used.
