kms

Documentation

Overview

Package kms implements a Keycrypt using AWS's KMS service and S3. Secrets are stored using the AWS-provided s3crypto package, which uses a KMS data key to perform client-side encryption and decryption of keys.

For each key stored, s3crypto retrieves a data encryption key which is derived from a master key stored securely in KMS's HSMs. KMS returns both an encrypted and a plaintext version of the data encryption key. The key is subsequently used to encrypt the keybundle and is then thrown away. The encrypted version of the key is stored together with the bundle.

Access to Amazon's KMS is controlled by IAM security policies.

When a bundle is retrieved, s3crypto asks KMS to decrypt the key that is stored with the bundle, which in turn is used to decrypt the bundle contents.

Index

• Variables
• type Crypt
  • func New(sess *session.Session, id string) *Crypt
  • func (c *Crypt) Lookup(name string) keycrypt.Secret

Variables

var CredentialsChainVerboseErrors = false

CredentialsChainVerboseErrors is used to set aws.Config.CredentialsChainVerboseErrors when creating a kms session.

var DefaultRegion = "us-west-2"

DefaultRegion is used to set the the AWS region for looking up KMS keys.

Types

type Crypt

type Crypt struct {
	// contains filtered or unexported fields
}

Crypt implements a Keycrypt using Amazon's KMS and S3 services.

func New

func New(sess *session.Session, id string) *Crypt

Create a new Keycrypt instance which uses Amazon's KMS to store key material securely.

func (*Crypt) Lookup

func (c *Crypt) Lookup(name string) keycrypt.Secret