gcpckms

v2.0.12

This package is not in the latest version of its module.
Published: Apr 10, 2024 License: MPL-2.0 Imports: 10 Imported by: 7

Documentation

Constants

const (
	// General GCP values, follows TF naming conventions
	EnvGcpCkmsWrapperCredsPath = "GOOGLE_CREDENTIALS"
	EnvGcpCkmsWrapperProject   = "GOOGLE_PROJECT"
	EnvGcpCkmsWrapperLocation  = "GOOGLE_REGION"

	// CKMS-specific values
	EnvGcpCkmsWrapperKeyRing     = "GCPCKMS_WRAPPER_KEY_RING"
	EnvVaultGcpCkmsSealKeyRing   = "VAULT_GCPCKMS_SEAL_KEY_RING"
	EnvGcpCkmsWrapperCryptoKey   = "GCPCKMS_WRAPPER_CRYPTO_KEY"
	EnvVaultGcpCkmsSealCryptoKey = "VAULT_GCPCKMS_SEAL_CRYPTO_KEY"
)
const (
	// GcpCkmsEncrypt is used to directly encrypt the data with KMS
	GcpCkmsEncrypt = iota
	// GcpCkmsEnvelopeAesGcmEncrypt is when a data encryption key is generated,
	// the data is encrypted with AES-GCM, and the key is encrypted with KMS
	GcpCkmsEnvelopeAesGcmEncrypt
)

Variables

This section is empty.

Functions

func WithCredentials

func WithCredentials(with string) wrapping.Option

WithCredentials provides a way to specify credentials

func WithCryptoKey

func WithCryptoKey(with string) wrapping.Option

WithCryptoKey provides a way to choose the crypto key

func WithKeyNotRequired

func WithKeyNotRequired(with bool) wrapping.Option

WithKeyNotRequired provides a way to not require a key at config time

func WithKeyRing

func WithKeyRing(with string) wrapping.Option

WithKeyRing provides a way to choose the key ring

func WithProject

func WithProject(with string) wrapping.Option

WithProject provides a way to choose the project

func WithRegion

func WithRegion(with string) wrapping.Option

WithRegion provides a way to choose the region

func WithUserAgent

func WithUserAgent(with string) wrapping.Option

WithUserAgent provides a way to choose the user agent

Types

type OptionFunc

type OptionFunc func(*options) error

OptionFunc holds a function with local options

type Wrapper

type Wrapper struct {
	// contains filtered or unexported fields
}

func NewWrapper

func NewWrapper() *Wrapper

func (*Wrapper) Client

func (s *Wrapper) Client() *cloudkms.KeyManagementClient

Client returns the GCP KMS client used by the wrapper.

func (*Wrapper) Decrypt

func (s *Wrapper) Decrypt(ctx context.Context, in *wrapping.BlobInfo, opt ...wrapping.Option) ([]byte, error)

Decrypt is used to decrypt the ciphertext.

func (*Wrapper) Encrypt

func (s *Wrapper) Encrypt(ctx context.Context, plaintext []byte, opt ...wrapping.Option) (*wrapping.BlobInfo, error)

Encrypt is used to encrypt the master key using the GCP KMS crypto key. This returns the ciphertext, and/or any errors from this call. This should be called after s.client has been instantiated. After a successful call, the wrapper's KeyId will be set to the key's id plus its version, with the version appended at the very end of the key's id (for example, projects/<proj-id>/locations/<location-id>/keyRings/<keyring-id>/cryptoKeys/<key-id>/cryptoKeyVersions/<key-version-id>). Note: only the key's id (without its version) is used when making GCP Encrypt/Decrypt calls.

func (*Wrapper) KeyId

func (s *Wrapper) KeyId(_ context.Context) (string, error)

KeyId returns the last known CryptoKeyVersion, which is determined when the wrapper is configured (unless the WithKeyNotRequired(true) option is provided during configuration) or after successful encryption operations.

func (*Wrapper) KeyRingResourceName

func (s *Wrapper) KeyRingResourceName() string

KeyRingResourceName returns the relative resource name of the configured key ring.

func (*Wrapper) LocationName added in v2.0.2

func (s *Wrapper) LocationName() string

LocationName returns the relative location name.

func (*Wrapper) SetConfig

func (s *Wrapper) SetConfig(_ context.Context, opt ...wrapping.Option) (*wrapping.WrapperConfig, error)

SetConfig sets the fields on the Wrapper object based on values from the config parameter. Environment variables take precedence over values provided in the config struct.

Order of precedence for GCP credentials file:

* GOOGLE_CREDENTIALS environment variable
* `credentials` value from Value configuration file
* GOOGLE_APPLICATION_CREDENTIALS (https://developers.google.com/identity/protocols/application-default-credentials)

Unless the WithKeyNotRequired(true) option is provided, as a result of successful configuration, the wrapper's KeyId will be set to the primary CryptoKeyVersion.
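A pre-flight check built on two rules documented above: environment variables override configured values (SetConfig), and KeyId carries a version suffix that GCP calls do not use (Encrypt). This is an added example, not code from the gcpckms package; `resolve` and `splitKeyID` are hypothetical helpers, and the config value and KeyId in `main` are constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// resolve applies the SetConfig rule that a set environment variable wins over
// the configured value. Which of a setting's two env names wins is assumed unknown.
func resolve(envs []string, configured string, getenv func(string) string) (value, source string, findings []string) {
	for _, name := range envs {
		switch v := getenv(name); {
		case v == "":
		case value == "":
			value, source = v, "env:"+name
		case v != value:
			findings = append(findings, name+" disagrees with "+source)
		}
	}
	if value == "" {
		if configured != "" {
			source = "config"
		}
		return configured, source, findings
	}
	if configured != "" && configured != value {
		findings = append(findings, source+" overrides configured value "+configured)
	}
	return value, source, findings
}

// splitKeyID separates the CryptoKeyVersion that KeyId reports from the crypto
// key name, which is the part the Encrypt documentation says GCP calls use.
func splitKeyID(keyID string) (cryptoKey, version string, err error) {
	const marker = "/cryptoKeyVersions/"
	i := strings.LastIndex(keyID, marker)
	if !strings.HasPrefix(keyID, "projects/") || i < 0 || i+len(marker) == len(keyID) {
		return "", "", fmt.Errorf("not a CryptoKeyVersion resource name: %q", keyID)
	}
	return keyID[:i], keyID[i+len(marker):], nil
}

func main() {
	// Constructed inputs: a "vault-ring" config value and a KeyId in the documented format.
	envs := []string{"GCPCKMS_WRAPPER_KEY_RING", "VAULT_GCPCKMS_SEAL_KEY_RING"}
	fmt.Println(resolve(envs, "vault-ring", os.Getenv))
	fmt.Println(splitKeyID("projects/p/locations/global/keyRings/r/cryptoKeys/seal/cryptoKeyVersions/3"))
}
```

A non-empty findings list means the process environment, not the reviewed configuration, decides which key ring or crypto key the wrapper uses.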

func (*Wrapper) Type

Type returns the type for this particular wrapper implementation
