Versions in this module v0 v0.0.1 Nov 23, 2020 Changes in this version + const EnvAutoEncryptionLegacy + const EnvKMSAutoEncryption + const EnvKMSKesCAPath + const EnvKMSKesCertFile + const EnvKMSKesEndpoint + const EnvKMSKesKeyFile + const EnvKMSKesKeyName + const EnvKMSMasterKey + const EnvKMSMasterKeyLegacy + const EnvKMSVaultAppRoleID + const EnvKMSVaultAppSecretID + const EnvKMSVaultAuthType + const EnvKMSVaultCAPath + const EnvKMSVaultEndpoint + const EnvKMSVaultKeyName + const EnvKMSVaultKeyVersion + const EnvKMSVaultNamespace + const EnvLegacyVaultAppRoleID + const EnvLegacyVaultAppSecretID + const EnvLegacyVaultAuthType + const EnvLegacyVaultCAPath + const EnvLegacyVaultEndpoint + const EnvLegacyVaultKeyName + const EnvLegacyVaultKeyVersion + const EnvLegacyVaultNamespace + const InsecureSealAlgorithm + const KMSKesCAPath + const KMSKesCertFile + const KMSKesEndpoint + const KMSKesKeyFile + const KMSKesKeyName + const KMSVaultAppRoleID + const KMSVaultAppRoleSecret + const KMSVaultAuthType + const KMSVaultCAPath + const KMSVaultEndpoint + const KMSVaultKeyName + const KMSVaultKeyVersion + const KMSVaultNamespace + const S3KMSKeyID + const S3KMSSealedKey + const S3SealedKey + const SSEAlgorithmAES256 + const SSEAlgorithmKMS + const SSECAlgorithm + const SSECKey + const SSECKeyMD5 + const SSECSealedKey + const SSECopyAlgorithm + const SSECopyKey + const SSECopyKeyMD5 + const SSEHeader + const SSEIV + const SSEKmsContext + const SSEKmsID + const SSEMultipart + const SSESealAlgorithm + const SealAlgorithm + var DefaultKesKVS = config.KVS + var DefaultVaultKVS = config.KVS + var ErrCustomerKeyMD5Mismatch = Errorf("The provided SSE-C key MD5 does not match the computed MD5 of the SSE-C key") + var ErrIncompatibleEncryptionMethod = Errorf("Server side encryption specified with both SSE-C and SSE-S3 headers") + var ErrInvalidCustomerAlgorithm = Errorf("The SSE-C algorithm is not supported") + var ErrInvalidCustomerKey = Errorf("The SSE-C client key is invalid")
+ var ErrInvalidEncryptionMethod = Errorf("The encryption method is not supported") + var ErrKESKeyExists = NewKESError(http.StatusBadRequest, "key does already exist") + var ErrKMSAuthLogin = Errorf("Vault service did not return auth info") + var ErrMissingCustomerKey = Errorf("The SSE-C request is missing the customer key") + var ErrMissingCustomerKeyMD5 = Errorf("The SSE-C request is missing the customer key MD5") + var ErrSecretKeyMismatch = Errorf("The secret key does not match the secret key used during upload") + var HelpKes = config.HelpKVS + var HelpVault = config.HelpKVS + var S3 = s3 + var S3KMS = s3KMS + var SSEC = ssec + var SSECopy = ssecCopy + func CreateMultipartMetadata(metadata map[string]string) map[string]string + func DecryptSinglePart(w io.Writer, offset, length int64, key ObjectKey) io.WriteCloser + func EnabledKes(kvs config.KVS) bool + func EnabledVault(kvs config.KVS) bool + func EncryptMultiPart(r io.Reader, partID int, key ObjectKey) io.Reader + func EncryptSinglePart(r io.Reader, key ObjectKey) io.Reader + func Errorf(format string, a ...interface{}) error + func GenerateIV(random io.Reader) (iv [32]byte) + func IsETagSealed(etag []byte) bool + func IsEncrypted(metadata map[string]string) bool + func IsMultiPart(metadata map[string]string) bool + func IsRequested(h http.Header) bool + func IsSourceEncrypted(metadata map[string]string) bool + func LinearJitterBackoff(min, max time.Duration, attemptNum int) time.Duration + func NewKESError(code int, text string) error + func RemoveInternalEntries(metadata map[string]string) + func RemoveSSEHeaders(metadata map[string]string) + func RemoveSensitiveEntries(metadata map[string]string) + func RemoveSensitiveHeaders(h http.Header) + func SetKMSConfig(s config.Config, cfg KMSConfig) + type Context map[string]string + func (c Context) AppendTo(dst []byte) (output []byte) + func (c Context) WriteTo(w io.Writer) (n int64, err error) + type Error struct + func (e Error) Error() string
+ func (e Error) Unwrap() error + type KMS interface + CreateKey func(keyID string) error + DefaultKeyID func() string + GenerateKey func(keyID string, context Context) (key [32]byte, sealedKey []byte, err error) + Info func() KMSInfo + UnsealKey func(keyID string, sealedKey []byte, context Context) (key [32]byte, err error) + func NewKMS(cfg KMSConfig) (kms KMS, err error) + func NewKes(cfg KesConfig) (KMS, error) + func NewMasterKey(keyID string, key [32]byte) KMS + func NewVault(config VaultConfig) (KMS, error) + func ParseMasterKey(envArg string) (KMS, error) + type KMSConfig struct + AutoEncryption bool + Kes KesConfig + Vault VaultConfig + func LookupConfig(c config.Config, defaultRootCAsDir string, transport *http.Transport) (KMSConfig, error) + type KMSInfo struct + AuthType string + Endpoints []string + Name string + type KesConfig struct + CAPath string + CertFile string + DefaultKeyID string + Enabled bool + Endpoint []string + KeyFile string + Transport *http.Transport + func LookupKesConfig(kvs config.KVS) (KesConfig, error) + func (k KesConfig) Verify() (err error) + type ObjectKey [32]byte + func GenerateKey(extKey [32]byte, random io.Reader) (key ObjectKey) + func (key *ObjectKey) Unseal(extKey [32]byte, sealedKey SealedKey, domain, bucket, object string) error + func (key ObjectKey) DerivePartKey(id uint32) (partKey [32]byte) + func (key ObjectKey) Seal(extKey, iv [32]byte, domain, bucket, object string) SealedKey + func (key ObjectKey) SealETag(etag []byte) []byte + func (key ObjectKey) UnsealETag(etag []byte) ([]byte, error) + type SealedKey struct + Algorithm string + IV [32]byte + Key [64]byte + type VaultAppRole struct + ID string + Secret string + type VaultAuth struct + AppRole VaultAppRole + Type string + type VaultConfig struct + Auth VaultAuth + CAPath string + Enabled bool + Endpoint string + Key VaultKey + Namespace string + func LookupVaultConfig(kvs config.KVS) (VaultConfig, error) + func (v *VaultConfig) Verify() (err error)
+ type VaultKey struct + Name string + Version int