Documentation
¶
Index ¶
- Constants
- Variables
- type InvalidCertificatePathError
- type Provider
- func (p *Provider) DecryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, ...) (decryptedKey []byte, err error)
- func (p *Provider) EncryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, ...) (buf []byte, err error)
- func (p *Provider) KeyLifetime() *time.Duration
- func (p Provider) SetCertificatePassword(location string, password string)
- func (p *Provider) SignColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) ([]byte, error)
- func (p *Provider) VerifyColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) (*bool, error)
Constants ¶
const (
PfxKeyProviderName = "pfx"
)
Variables ¶
var PfxKeyProvider = Provider{AllowedLocations: make([]string, 0), /* contains filtered or unexported fields */}
Functions ¶
This section is empty.
Types ¶
type InvalidCertificatePathError ¶
type InvalidCertificatePathError struct {
// contains filtered or unexported fields
}
InvalidCertificatePathError indicates the provided path could not be used to load a certificate
func (*InvalidCertificatePathError) Error ¶
func (i *InvalidCertificatePathError) Error() string
func (*InvalidCertificatePathError) Unwrap ¶
func (i *InvalidCertificatePathError) Unwrap() error
type Provider ¶
type Provider struct {
// AllowedLocations constrains which locations the provider will use to find certificates. If empty, all locations are allowed.
// When presented with a key store path not in the allowed list, the data will be returned still encrypted.
AllowedLocations []string
// contains filtered or unexported fields
}
Provider uses local certificates to decrypt CEKs It supports both 'MSSQL_CERTIFICATE_STORE' and 'pfx' key stores. MSSQL_CERTIFICATE_STORE key paths are of the form `storename/storepath/thumbprint` and only supported on Windows clients. pfx key paths are absolute file system paths that are operating system dependent.
func (*Provider) DecryptColumnEncryptionKey ¶
func (p *Provider) DecryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, encryptedCek []byte) (decryptedKey []byte, err error)
DecryptColumnEncryptionKey decrypts the specified encrypted value of a column encryption key. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm.
func (*Provider) EncryptColumnEncryptionKey ¶
func (p *Provider) EncryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, cek []byte) (buf []byte, err error)
EncryptColumnEncryptionKey encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm.
func (*Provider) KeyLifetime ¶
KeyLifetime is an optional Duration. Keys fetched by this provider will be discarded after their lifetime expires. If it returns nil, the keys will expire based on the value of ColumnEncryptionKeyLifetime. If it returns zero, the keys will not be cached.
func (Provider) SetCertificatePassword ¶
SetCertificatePassword stores the password associated with the certificate at the given location. If location is empty the given password applies to all certificates that have not been explicitly assigned a value.
func (*Provider) SignColumnMasterKeyMetadata ¶
func (p *Provider) SignColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) ([]byte, error)
SignColumnMasterKeyMetadata digitally signs the column master key metadata with the column master key referenced by the masterKeyPath parameter. The input values used to generate the signature should be the specified values of the masterKeyPath and allowEnclaveComputations parameters. May return an empty slice if not supported.
func (*Provider) VerifyColumnMasterKeyMetadata ¶
func (p *Provider) VerifyColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) (*bool, error)
VerifyColumnMasterKeyMetadata verifies the specified signature is valid for the column master key with the specified key path and the specified enclave behavior. Return nil if not supported.
Source Files