Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Config
type Config struct {
	// Endpoints contains a list of KMS server
	// HTTP endpoints.
	Endpoints []string

	// DefaultKeyID is the key ID used when
	// no explicit key ID is specified for
	// a cryptographic operation.
	DefaultKeyID string

	// Certificate is the client TLS certificate
	// to authenticate to KMS via mTLS.
	Certificate tls.Certificate

	// RootCAs is a set of root CA certificates
	// to verify the KMS server TLS certificate.
	RootCAs *x509.CertPool
}
Config contains the KMS-related configuration parameters, such as the KMS endpoints and the authentication credentials.
type Context
Context is a set of key-value pairs that are associated with a generated data encryption key (DEK).
A KMS implementation may bind the context to the generated DEK, such that the same context must be provided when decrypting an encrypted DEK.
func (Context) MarshalText
MarshalText sorts the context keys and writes the sorted key-value pairs as a canonical JSON object. The sort order is based on the un-escaped keys. It never returns an error.
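The following is an added example, not this package's own implementation, of what the MarshalText contract above amounts to in code. It assumes Context is a map of string key-value pairs (the page does not show its underlying type). The hypothetical helper marshalByEscapedKeys is included only to show why the sort order has to be defined on the raw keys: escaping a key can change where it sorts, and a KMS that bound the context through its encoding would then see two different encodings for the same set of pairs.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
)

// Context is assumed here to be a map of string pairs; the page does not show
// its underlying type.
type Context map[string]string

// MarshalText writes the context as a canonical JSON object: keys sorted by
// their raw (un-escaped) byte order, each key and value JSON-escaped. Equal
// contexts therefore always encode to identical bytes, which is what lets a
// KMS bind a context to a DEK. It never returns an error.
func (c Context) MarshalText() ([]byte, error) {
	keys := make([]string, 0, len(c))
	for k := range c {
		keys = append(keys, k)
	}
	sort.Strings(keys) // sort before escaping

	var b bytes.Buffer
	b.WriteByte('{')
	for i, k := range keys {
		if i > 0 {
			b.WriteByte(',')
		}
		ek, _ := json.Marshal(k) // escaping a Go string cannot fail
		ev, _ := json.Marshal(c[k])
		b.Write(ek)
		b.WriteByte(':')
		b.Write(ev)
	}
	b.WriteByte('}')
	return b.Bytes(), nil
}

// marshalByEscapedKeys is a deliberately wrong variant that sorts the keys
// after escaping. It shows why the order must be defined on the raw keys:
// escaping inserts a backslash (0x5c), which moves a key whose first raw
// byte sorts before 0x5c behind keys it should precede.
func marshalByEscapedKeys(c Context) []byte {
	type pair struct{ k, v []byte }
	pairs := make([]pair, 0, len(c))
	for k, v := range c {
		ek, _ := json.Marshal(k)
		ev, _ := json.Marshal(v)
		pairs = append(pairs, pair{ek, ev})
	}
	sort.Slice(pairs, func(i, j int) bool { return bytes.Compare(pairs[i].k, pairs[j].k) < 0 })
	var b bytes.Buffer
	b.WriteByte('{')
	for i, p := range pairs {
		if i > 0 {
			b.WriteByte(',')
		}
		b.Write(p.k)
		b.WriteByte(':')
		b.Write(p.v)
	}
	b.WriteByte('}')
	return b.Bytes()
}

func main() {
	// Constructed sample: the raw key `"` (0x22) sorts before `#` (0x23),
	// but its escaped form `\"` starts with 0x5c and would sort after.
	ctx := Context{"#": "two", "\"": "one"}
	canon, _ := ctx.MarshalText()
	fmt.Printf("canonical:      %s\n", canon)                     // {"\"":"one","#":"two"}
	fmt.Printf("escaped-sorted: %s\n", marshalByEscapedKeys(ctx)) // {"#":"two","\"":"one"}
}
```

Because the keys are sorted before escaping, the output matches what encoding/json produces for a plain string map (it also sorts by the raw key), so either encoding can serve as the canonical form as long as both sides of a DEK's lifetime use the same one.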
type DEK
DEK is a data encryption key. It consists of a plaintext-ciphertext pair and the ID of the key used to generate the ciphertext.
The plaintext can be used for cryptographic operations, such as encrypting data. The ciphertext is the encrypted version of the plaintext and can be stored on untrusted storage.
func (DEK) MarshalText
MarshalText encodes the DEK's key ID and ciphertext as JSON.
func (*DEK) UnmarshalText
UnmarshalText decodes text as the JSON representation of a DEK and sets the DEK's key ID and ciphertext to the decoded values.
It sets the DEK's plaintext to nil.
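As an added example (not this package's code), the DEK serialization contract described above, written out so that the security property is visible: only the key ID and ciphertext are ever encoded, and a DEK read back from storage comes up with a nil plaintext. The JSON field names, the objectMeta record and the persistAndReload helper are assumptions made for the illustration; the page only states which fields are encoded.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// DEK as described on the page: plaintext, ciphertext and the ID of the key
// that produced the ciphertext.
type DEK struct {
	KeyID      string
	Plaintext  []byte
	Ciphertext []byte
}

// dekJSON is the serialized form. The field names are an assumption; the page
// only says that key ID and ciphertext are encoded. There is deliberately no
// field for the plaintext, so it cannot be written out by accident.
type dekJSON struct {
	KeyID      string `json:"keyid"`
	Ciphertext []byte `json:"ciphertext"` // encoding/json base64-encodes []byte
}

// MarshalText encodes the DEK's key ID and ciphertext as JSON.
func (d DEK) MarshalText() ([]byte, error) {
	return json.Marshal(dekJSON{KeyID: d.KeyID, Ciphertext: d.Ciphertext})
}

// UnmarshalText decodes the JSON form and resets the plaintext to nil: a DEK
// read back from storage must be unwrapped through the KMS before use.
func (d *DEK) UnmarshalText(text []byte) error {
	var v dekJSON
	if err := json.Unmarshal(text, &v); err != nil {
		return err
	}
	if v.KeyID == "" || len(v.Ciphertext) == 0 {
		return errors.New("kms: DEK JSON lacks key ID or ciphertext")
	}
	d.KeyID, d.Ciphertext, d.Plaintext = v.KeyID, v.Ciphertext, nil
	return nil
}

// objectMeta is a hypothetical record stored next to an encrypted object.
// Because DEK implements encoding.TextMarshaler, encoding/json stores the
// field as a JSON string containing the DEK's own JSON.
type objectMeta struct {
	Name string `json:"name"`
	Key  DEK    `json:"key"`
}

// persistAndReload round-trips a DEK through objectMeta and returns the
// stored bytes together with the reloaded DEK.
func persistAndReload(d DEK) ([]byte, DEK, error) {
	stored, err := json.Marshal(objectMeta{Name: "report.pdf", Key: d})
	if err != nil {
		return nil, DEK{}, err
	}
	var m objectMeta
	if err := json.Unmarshal(stored, &m); err != nil {
		return nil, DEK{}, err
	}
	return stored, m.Key, nil
}

func main() {
	// Constructed sample values, not real key material.
	d := DEK{KeyID: "my-master-key", Plaintext: []byte("plaintext-dek-bytes"), Ciphertext: []byte("wrapped-by-kms")}
	stored, back, err := persistAndReload(d)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %s\n", stored)
	fmt.Printf("reloaded plaintext is nil: %v\n", back.Plaintext == nil) // true
}
```

The nil plaintext after UnmarshalText is the point: code that holds a DEK loaded from metadata cannot mistake it for a usable key and has to go through KMS.DecryptKey, which is where the key ID and context are checked.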
type KMS
type KMS interface {
	// Stat returns the current KMS status.
	Stat() (Status, error)

	// CreateKey creates a new key at the KMS with the given key ID.
	CreateKey(keyID string) error

	// GenerateKey generates a new data encryption key using the
	// key referenced by the key ID.
	//
	// The KMS may use a default key if the key ID is empty.
	// GenerateKey returns an error if the referenced key does
	// not exist.
	//
	// The context is associated and tied to the generated DEK.
	// The same context must be provided when the generated key
	// should be decrypted. Therefore, it is the caller's
	// responsibility to remember the corresponding context for
	// a particular DEK. The context may be nil.
	GenerateKey(keyID string, context Context) (DEK, error)

	// DecryptKey decrypts the ciphertext with the key referenced
	// by the key ID. The context must match the context value
	// used to generate the ciphertext.
	DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error)
}
KMS is the generic interface that abstracts over different KMS implementations.
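To make the GenerateKey/DecryptKey contract concrete, here is an added in-process implementation (hypothetical; not one of this package's KMS backends). It realizes "the context is tied to the generated DEK" by wrapping each DEK with AES-GCM under a named 256-bit key and feeding the context in as associated data, so that decryption under any other context fails authentication and returns no key. The AES-GCM wrapping, the map type for Context, the contextAAD helper and the memKMS type are all assumptions for the example; Stat and the Status type are left out, and the type is not safe for concurrent use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Context and DEK follow the page; the map type for Context is an assumption.
type Context map[string]string
type DEK struct {
	KeyID      string
	Plaintext  []byte
	Ciphertext []byte
}

// memKMS is a hypothetical in-process KMS: each named key is a 256-bit AES key
// that wraps DEKs with AES-GCM, with the context as associated data.
type memKMS struct {
	defaultKey string
	keys       map[string][]byte
}

func newMemKMS(defaultKey string) *memKMS {
	return &memKMS{defaultKey: defaultKey, keys: map[string][]byte{}}
}

func (m *memKMS) CreateKey(keyID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	m.keys[keyID] = k
	return nil
}

// aead resolves an empty key ID to the default key and returns AES-GCM for it.
func (m *memKMS) aead(keyID string) (string, cipher.AEAD, error) {
	if keyID == "" {
		keyID = m.defaultKey
	}
	k, ok := m.keys[keyID]
	if !ok {
		return "", nil, fmt.Errorf("kms: key %q does not exist", keyID)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return "", nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return keyID, gcm, err
}

// contextAAD gives deterministic associated data: encoding/json sorts map keys,
// so equal contexts encode identically; nil and empty contexts are treated alike.
func contextAAD(c Context) []byte {
	if len(c) == 0 {
		return nil
	}
	aad, _ := json.Marshal(map[string]string(c)) // a string map always encodes
	return aad
}

func (m *memKMS) GenerateKey(keyID string, context Context) (DEK, error) {
	id, gcm, err := m.aead(keyID)
	if err != nil {
		return DEK{}, err
	}
	buf := make([]byte, 32+gcm.NonceSize()) // fresh DEK followed by the nonce
	if _, err := rand.Read(buf); err != nil {
		return DEK{}, err
	}
	plaintext, nonce := buf[:32], buf[32:]
	// Ciphertext layout: nonce || AES-GCM(plaintext, aad = context).
	ct := gcm.Seal(nonce, nonce, plaintext, contextAAD(context))
	return DEK{KeyID: id, Plaintext: plaintext, Ciphertext: ct}, nil
}

// DecryptKey unwraps a ciphertext from GenerateKey; a mismatched context
// changes the AAD, so GCM tag verification fails and no key is returned.
func (m *memKMS) DecryptKey(keyID string, ciphertext []byte, context Context) ([]byte, error) {
	_, gcm, err := m.aead(keyID)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(ciphertext) >= n {
		return gcm.Open(nil, ciphertext[:n], ciphertext[n:], contextAAD(context))
	}
	return nil, fmt.Errorf("kms: ciphertext too short")
}

func main() {
	k := newMemKMS("master")
	_ = k.CreateKey("master")
	dek, _ := k.GenerateKey("", Context{"bucket": "b1"})
	_, err := k.DecryptKey(dek.KeyID, dek.Ciphertext, Context{"bucket": "b2"})
	fmt.Println("decrypt with wrong context:", err) // GCM authentication failure
}
```

Note that GenerateKey returns the resolved key ID when called with an empty one; callers should persist that ID (and remember the context) alongside the ciphertext, since the default key may change later and DecryptKey must be pointed at the key that actually did the wrapping.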
func NewWithConfig
NewWithConfig returns a new KMS using the given configuration.
type Status
type Status struct {
	Name      string   // The name of the KMS
	Endpoints []string // A set of the KMS endpoints

	// DefaultKey is the key used when no explicit key ID
	// is specified. It is empty if the KMS does not support
	// a default key.
	DefaultKey string
}
Status describes the current state of a KMS.