aecmk

package
v1.7.1

This package is not in the latest version of its module.
Published: Mar 19, 2024 License: BSD-3-Clause Imports: 4 Imported by: 0

Documentation

Constants

const (
	CertificateStoreKeyProvider = "MSSQL_CERTIFICATE_STORE"
	CspKeyProvider              = "MSSQL_CSP_PROVIDER"
	CngKeyProvider              = "MSSQL_CNG_STORE"
	AzureKeyVaultKeyProvider    = "AZURE_KEY_VAULT"
	JavaKeyProvider             = "MSSQL_JAVA_KEYSTORE"
	KeyEncryptionAlgorithm      = "RSA_OAEP"
)

Variables

var ColumnEncryptionKeyLifetime time.Duration = 2 * time.Hour

ColumnEncryptionKeyLifetime is the default lifetime of decrypted Column Encryption Keys in the global cache. The default is 2 hours.

Functions

func KeyPathNotAllowed added in v1.7.0

func KeyPathNotAllowed(path string, operation Operation) error

func NewError added in v1.7.0

func NewError(operation Operation, msg string, err error) error

func RegisterCekProvider

func RegisterCekProvider(name string, provider ColumnEncryptionKeyProvider) error

RegisterCekProvider adds the named provider to the global provider list.

Types

type CekProvider

type CekProvider struct {
	Provider ColumnEncryptionKeyProvider
	// contains filtered or unexported fields
}

func NewCekProvider

func NewCekProvider(provider ColumnEncryptionKeyProvider) *CekProvider

func (*CekProvider) GetDecryptedKey

func (cp *CekProvider) GetDecryptedKey(ctx context.Context, keyPath string, encryptedBytes []byte) (decryptedKey []byte, err error)

type ColumnEncryptionKeyProvider

type ColumnEncryptionKeyProvider interface {
	// DecryptColumnEncryptionKey decrypts the specified encrypted value of a column encryption key.
	// The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm.
	DecryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, encryptedCek []byte) ([]byte, error)
	// EncryptColumnEncryptionKey encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm.
	EncryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, cek []byte) ([]byte, error)
	// SignColumnMasterKeyMetadata digitally signs the column master key metadata with the column master key
	// referenced by the masterKeyPath parameter. The input values used to generate the signature should be the
	// specified values of the masterKeyPath and allowEnclaveComputations parameters. May return an empty slice if not supported.
	SignColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) ([]byte, error)
	// VerifyColumnMasterKeyMetadata verifies the specified signature is valid for the column master key
	// with the specified key path and the specified enclave behavior. Return nil if not supported.
	VerifyColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) (*bool, error)
	// KeyLifetime is an optional Duration. Keys fetched by this provider will be discarded after their lifetime expires.
	// If it returns nil, the keys will expire based on the value of ColumnEncryptionKeyLifetime.
	// If it returns zero, the keys will not be cached.
	KeyLifetime() *time.Duration
}

ColumnEncryptionKeyProvider is the interface for decrypting and encrypting column encryption keys. It is similar to the .NET SqlColumnEncryptionKeyStoreProvider: https://learn.microsoft.com/dotnet/api/microsoft.data.sqlclient.sqlcolumnencryptionkeystoreprovider.
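As an added example (not code from the package or its documentation), here is a hypothetical in-memory implementation of this interface that wraps column encryption keys with RSA-OAEP under the KeyEncryptionAlgorithm constant. The MemProvider type, its Path/Key/Lifetime fields and the SHA-256 OAEP choice are assumptions of the example; the module itself is not imported, so the file builds stand-alone.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

const KeyEncryptionAlgorithm = "RSA_OAEP"

// MemProvider is a hypothetical provider owning one RSA column master key under a single key path; its methods carry the ColumnEncryptionKeyProvider signatures shown above, so a value could be passed to RegisterCekProvider.
type MemProvider struct {
	Path     string
	Key      *rsa.PrivateKey
	Lifetime time.Duration // returned by KeyLifetime; zero means decrypted CEKs are never cached
}

// check rejects unsupported algorithms and unknown key paths before any key material is touched.
func (p *MemProvider) check(masterKeyPath, alg string) error {
	if alg != KeyEncryptionAlgorithm {
		return errors.New("unsupported key encryption algorithm: " + alg)
	}
	if masterKeyPath != p.Path {
		return errors.New("key path not allowed: " + masterKeyPath)
	}
	return nil
}

func (p *MemProvider) EncryptColumnEncryptionKey(_ context.Context, masterKeyPath, alg string, cek []byte) ([]byte, error) {
	if err := p.check(masterKeyPath, alg); err != nil {
		return nil, err
	}
	// OAEP with SHA-256 is this example's choice; it must match whatever wrapped the CEKs being read.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.Key.PublicKey, cek, nil)
}

func (p *MemProvider) DecryptColumnEncryptionKey(_ context.Context, masterKeyPath, alg string, encryptedCek []byte) ([]byte, error) {
	if err := p.check(masterKeyPath, alg); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, p.Key, encryptedCek, nil)
}

// Metadata signing is optional per the interface: empty signature, nil verification result.
func (p *MemProvider) SignColumnMasterKeyMetadata(context.Context, string, bool) ([]byte, error) { return nil, nil }
func (p *MemProvider) VerifyColumnMasterKeyMetadata(context.Context, string, bool) (*bool, error) { return nil, nil }
func (p *MemProvider) KeyLifetime() *time.Duration { return &p.Lifetime }
```

A decrypt with the wrong key path, the wrong algorithm name, or a modified ciphertext all fail before any plaintext CEK is returned, which is the behaviour a driver-side cache of decrypted keys depends on.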

type ColumnEncryptionKeyProviderMap

type ColumnEncryptionKeyProviderMap map[string]*CekProvider

There is no synchronization on this map; providers are expected to register during init.

func GetGlobalCekProviders

func GetGlobalCekProviders() (providers ColumnEncryptionKeyProviderMap)

GetGlobalCekProviders enumerates all globally registered providers.

type Error added in v1.7.0

type Error struct {
	Operation Operation
	// contains filtered or unexported fields
}

Error is the type of all errors returned by key encryption providers.

func (*Error) Error added in v1.7.0

func (e *Error) Error() string

func (*Error) Unwrap added in v1.7.0

func (e *Error) Unwrap() error

type Operation added in v1.7.0

type Operation int

Operation specifies the action that returned an error.

const (
	Decryption Operation = iota
	Encryption
	Validation
)
