Documentation
Index
- Variables
- type Provider
- func (p *Provider) DecryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, ...) (decryptedKey []byte, err error)
- func (p *Provider) EncryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, ...) (buf []byte, err error)
- func (p *Provider) KeyLifetime() *time.Duration
- func (p Provider) SetCertificateCredential(endpoint string, credential azcore.TokenCredential)
- func (p *Provider) SignColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) ([]byte, error)
- func (p *Provider) VerifyColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) (*bool, error)
Constants
This section is empty.
Variables
var KeyProvider = Provider{AllowedLocations: make([]string, 0), /* contains filtered or unexported fields */}
Functions
This section is empty.
Types
type Provider
type Provider struct {
    // AllowedLocations constrains which locations the provider will use to find certificates. If empty, all locations are allowed.
    // When presented with a key store path whose endpoint is not in the allowed list, the data will be returned still encrypted.
    AllowedLocations []string
    // contains filtered or unexported fields
}
Provider implements a column encryption key provider backed by Azure Key Vault.
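As an added illustration of the AllowedLocations contract described above (this is not code from the go-mssqldb akv package), the check below parses an AKV key path, matches its host against the allow list case-insensitively, and hands a CEK from a vault outside the list back still encrypted instead of unwrapping it. The https requirement, the host-based matching and the unwrap callback are assumptions of this example; the package's own matching rules may differ.

```go
package main

import (
	"errors"
	"net/url"
	"strings"
)

// endpointAllowed reports whether the vault host in masterKeyPath (an AKV key
// URL such as https://myvault.vault.azure.net/keys/cmk/<version>) is in
// allowed. An empty list permits every host, as for an empty AllowedLocations.
func endpointAllowed(masterKeyPath string, allowed []string) (bool, error) {
	u, err := url.Parse(masterKeyPath)
	if err != nil {
		return false, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return false, errors.New("master key path must be an https URL with a host")
	}
	if len(allowed) == 0 {
		return true, nil
	}
	for _, a := range allowed {
		want := a // entries may be bare host names or full endpoint URLs (assumption)
		if au, err := url.Parse(a); err == nil && au.Host != "" {
			want = au.Host
		}
		if strings.EqualFold(want, u.Host) {
			return true, nil
		}
	}
	return false, nil
}

// decryptIfAllowed mirrors the documented contract: a CEK wrapped by a vault
// outside the allow list is handed back still encrypted. unwrap is a
// hypothetical stand-in for the real Key Vault unwrap call.
func decryptIfAllowed(masterKeyPath string, allowed []string, encryptedCek []byte,
	unwrap func(keyPath string, ct []byte) ([]byte, error)) ([]byte, error) {
	ok, err := endpointAllowed(masterKeyPath, allowed)
	if err != nil {
		return nil, err
	}
	if !ok {
		return encryptedCek, nil
	}
	return unwrap(masterKeyPath, encryptedCek)
}
```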
func (*Provider) DecryptColumnEncryptionKey
func (p *Provider) DecryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, encryptedCek []byte) (decryptedKey []byte, err error)
DecryptColumnEncryptionKey decrypts the specified encrypted value of a column encryption key. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm.
func (*Provider) EncryptColumnEncryptionKey
func (p *Provider) EncryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, cek []byte) (buf []byte, err error)
EncryptColumnEncryptionKey encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm.
func (*Provider) KeyLifetime
func (p *Provider) KeyLifetime() *time.Duration
KeyLifetime is an optional Duration. Keys fetched by this provider will be discarded after their lifetime expires. If it returns nil, the keys will expire based on the value of ColumnEncryptionKeyLifetime. If it returns zero, the keys will not be cached.
func (Provider) SetCertificateCredential
func (p Provider) SetCertificateCredential(endpoint string, credential azcore.TokenCredential)
SetCertificateCredential stores the AzureCredential associated with the given AKV endpoint. If endpoint is empty the given credential applies to all endpoints that have not been explicitly assigned a value. If SetCertificateCredential is never called, the provider uses azidentity.DefaultAzureCredential.
func (*Provider) SignColumnMasterKeyMetadata
func (p *Provider) SignColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) ([]byte, error)
SignColumnMasterKeyMetadata digitally signs the column master key metadata with the column master key referenced by the masterKeyPath parameter. The input values used to generate the signature should be the specified values of the masterKeyPath and allowEnclaveComputations parameters. May return an empty slice if not supported.
func (*Provider) VerifyColumnMasterKeyMetadata
func (p *Provider) VerifyColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) (*bool, error)
VerifyColumnMasterKeyMetadata verifies that the specified signature is valid for the column master key with the specified key path and the specified enclave behavior. Returns nil if not supported.