README
¶
Envelope
Envelope is a simple envelope encryption tool designed to help any project keep their secrets in version control cheaply and securely.
The premise is very simple; we use AWS KMS to encrypt keys that we store in a keyring file. Since everything in the keyring file is encrypted it is safe to commit to version control.
The keys in the keyring can be used to encrypt / decrypt your secrets using the envelope tool and these can be kept next to the keyring. All you will need to decrypt is sufficient IAM permissions, the keyring file and the secrets file(s).
Features:
- Multiple data keys with encryption contexts (allowing you to fine grain permissions with IAM policies)
- Recursive decryption of structured formats (YAML, JSON & TOML)
- Blob based encryption / decryption for unstructured formats
- Asymmetric encrypt / decrypt permissions using IAM policies on KMS encryption contexts (e.g. developers could encrypt production secrets but not decrypt)
- Fine grained permissions using IAM policies on encryption contexts
- Auditing of decryption key access using AWS CloudTrail w/ KMS
If you're using EC2 then you should give your instances an instance profile capable of decrypting with they KMS keys you're using for the contexts you're encrypting secrets with.
Similar projects
- AWS Systems Manager Parameters
- Stores and provides an API for configuration parameters with KMS support
- Supports versioning of parameters but not storage in version control
- SOPS
- Uses envelope encryption to encrypt YAML data
- Supports KMS & GPG
- Wants to encrypt entire file by default & sign that data (making it difficult to merge)
- credstash / unicreds
- Uses dynamodb to store data encrypted with KMS
- Supports versioning of parameters but not storage in version control
- No specific support for structured data so everything encrypted as blobs
Documentation
¶
Index ¶
- type Envelope
- func (s *Envelope) AddKey(alias string, masterKey string, context map[string]string) (string, error)
- func (s *Envelope) Decrypt(input io.Reader) ([]byte, error)
- func (s *Envelope) DecryptStructured(input io.Reader, format string) ([]byte, error)
- func (s *Envelope) Encrypt(alias string, input io.Reader) ([]byte, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Envelope ¶
type Envelope struct {
Keyring keyring.Keyring
Prefix string
StructuredErrorBehaviour func(error) (traverser.Op, error)
}
Envelope holds the configuration and keyring
func WithYamlKeyring ¶
WithYamlKeyring initializes Envelope with a yaml file based keyring
func (*Envelope) AddKey ¶
func (s *Envelope) AddKey(alias string, masterKey string, context map[string]string) (string, error)
AddKey will add the given key to the keyring with alias & context
func (*Envelope) Decrypt ¶
Decrypt will decrypt the input as a blob and return the decrypted value as a byte array
func (*Envelope) DecryptStructured ¶
DecryptStructured will parse the input as format and use the encryption prefix to automatically identify and decrypt encrypted values
Source Files
Directories