endec

package
v0.1.2
Published: Feb 16, 2025 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Open

func Open(aead cipher.AEAD, ciphertext []byte) ([]byte, error)

Open decrypts the given ciphertext with the given cipher.AEAD.

func Seal

func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error)

Seal encrypts the given plaintext with the given cipher.AEAD.

Types

type Endec

type Endec interface {
	// Encode encrypts the given plaintext.
	Encode(ctx context.Context, plaintext []byte) (ciphertext []byte, err error)
	// Decode decrypts the given ciphertext.
	Decode(ctx context.Context, ciphertext []byte) (plaintext []byte, err error)
}

Endec provides methods for encrypting and decrypting data that fit in memory.

Unlike EndecWithKey, an Endec instance retrieves its key by its own means (for example, from a secrets store). Endecs can be used to encrypt and decrypt binary (or string) tokens so that they are opaque to whoever holds them.

func NewAESWithKey

func NewAESWithKey(key []byte) (Endec, error)

NewAESWithKey returns a new Endec using the given AES key.

The key must be either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.

func NewChaCha20Poly1305WithKey

func NewChaCha20Poly1305WithKey(key []byte) (Endec, error)

NewChaCha20Poly1305WithKey returns a ChaCha20-Poly1305 Endec that uses the given 256-bit key.

type EndecWithKey

type EndecWithKey interface {
	// EncodeWithKey encrypts the plaintext with the given key.
	EncodeWithKey(ctx context.Context, key, plaintext []byte) (ciphertext []byte, err error)
	// DecodeWithKey decrypts the ciphertext with the given key.
	DecodeWithKey(ctx context.Context, key, ciphertext []byte) (plaintext []byte, err error)
}

EndecWithKey provides methods for encrypting and decrypting data that fit in memory.

EndecWithKey instances must be given a key at encryption/decryption time as opposed to Endec.

func NewAES

func NewAES() EndecWithKey

NewAES returns a new EndecWithKey that uses the AES key given at encryption/decryption time (16, 24, or 32 bytes, as for NewAESWithKey).

func NewChaCha20Poly1305

func NewChaCha20Poly1305() EndecWithKey

NewChaCha20Poly1305 returns a new ChaCha20-Poly1305 EndecWithKey that uses the 256-bit key given at encryption/decryption time.

type GetParameterAPIClient

type GetParameterAPIClient interface {
	GetParameter(context.Context, *ssm.GetParameterInput, ...func(*ssm.Options)) (*ssm.GetParameterOutput, error)
}

GetParameterAPIClient abstracts the AWS Systems Manager GetParameter API, which is used by ParameterStoreEndec.

type GetSecretValueAPIClient

type GetSecretValueAPIClient interface {
	GetSecretValue(context.Context, *secretsmanager.GetSecretValueInput, ...func(*secretsmanager.Options)) (*secretsmanager.GetSecretValueOutput, error)
}

GetSecretValueAPIClient abstracts the AWS Secrets Manager GetSecretValue API, which is used by SecretsManagerEndec.

type ParameterStoreEndec

type ParameterStoreEndec interface {
	// GetValueBinary returns the parameter value from AWS Systems Manager as binary.
	GetValueBinary(ctx context.Context, version int64) ([]byte, int64, error)
	Endec
}

ParameterStoreEndec is an Endec whose key is retrieved from AWS Systems Manager Parameter Store.

To make sure the key version used for encryption is also the one used for decryption, the key's version is affixed (in plaintext, TLV-encoded) to the ciphertext, so that decryption can fetch exactly that version.

func NewParameterStoreEndec

func NewParameterStoreEndec(client GetParameterAPIClient, name string, optFns ...func(*ParameterStoreEndecOptions)) ParameterStoreEndec

NewParameterStoreEndec returns a new ParameterStoreEndec.

See ParameterStoreEndecOptions for customisation options.

type ParameterStoreEndecOptions

type ParameterStoreEndecOptions struct {
	// Endec controls the encryption/decryption algorithm.
	//
	// By default, [NewChaCha20Poly1305] is used, which requires a 256-bit key from Parameter Store.
	Endec EndecWithKey

	// WithDecryption overrides [ssm.GetParameterInput.WithDecryption].
	WithDecryption *bool

	// Label, if set, is appended as a label suffix to [ssm.GetParameterInput.Name].
	//
	// If a version is available, the label is not appended, since Parameter Store (unlike Secrets Manager) only
	// allows specifying one or the other.
	Label *string

	// ValueDecoder can be used to control how the parameter value is decoded into a key.
	//
	// If not given, the default function will cycle through this list of decoders:
	//  1. [base64.RawStdEncoding.DecodeString]
	//  2. [hex.DecodeString]
	//  3. `[]byte(string)`
	ValueDecoder func(string) ([]byte, error)
}

ParameterStoreEndecOptions customises NewParameterStoreEndec.

type SecretsManagerEndec

type SecretsManagerEndec interface {
	// GetSecretBinary returns the secret from AWS Secrets Manager as binary.
	GetSecretBinary(ctx context.Context, versionId *string) ([]byte, *string, error)
	Endec
}

SecretsManagerEndec is an Endec whose key is retrieved from AWS Secrets Manager.

To make sure the key version used for encryption is also the one used for decryption, the key's version id is affixed (in plaintext, TLV-encoded) to the ciphertext, so that decryption can fetch exactly that version.
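The Seal/Open helpers, the Endec interface and the version-affixing scheme of ParameterStoreEndec and SecretsManagerEndec, as one added example that is not the package's own code: it implements Seal/Open over AES-GCM with a random nonce prepended to the ciphertext, prefixes a minimal TLV header carrying the key version, and uses an in-memory versioned key store standing in for Parameter Store, then shows that a token issued before a key rotation still decrypts because the header names the key that was used. The wire layouts (nonce prefix, TLV type 0x01 with an 8-byte big-endian version), the zero-filled demo keys and the names storeEndec, aeadFor and RoundTripAfterRotation are assumptions of this example; the package does not document its own layout.

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Seal encrypts plaintext under aead with a fresh random nonce and returns
// nonce || ciphertext+tag (an assumed layout; the package does not document its own).
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open splits off the nonce, then authenticates and decrypts the remainder.
func Open(aead cipher.AEAD, ciphertext []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(ciphertext) < n+aead.Overhead() {
		return nil, errors.New("ciphertext too short") // slicing below would panic
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// Hypothetical TLV header: type byte 0x01, length byte 8, then the key version
// as a big-endian uint64. It is stored in plaintext in front of the ciphertext.
const tagKeyVersion byte = 0x01

// storeEndec stands in for a ParameterStoreEndec: keys is a constructed versioned store.
type storeEndec struct {
	keys    map[int64][]byte
	current int64 // version Encode uses; Decode uses whatever the header names
}

// aeadFor builds AES-GCM for one key version (16/24/32-byte keys select AES-128/192/256).
func (e *storeEndec) aeadFor(version int64) (cipher.AEAD, error) {
	key, ok := e.keys[version]
	if !ok {
		return nil, fmt.Errorf("no key for version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encode encrypts under the current key and prefixes its version as a TLV.
func (e *storeEndec) Encode(_ context.Context, plaintext []byte) ([]byte, error) {
	aead, err := e.aeadFor(e.current)
	if err != nil {
		return nil, err
	}
	ct, err := Seal(aead, plaintext)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 10)
	hdr[0], hdr[1] = tagKeyVersion, 8
	binary.BigEndian.PutUint64(hdr[2:], uint64(e.current))
	return append(hdr, ct...), nil
}

// Decode checks the TLV header and opens with exactly the recorded key version.
func (e *storeEndec) Decode(_ context.Context, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 10 || ciphertext[0] != tagKeyVersion || ciphertext[1] != 8 {
		return nil, errors.New("missing key-version header")
	}
	aead, err := e.aeadFor(int64(binary.BigEndian.Uint64(ciphertext[2:10])))
	if err != nil {
		return nil, err
	}
	return Open(aead, ciphertext[10:])
}

// RoundTripAfterRotation encrypts msg under version 1, rotates the store to a new
// version 2, and decrypts the old token; its header selects key 1, so it succeeds.
func RoundTripAfterRotation(msg string) (string, error) {
	k1, k2 := make([]byte, 32), make([]byte, 32) // constructed demo keys
	k2[0] = 0xff
	e := &storeEndec{keys: map[int64][]byte{1: k1}, current: 1}
	tok, err := e.Encode(context.Background(), []byte(msg))
	if err != nil {
		return "", err
	}
	e.keys[2], e.current = k2, 2 // rotation after the token was issued
	pt, err := e.Decode(context.Background(), tok)
	return string(pt), err
}

func main() { fmt.Println(RoundTripAfterRotation("session:42")) }
```

The version header is not authenticated, but it only selects which key to try: a modified header either names a version the store does not have or leads to a tag-check failure under the wrong key, so it cannot make an altered token decrypt. Old key versions must stay retrievable for as long as tokens encrypted under them are in circulation.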

func NewSecretsManagerEndec

func NewSecretsManagerEndec(client GetSecretValueAPIClient, secretId string, optFns ...func(*SecretsManagerEndecOptions)) SecretsManagerEndec

NewSecretsManagerEndec returns a new SecretsManagerEndec.

See SecretsManagerEndecOptions for customisation options.

type SecretsManagerEndecOptions

type SecretsManagerEndecOptions struct {
	// Endec controls the encryption/decryption algorithm.
	//
	// By default, [NewChaCha20Poly1305] is used, which requires a 256-bit key from AWS Secrets Manager.
	Endec EndecWithKey

	// VersionStage overrides [secretsmanager.GetSecretValueInput.VersionStage].
	VersionStage *string

	// SecretStringDecoder can be used to control how the secret value is decoded into a key.
	//
	// By default, the [secretsmanager.GetSecretValueOutput.SecretBinary] is used as the secret key. If this is not
	// available because the secret was provided as a string instead, this function controls how the
	// [secretsmanager.GetSecretValueOutput.SecretString] is transformed into the secret key. If not given, the
	// default function will cycle through this list of decoders:
	//  1. [base64.RawStdEncoding.DecodeString]
	//  2. [hex.DecodeString]
	//  3. `[]byte(string)`
	SecretStringDecoder func(string) ([]byte, error)
}

SecretsManagerEndecOptions customises NewSecretsManagerEndec.
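The default decoder chain shared by ParameterStoreEndecOptions.ValueDecoder and SecretsManagerEndecOptions.SecretStringDecoder (base64 raw, then hex, then the literal string), reproduced as an added example rather than the package's own function, and run over several encodings of one constructed 32-byte key. It shows which forms the chain decodes to the intended 32 bytes and which it does not: a hex string is made only of base64-alphabet characters, so the base64 step claims it first and yields 3/4 of the hex length, and padded base64 fails the raw-base64 step and falls through to the literal bytes. The names DefaultKeyDecoder, HexOnlyDecoder, KeyBytesFor and SampleResults are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// DefaultKeyDecoder reproduces the documented fallback order: raw (unpadded)
// standard base64, then hex, then the literal bytes of the string.
func DefaultKeyDecoder(s string) ([]byte, error) {
	if b, err := base64.RawStdEncoding.DecodeString(s); err == nil {
		return b, nil
	}
	if b, err := hex.DecodeString(s); err == nil {
		return b, nil
	}
	return []byte(s), nil // last resort: the string itself is the key
}

// HexOnlyDecoder is the explicit ValueDecoder/SecretStringDecoder a deployment
// passes when it knows the stored value is hex, removing the ambiguity below.
func HexOnlyDecoder(s string) ([]byte, error) { return hex.DecodeString(s) }

// KeyBytesFor runs a decoder and reports the resulting key length, which is what
// the cipher constructor judges the value on (32 for ChaCha20-Poly1305; 16/24/32 for AES).
func KeyBytesFor(decoder func(string) ([]byte, error), s string) (int, error) {
	b, err := decoder(s)
	if err != nil {
		return 0, err
	}
	return len(b), nil
}

// SampleResults encodes one constructed 32-byte key (and its first 16 bytes)
// in several forms and returns the key length the default chain produces for each.
func SampleResults() map[string]int {
	key := make([]byte, 32)
	for i := range key {
		key[i] = 0xab // constructed demo key
	}
	inputs := map[string]string{
		"base64-raw":    base64.RawStdEncoding.EncodeToString(key), // 43 chars
		"base64-padded": base64.StdEncoding.EncodeToString(key),    // 44 chars, ends in '='
		"hex-32-bytes":  hex.EncodeToString(key),                   // 64 hex chars
		"hex-16-bytes":  hex.EncodeToString(key[:16]),              // 32 hex chars
	}
	out := make(map[string]int)
	for name, s := range inputs {
		n, _ := KeyBytesFor(DefaultKeyDecoder, s) // DefaultKeyDecoder never errors
		out[name] = n
	}
	return out
}

func main() { fmt.Println(SampleResults()) }
```

Of the four forms only the raw base64 value yields 32 bytes; the padded base64 value becomes 44 literal bytes and the 64-character hex value becomes 48 bytes, both of which the cipher constructors reject, whereas the 32-character hex value (a 16-byte AES-128 key) becomes 24 bytes, which NewAES accepts as a valid AES-192 key, so the wrong key is used without any error at construction time. Setting the decoder option explicitly, as HexOnlyDecoder does, avoids relying on the fallback order.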
