Documentation ¶
Index ¶
Constants ¶
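// Metadata keys and values used with encrypted content.
//
// The string values must stay identical to the corresponding constants in the
// TiKV implementation; changing one here without changing TiKV would make the
// two sides disagree on how to read the metadata.
// NOTE(review): presumably these are keys of the metadata carried by
// encryptionpb.EncryptedContent — confirm against the callers.
const (
	// MetadataKeyMethod is the metadata key "method".
	// NOTE(review): presumably selects the encryption method; a decryptor
	// should reject values it does not recognise rather than fall back.
	MetadataKeyMethod string = "method"
	// MetadataKeyIv is the metadata key "iv".
	MetadataKeyIv string = "iv"
	// MetadataKeyAesGcmTag is the metadata key "aes_gcm_tag".
	// NOTE(review): presumably the AES-GCM authentication tag; plaintext must
	// not be released unless the tag verifies — confirm in the Decrypt paths.
	MetadataKeyAesGcmTag string = "aes_gcm_tag"
	// MetadataKeyKmsVendor is the metadata key "kms_vendor".
	MetadataKeyKmsVendor string = "kms_vendor"
	// MetadataKeyKmsCiphertextKey is the metadata key "kms_ciphertext_key".
	MetadataKeyKmsCiphertextKey string = "kms_ciphertext_key"
	// MetadataMethodAes256Gcm is the value "aes256-gcm".
	// NOTE(review): presumably a value stored under MetadataKeyMethod — confirm.
	MetadataMethodAes256Gcm string = "aes256-gcm"
)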
These constants must be kept identical to the corresponding constants in the TiKV implementation.
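// IV sizes.
// NOTE(review): presumably both values are lengths in bytes — confirm against
// the IV type and NewIVFromSlice.
const (
	// GcmIv12 is 12, which matches the standard 96-bit AES-GCM nonce size.
	// A GCM nonce must never repeat under the same key: reuse breaks both
	// confidentiality and the authentication tag.
	GcmIv12 = 12
	// CtrIv16 is 16, which matches the AES block size used as the CTR-mode
	// initial counter block.
	CtrIv16 = 16
)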
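// Vendor name identifiers.
// NOTE(review): presumably compared against the vendor recorded in a master
// key configuration or under the "kms_vendor" metadata key — confirm. Code
// that switches on these should fail closed on an unknown vendor string.
const (
	// StorageVendorNameAWS is the identifier "aws".
	StorageVendorNameAWS = "aws"
	// StorageVendorNameAzure is the identifier "azure".
	StorageVendorNameAzure = "azure"
	// StorageVendorNameGCP is the identifier "gcp".
	StorageVendorNameGCP = "gcp"
)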
// AesGcmKeyLen is the AES-256 key length: 32 bytes (256 bits).
// NOTE(review): presumably NewMemAesGcmBackend checks its key argument against
// this length — confirm; a key of any other length should be rejected.
const AesGcmKeyLen = 32
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Backend ¶
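// Backend is the interface that an encryption backend must implement.
type Backend interface {
	// Decrypt takes an EncryptedContent and returns the decrypted plaintext as
	// a byte slice or an error. Callers must discard the byte slice whenever
	// the error is non-nil.
	Decrypt(ctx context.Context, ciphertext *encryptionpb.EncryptedContent) ([]byte, error)
	// Close takes no arguments and returns nothing.
	// NOTE(review): presumably releases resources held by the backend, such
	// as key material or a KMS client — confirm in each implementation.
	Close()
}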
Backend is an interface that defines the methods required for an encryption backend.
func CreateBackend ¶
func CreateBackend(config *encryptionpb.MasterKey) (Backend, error)
type CachedKeys ¶
// CachedKeys is an exported struct whose fields are all unexported or
// filtered out of this listing; no constructor or methods for it are shown.
// NOTE(review): presumably holds cached key material — confirm against the
// source, and if so treat values of this type as secret-bearing (avoid
// logging or copying them).
type CachedKeys struct {
// contains filtered or unexported fields
}
type FileBackend ¶
// FileBackend is ported from the TiKV FileBackend. Its fields are unexported
// or filtered out of this listing; the methods listed for *FileBackend are
// Close, Decrypt and Encrypt.
// NOTE(review): presumably the master key is loaded from a file — confirm,
// and check how that file's permissions are handled.
type FileBackend struct {
// contains filtered or unexported fields
}
FileBackend is ported from TiKV FileBackend
func (*FileBackend) Close ¶
func (f *FileBackend) Close()
func (*FileBackend) Decrypt ¶
func (f *FileBackend) Decrypt(ctx context.Context, content *encryptionpb.EncryptedContent) ([]byte, error)
func (*FileBackend) Encrypt ¶
func (f *FileBackend) Encrypt(ctx context.Context, plaintext []byte) (*encryptionpb.EncryptedContent, error)
type IV ¶
func NewIVFromSlice ¶
type KmsBackend ¶
// KmsBackend is built by NewKmsBackend from a kms.Provider. Its fields are
// unexported or filtered out of this listing; the methods listed for
// *KmsBackend are Close and Decrypt.
// NOTE(review): presumably Decrypt asks the provider to unwrap the data key
// stored under "kms_ciphertext_key" — confirm against the source.
type KmsBackend struct {
// contains filtered or unexported fields
}
func NewKmsBackend ¶
func NewKmsBackend(kmsProvider kms.Provider) (*KmsBackend, error)
func (*KmsBackend) Close ¶
func (k *KmsBackend) Close()
func (*KmsBackend) Decrypt ¶
func (k *KmsBackend) Decrypt(ctx context.Context, content *encryptionpb.EncryptedContent) ([]byte, error)
type MemAesGcmBackend ¶
// MemAesGcmBackend is built by NewMemAesGcmBackend from raw key bytes. Its
// fields are unexported or filtered out of this listing; the methods listed
// are DecryptContent and EncryptContent.
//
// EncryptContent takes the IV from its caller. Assuming the cipher is AES-GCM
// as the type name indicates, every call under the same key must be given a
// fresh IV, because a repeated IV breaks both confidentiality and integrity.
// NOTE(review): presumably the key is kept in process memory for the lifetime
// of the value — confirm.
type MemAesGcmBackend struct {
// contains filtered or unexported fields
}
func NewMemAesGcmBackend ¶
func NewMemAesGcmBackend(key []byte) (*MemAesGcmBackend, error)
func (*MemAesGcmBackend) DecryptContent ¶
func (m *MemAesGcmBackend) DecryptContent(_ctx context.Context, content *encryptionpb.EncryptedContent) ( []byte, error)
func (*MemAesGcmBackend) EncryptContent ¶
func (m *MemAesGcmBackend) EncryptContent(_ctx context.Context, plaintext []byte, iv IV) ( *encryptionpb.EncryptedContent, error)
type MultiMasterKeyBackend ¶
// MultiMasterKeyBackend can hold several master key backends and returns the
// data as soon as any one of them decrypts it successfully. It is built by
// NewMultiMasterKeyBackend from a slice of *encryptionpb.MasterKey; the
// methods listed for it are Close and Decrypt. Its fields are unexported or
// filtered out of this listing.
// NOTE(review): what is returned when every backend fails is not shown here —
// confirm the errors are surfaced rather than dropped.
type MultiMasterKeyBackend struct {
// contains filtered or unexported fields
}
MultiMasterKeyBackend can contain multiple master shard backends. If any one of those backends successfully decrypts the data, the data is returned. The main purpose of this backend is to provide high availability for the master key in the future. Right now, only one master key backend is used to encrypt and decrypt data.
func NewMultiMasterKeyBackend ¶
func NewMultiMasterKeyBackend(masterKeysProto []*encryptionpb.MasterKey) (*MultiMasterKeyBackend, error)
func (*MultiMasterKeyBackend) Close ¶
func (m *MultiMasterKeyBackend) Close()
func (*MultiMasterKeyBackend) Decrypt ¶
func (m *MultiMasterKeyBackend) Decrypt(ctx context.Context, encryptedContent *encryptionpb.EncryptedContent) ( []byte, error)