keys

package v1.8.2
Published: Oct 28, 2024 License: MPL-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Package keys contains various encryption KeyHandler implementations.

Constants

const (
	// TokenTypeKMS is KMS assisted encryption token.
	TokenTypeKMS = "sideroKMS"
	// TokenTypeTPM is TPM assisted encryption token.
	TokenTypeTPM = "talos-tpm2"
)

Variables

var ErrTokenInvalid = errors.New("invalid token")

ErrTokenInvalid is returned by the keys handler if the supplied token is not valid.

Functions

This section is empty.

Types

type Handler

type Handler interface {
	NewKey(context.Context) (*encryption.Key, token.Token, error)
	GetKey(context.Context, token.Token) (*encryption.Key, error)
	Slot() int
}

Handler manages the lifecycle of a disk encryption key for one key slot: NewKey generates a fresh key together with the token that allows it to be recovered later, GetKey recovers the key from such a token, and Slot reports the key slot the handler serves. Handlers that derive or hold the key themselves (NodeIDKeyHandler, StaticKeyHandler) need no token material; handlers that delegate protection of the key to an external party (KMSKeyHandler, TPMKeyHandler) store the sealed key in the token, so losing or corrupting the token means losing the key.

func NewHandler

func NewHandler(cfg block.EncryptionKey, options ...KeyOption) (Handler, error)

NewHandler creates the Handler selected by the provided encryption key config, applying the given KeyOptions.

type KMSKeyHandler added in v1.5.0

type KMSKeyHandler struct {
	KeyHandler
	// contains filtered or unexported fields
}

KMSKeyHandler seals the key with an external KMS service reached at kmsEndpoint and keeps only the sealed blob in the partition token metadata (KMSToken.SealedData); the getSystemInfo callback supplies the node's system information that accompanies the request. The key can therefore be recovered only while the KMS is reachable and willing to unseal for this node.

func NewKMSKeyHandler added in v1.5.0

func NewKMSKeyHandler(key KeyHandler, kmsEndpoint string, getSystemInfo helpers.SystemInformationGetter) (*KMSKeyHandler, error)

NewKMSKeyHandler creates new KMSKeyHandler.

func (*KMSKeyHandler) GetKey added in v1.5.0

func (h *KMSKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)

GetKey implements Handler interface.

func (*KMSKeyHandler) NewKey added in v1.5.0

func (h *KMSKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)

NewKey implements Handler interface.

type KMSToken added in v1.5.0

type KMSToken struct {
	SealedData []byte `json:"sealedData"` // key material as sealed by the KMS; only the KMS can unseal it
}

KMSToken is the userdata stored in the partition token metadata.

type KeyHandler added in v1.5.0

type KeyHandler struct {
	// contains filtered or unexported fields
}

KeyHandler is the base type embedded by all key handlers; it carries the key slot the handler serves.

func (*KeyHandler) Slot added in v1.5.0

func (k *KeyHandler) Slot() int

Slot implements Handler interface.

type KeyOption

type KeyOption func(o *KeyOptions) error

KeyOption represents key option callback used in KeyHandler.GetKey func.

func WithSystemInformationGetter added in v1.5.0

func WithSystemInformationGetter(getter helpers.SystemInformationGetter) KeyOption

WithSystemInformationGetter supplies the callback through which a key handler obtains the node's system information, such as the node UUID.

func WithVolumeID added in v1.8.0

func WithVolumeID(label string) KeyOption

WithVolumeID passes the partition label to the key handler.

type KeyOptions

type KeyOptions struct {
	VolumeID             string
	GetSystemInformation helpers.SystemInformationGetter
}

KeyOptions set of options to be used in KeyHandler.GetKey func.

func NewDefaultOptions

func NewDefaultOptions(options []KeyOption) (*KeyOptions, error)

NewDefaultOptions creates new KeyOptions.

type NodeIDKeyHandler

type NodeIDKeyHandler struct {
	KeyHandler
	// contains filtered or unexported fields
}

NodeIDKeyHandler derives the key deterministically from the node's system information (the node UUID) and the partition label. Because both inputs are machine identifiers rather than secrets, anyone able to read them from the node can recompute the key: this handler protects the disk when it is moved away from its node, not against an attacker with access to the node itself.

func NewNodeIDKeyHandler

func NewNodeIDKeyHandler(key KeyHandler, partitionLabel string, systemInfoGetter helpers.SystemInformationGetter) *NodeIDKeyHandler

NewNodeIDKeyHandler creates new NodeIDKeyHandler.

func (*NodeIDKeyHandler) GetKey

func (h *NodeIDKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)

GetKey implements Handler interface.

func (*NodeIDKeyHandler) NewKey added in v1.5.0

func (h *NodeIDKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)

NewKey implements Handler interface.

type StaticKeyHandler

type StaticKeyHandler struct {
	KeyHandler
	// contains filtered or unexported fields
}

StaticKeyHandler always returns the same static key material it was constructed with. That material comes straight from the encryption key config, so the key is only as confidential as the machine configuration that carries it.

func NewStaticKeyHandler

func NewStaticKeyHandler(key KeyHandler, data []byte) *StaticKeyHandler

NewStaticKeyHandler creates new StaticKeyHandler holding data as the key.

func (*StaticKeyHandler) GetKey

func (h *StaticKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)

GetKey implements Handler interface.

func (*StaticKeyHandler) NewKey added in v1.5.0

func (h *StaticKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)

NewKey implements Handler interface.

type TPMKeyHandler added in v1.5.0

type TPMKeyHandler struct {
	KeyHandler
	// contains filtered or unexported fields
}

TPMKeyHandler seals the key to the TPM 2.0 under a PCR policy and records the sealed object (SealedBlobPrivate, SealedBlobPublic), the PCR selection, the hash algorithm and the policy digest in TPMToken. The key is released only while the measured boot state matches that policy, so a change to the firmware or boot chain that alters the selected PCRs makes the key unrecoverable until re-enrolled. When checkSecurebootOnEnroll is true, enrollment of a new key is refused unless Secure Boot is enabled.

func NewTPMKeyHandler added in v1.5.0

func NewTPMKeyHandler(key KeyHandler, checkSecurebootOnEnroll bool) (*TPMKeyHandler, error)

NewTPMKeyHandler creates new TPMKeyHandler.

func (*TPMKeyHandler) GetKey added in v1.5.0

func (h *TPMKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)

GetKey implements Handler interface.

func (*TPMKeyHandler) NewKey added in v1.5.0

func (h *TPMKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)

NewKey implements Handler interface.

type TPMToken added in v1.5.0

type TPMToken struct {
	KeySlots          []int  `json:"keyslots"`            // key slots this token unlocks
	SealedBlobPrivate []byte `json:"sealed_blob_private"` // private part of the TPM2 sealed object
	SealedBlobPublic  []byte `json:"sealed_blob_public"`  // public part of the TPM2 sealed object
	PCRs              []int  `json:"pcrs"`                // PCR indexes the sealing policy is bound to
	Alg               string `json:"alg"`                 // hash algorithm of the PCR bank used for the policy
	PolicyHash        []byte `json:"policy_hash"`         // policy digest the TPM enforces on unseal
	KeyName           []byte `json:"key_name"`            // TPM name of the key the blob is sealed under
}

TPMToken is the userdata stored in the partition token metadata.
