Documentation ¶
Overview ¶
Package db provides a secrets database that is encrypted at rest.
The database is encrypted at rest using a Data Encryption Key (DEK). The DEK is stored alongside the database, but is itself encrypted at rest using a Key Encryption Key (KEK). In production, the KEK should be stored in a key management system like AWS KMS.
This layering of encryption means access to the remote KMS is required at Open time, to decrypt the local DEK that in turn can decrypt the database proper. But once the DEK has been decrypted locally, we can decrypt and re-encrypt the database at will (e.g. to save changes) without having a dependency on a remote system.
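As an added illustration of this DEK/KEK layering (example code, not this package's own), a minimal envelope scheme in Go: AES-GCM seals the database under a random DEK, the DEK is wrapped under a KEK that stands in for the KMS key, and only Open needs the KEK, while Save re-encrypts with the already-unwrapped DEK alone. The names Key, File, Create, Open and Save are chosen here and are not this package's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Key [32]byte                             // raw AES-256 key: the KEK (which would live in the KMS) or the DEK
type File struct{ WrappedDEK, Sealed []byte } // on disk: the DEK wrapped under the KEK, beside the DB sealed under the DEK

func (k *Key) aead() cipher.AEAD {
	b, _ := aes.NewCipher(k[:]) // cannot fail: the type fixes the key at 32 bytes
	g, _ := cipher.NewGCM(b)    // cannot fail: AES has a 16-byte block
	return g
}
// seal prepends a fresh random nonce; unseal authenticates before decrypting, so a wrong key or tampering fails.
func (k *Key) seal(pt []byte) []byte {
	g := k.aead()
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // never returns an error as of Go 1.24 (the process crashes instead)
	return g.Seal(nonce, nonce, pt, nil)
}
func (k *Key) unseal(ct []byte) ([]byte, error) {
	g := k.aead()
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// Create makes a fresh DEK, wraps it under kek (the KMS stand-in) and seals db under the DEK.
func Create(kek *Key, db []byte) (*File, *Key) {
	dek := new(Key)
	rand.Read(dek[:])
	return &File{WrappedDEK: kek.seal(dek[:]), Sealed: dek.seal(db)}, dek
}

// Open is the only step that needs the KEK: unwrap the DEK, then decrypt the database with it.
func Open(kek *Key, f *File) (*Key, []byte, error) {
	raw, err := kek.unseal(f.WrappedDEK)
	if err != nil || len(raw) != len(Key{}) {
		return nil, nil, errors.New("cannot unwrap DEK: wrong KEK or corrupt wrapped key")
	}
	dek := (*Key)(raw) // Go 1.17+ slice-to-array-pointer conversion
	db, err := dek.unseal(f.Sealed)
	return dek, db, err
}

// Save re-encrypts under the already-unwrapped DEK: no KEK, no KMS round trip.
func Save(dek *Key, db []byte, f *File) { f.Sealed = dek.seal(db) }
```

A real deployment would replace kek.seal/kek.unseal with the KMS's Encrypt/Decrypt calls, so the KEK bytes never leave the KMS.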
Index ¶
- Variables
- type Caller
- type DB
- func (db *DB) Activate(caller Caller, name string, version api.SecretVersion) error
- func (db *DB) Delete(caller Caller, name string) error
- func (db *DB) DeleteVersion(caller Caller, name string, version api.SecretVersion) error
- func (db *DB) Get(caller Caller, name string) (*api.SecretValue, error)
- func (db *DB) GetConditional(caller Caller, name string, oldVersion api.SecretVersion) (*api.SecretValue, error)
- func (db *DB) GetVersion(caller Caller, name string, version api.SecretVersion) (*api.SecretValue, error)
- func (db *DB) Info(caller Caller, name string) (*api.SecretInfo, error)
- func (db *DB) List(caller Caller) ([]*api.SecretInfo, error)
- func (db *DB) Path() string
- func (db *DB) Put(caller Caller, name string, value []byte) (api.SecretVersion, error)
- func (db *DB) WriteGen() uint64
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrAccessDenied is the error returned by DB methods when the
	// caller lacks necessary permissions.
	ErrAccessDenied = errors.New("access denied")

	// ErrNotFound is the error returned by DB methods when the
	// database lacks a necessary secret or secret version.
	ErrNotFound = errors.New("not found")
)
Functions ¶
This section is empty.
Types ¶
type Caller ¶
type Caller struct {
	// Principal is the caller identity that gets written to audit
	// logs.
	Principal audit.Principal

	// Permissions are the permissions the caller has.
	Permissions acl.Rules
}
Caller encapsulates a caller identity. It is required by all database methods. The contents of Caller should be derived from a Tailscale WhoIs API call.
type DB ¶
type DB struct {
// contains filtered or unexported fields
}
DB is an encrypted secrets database.
func Open ¶
Open loads the secrets database at path, decrypting it using key. If no database exists at path, a new empty database is created.
func (*DB) Delete ¶
Delete deletes all the versions of a secret. If the specified secret does not exist, this is a no-op without error, provided the caller has access to delete things at all.
func (*DB) DeleteVersion ¶
DeleteVersion deletes the specified version of a secret. It reports an error without change if version is the active version.
func (*DB) GetConditional ¶
func (db *DB) GetConditional(caller Caller, name string, oldVersion api.SecretVersion) (*api.SecretValue, error)
GetConditional returns a secret's active value if it is different from oldVersion. If the active version is the same as oldVersion, it reports api.ErrValueNotChanged.
func (*DB) GetVersion ¶
func (db *DB) GetVersion(caller Caller, name string, version api.SecretVersion) (*api.SecretValue, error)
GetVersion returns a secret's value at a specific version.
func (*DB) List ¶
func (db *DB) List(caller Caller) ([]*api.SecretInfo, error)
List returns secret metadata for all secrets on which the caller's Permissions grant acl.ActionInfo.